Metamorphic and Polymorphic malware : changes its shape like a real virus !

Can you imagine that a piece of malware code can change its shape and signature each time it appears, to make it extremely hard for signature based antivirus to detect them ?! This is called Polymorphic or Metamorphic malware.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic malware!

Although the idea of mutating malware sounds quite scary, it’s actually been used by malicious hackers since the early 1990s but they are getting very advanced. Usually antivirus solutions use signatures to identify malware by comparing each file with their database of malware signatures. If the file under investigation has the a signature that looks like on of the signatures in their database, then it will detect the infection.

Crackers are getting smarter. When you visit a suspicious web site, you will get infected with a malware with a certain shape and signature. When another person visits the same site, he will get infected with the same malware but with different shape and signature. Each time someone downloads that malware, a new shape is generated for the same malware automatically. Actually refreshing that page will generate new shapes for the new malware !. This makes it so difficult for signature based antivirus solutions to handle.

Not only each download for the same malware will have different shape, the same malware on a certain machine will keep changing its shape to avoid detection.

Β It is important to note that although the malware changed (“morphs”) its shape for each iteration and each download, the function that it performs remains the same (it is like it changes its appearance, but the bad code inside it still doing the same damage).

This is an example of malware (codenamed Shylock)Β that once appear with file name and description, and with time it appears as different file completely, changing by that its signature:

Polymorphic Malware_2323asa

Metamorphic malware

This type of malware is completely rewritten with each iteration but still each version for each iteration functions the same way. The longer the malware stays in a computer, the more iterations and versions it will produce and the more sophisticated the iterations are.

The technologies used by metamorphic malware is so sophisticated and complex. Metamorphic malware is more difficult to detect than polymorphic malware. Some of the technologies used for such malware include register renaming, code permutation, code expansion, code shrinking and garbage code insertion.

Polymorphic malware

it is also a type of malware that changes its shape and signature. It has usually two parts, one of them changes its shape, while the other part remains the same, which makes it easier to detect than metamorphic malware.

Usually this type of malware consists of two parts :

  • Code that is used to decrypt and encrypt the other part (usually called VDR : virus decryption routine). This part does not change its shape.
  • The core malware code that changes its shape (usually called EVB : encrypted virus body).

When an infected application launches, the VDR decrypt the encrypted virus body (EVB) so it can execute and then re-encrypt it again. Usually the malware writer will use randomly generated encryption key to be used by the VDR so for each malware download, so that we will get completely different EVB encrypted virus body. Polymorphic Malware_232

63 comments on “Metamorphic and Polymorphic malware : changes its shape like a real virus !

  1. Reblogged this on Remove Your Malware and commented:
    An interesting and informative article about “Metamorphic” and “Polymorphic” Malware by Ammar Hasayen makes today’s reblog! If you want to see more articles like this, head to! Or follow Remove Your Malware for similar posts!

  2. Hi would you mind sharing which blog platform you’re using?
    I’m planning to start my own blog in the near future but I’m having
    a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal.
    The reason I ask is because your design and style seems different then
    most blogs and I’m looking for something
    completely unique. P.S Apologies for being off-topic but I
    had to ask!

  3. Attractive section of content. I just stumbled upon your blog and in accession capital to assert
    that I get actually enjoyed account your blog posts.
    Anyway I will be subscribing to your feeds and even I achievement you access consistently quickly.

  4. I have been browsing online more than 3 hours today, yet I never found any interesting
    article like yours. It is pretty worth enough for me.
    In my view, if all web owners and bloggers made good content as you did, the
    web will be a lot more useful than ever before.

  5. Howdy! Someone in my Myspace group shared this site with us so I
    came to give it a look. I’m definitely enjoying the information.
    I’m book-marking and will be tweeting this to my followers!
    Terrific blog and brilliant design.

  6. Hey! Someone in my Facebook group shared this site with
    us so I came to take a look. I’m definitely enjoying the
    information. I’m bookmarking and will be tweeting this to my followers!
    Fantastic blog and amazing design and style.

  7. I do believe all of the ideas you have introduced in your post.
    They’re very convincing and can certainly work. Still, the posts are
    very short for newbies. May you please extend
    them a bit from next time? Thank you for the post.

  8. Hi! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly?
    My website looks weird when browsing from my iphone 4.
    I’m trying to find a template or plugin that might be able to fix this problem.
    If you have any recommendations, please share.

    With thanks!

    • Hi, actually im using a host provider and i am using a theme called iTheme2, and it comes with a mobile friendly features and even a wordpress mobile app πŸ™‚

  9. I blog quite often and I truly appreciate your content.
    Your article has really peaked my interest. I am
    going to take a note of your blog and keep checking
    for new details about once a week. I subscribed to your RSS feed as well.

  10. Normally I don’t learn post on blogs, however I would like to say that this write-up very
    compelled me to check out and do it! Your writing style has been surprised me.
    Thank you, very great article.

  11. Nice blog! Is your theme custom made or did you download it from somewhere?
    A design like yours with a few simple adjustements would really make my blog stand out.
    Please let me know where you got your theme. Many thanks

  12. Oh my goodness! Incredible article dude! Thank you so much, However I am
    encountering problems with your RSS. I don’t understand why I can’t join it.
    Is there anyone else having the same RSS problems?
    Anybody who knows the answer can you kindly respond? Thanx!!

    • Thanks man indeed. Yes it took me sometime to write this article πŸ™‚ im sad to hear that RSS is not working 😦 im using public provider for my blog and cannot even troubleshoot 😦

  13. Great post. I used to be checking continuously this blog and I’m inspired!
    Extremely useful information particularly the final part :
    ) I handle such info a lot. I was looking for this particular info for a very lengthy time.
    Thanks and good luck.

  14. I have been browsing on-line more than 3 hours these days,
    yet I by no means discovered any attention-grabbing article like
    yours. It is beautiful worth sufficient for me.
    In my view, if all site owners and bloggers made just right content material
    as you did, the internet will likely be a lot more useful than ever before.

  15. Hi just wanted to give you a quick heads up and let you know a few of the
    images aren’t loading properly. I’m not sure why but I
    think its a linking issue. I’ve tried it in two
    different web browsers and both show the same results.

  16. I blog quite often and I really thank you for your content.

    The article has really peaked my interest. I am going to bookmark your website and keep checking
    for new details about once a week. I subscribed to your Feed too.

  17. I’m very happy to find this website. I wanted to thank you for ones time
    for this fantastic read!! I definitely liked every bit
    of it and i also have you book marked to look at new information on your
    web site.

  18. Hey very nice web site!! Man .. Beautiful ..
    Superb .. I’ll bookmark your site and take the feeds additionally?
    I am happy to search out a lot of helpful information here
    within the post, we want develop more strategies in this regard,
    thank you for sharing. . . . . .

  19. Hi there, You’ve done an incredible job. I’ll definitely digg it and personally recommend to my friends.
    I am confident they’ll be benefited from this website.

  20. Pingback: Sandbox for malware detection – Azure Mechanics

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s