The phrase ‘polymorphic malware’ may sound like something from a 1980s science fiction film, but sadly this isn’t the case. In fact, it’s a very real threat facing organisations today. As the name suggests, polymorphic malware constantly changes its own form with the sole aim of avoiding detection. Many of the most common forms of malware today can be polymorphic, including bots, Trojans and viruses. The usual way of doing this is to change the characteristics a scanner keys on, such as the file format, the encryption key used to scramble the payload and the decryptor that unscrambles it, so that no two copies share the same bytes. Even something as simple as renaming the file can keep a sample under the radar for a little longer against naive name- or hash-based blocklists, giving it more time to do damage.
Polymorphic malware first appeared in the early 1990s. Since then it has become pervasive, with new and more aggressive strains appearing all the time. Recent research suggests that as much as 97% of malware infections use some sort of polymorphic technique to evade detection, so an effective defence strategy is no longer a luxury; it’s a must.
Understanding the threat
Polymorphic malware is primarily designed to confound and evade traditional signature-based security tools, which rely on fixed points of reference (a file hash, a known byte sequence) to recognise a threat. However, while many characteristics of the malware can shapeshift, its core function always remains the same: whatever the encoded bytes look like on disk, the code that runs after decoding does the same thing every time. Advanced variants can keep re-encoding themselves almost indefinitely, which makes them extremely difficult for traditional tools to ever catch. Every time a new signature is identified and added to a security database, the malware simply shifts again and the signature effort goes right back to square one.
One of the best-known examples of polymorphic malware is the Storm Worm of 2007, spread by spam email. The infamous message with the subject “230 dead as storm batters Europe” was, at one point, responsible for as much as 8% of all global malware infections. When the attachment was opened, the malware installed a service named wincom32 and a Trojan on the recipient’s computer, turning it into a bot. One of the reasons Storm was so hard to detect with traditional antivirus software was that the malicious code was re-encoded roughly every 30 minutes, so a signature written for one copy rarely matched the next.
Any organisation that still relies solely on these traditional measures is highly vulnerable to attacks of this nature. Sadly, many organisations do still rely on them, as evidenced by the fact that nearly every successful cyber attack today features some polymorphic component.
Defending against polymorphic malware
Fortunately, a modest amount of strategic investment, combined with regular employee education and simple common sense, can significantly improve any organisation’s defences against the polymorphic threat. Below are three key areas where security efforts should be focussed:
- Regular cyber security training for employees: A significant proportion of successful cyber attacks start with an employee unwittingly clicking on a phishing link or opening a malicious attachment. Regular training teaches staff the tell-tale signs of an attempted attack, which in turn greatly reduces the number of incidents that let polymorphic malware in to begin with.
- Invest in behaviour-based detection tools rather than relying on signature-based ones alone: As discussed above, polymorphic malware is specifically designed to evade detection by traditional antivirus tools, so spending more on signatures alone yields diminishing returns. Instead, organisations should focus on behaviour-based detection, which judges code by what it does (the processes it spawns, the files and registry keys it touches, the network connections it opens, the way data is accessed and moved) rather than by what its bytes look like, and flags suspicious activity automatically. Behaviour-based solutions such as endpoint detection and response (EDR) or advanced threat protection can pinpoint threats in real time before data is compromised. Signature scanning still has a place as a cheap first filter for known samples; the point is that it cannot be the only layer.
- Ensure software is always kept up to date: Perhaps the most straightforward way of improving security against malware is to ensure that the software and applications used within the organisation are kept up to date at all times. Major software vendors such as Microsoft, Apple and Oracle regularly issue crucial security patches for newly discovered vulnerabilities. Failing to install them promptly leaves a window open to anyone with knowledge of the vulnerability. Despite this, it can often be days, weeks or even months before patches are installed, creating unnecessary risk. All organisations, no matter how big or small, must adopt a “patch early, patch often” mantra.
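The following toy script, added to this article and not code from the author, from Digital Guardian or from any real detection product, makes the point of the “Understanding the threat” section and of the behaviour-based detection recommendation above concrete. A harmless text “payload” stands in for the malware’s constant core function, an XOR with a fresh random key stands in for the per-copy encryption, and a small header stands in for the decoder stub; the “PX” header format, the action names and the detection rules are all assumptions invented for the example. A signature scanner trained on the first copy never matches the later copies, while a behaviour-based check that looks at what the decoded code would do catches every one of them.

```python
"""Why per-copy re-encoding defeats byte signatures but not behaviour checks.

Illustrative code added to the article. It is not malware and not any
vendor's engine: the payload is a harmless string, the XOR encoding and the
"PX" decoder-stub header are simplified stand-ins for what real polymorphic
engines do, and the detection rules are constructed for the example.
"""
import hashlib
import os
from typing import Optional

# Constructed stand-in for the malware's constant core function: the bytes
# that are identical in every copy once the decoder stub has run.
CORE_PAYLOAD = b"CORE:connect c2;download stage2;persist"


def make_variant(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce one polymorphic copy of `payload`.

    A fresh random 8-byte key is drawn per call, the payload is XOR'd with it,
    and an assumed header ("PX", key length, key) plays the role of the
    decoder stub. Every call yields different on-disk bytes for the same
    underlying behaviour.
    """
    if key is None:
        key = os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"PX" + bytes([len(key)]) + key + body


def decode_variant(blob: bytes) -> bytes:
    """What the stub does at run time: strip the header and undo the XOR."""
    if blob[:2] != b"PX":
        raise ValueError("not a variant produced by make_variant")
    klen = blob[2]
    key = blob[3:3 + klen]
    body = blob[3 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def signature_scan(blob: bytes, known_hashes: set, known_patterns: list) -> bool:
    """Traditional scanner: match on whole-file hash or on a fixed byte string
    extracted from a previously seen sample."""
    if hashlib.sha256(blob).hexdigest() in known_hashes:
        return True
    return any(p in blob for p in known_patterns)


def behaviour_scan(blob: bytes, rule: tuple) -> bool:
    """Behaviour-based check: emulate the stub (decode), then judge the sample
    by the actions the decoded code would perform, not by its encoded bytes.
    `rule` lists action prefixes that must all be present to fire."""
    try:
        decoded = decode_variant(blob)
    except ValueError:
        return False
    if not decoded.startswith(b"CORE:"):
        return False
    actions = decoded[len(b"CORE:"):].split(b";")
    return all(any(a.startswith(r) for a in actions) for r in rule)


def demo(n_variants: int = 5) -> dict:
    """Build a signature database from the first sample seen (its hash plus a
    16-byte excerpt of its encoded body, the way a signature would be cut),
    then scan later copies of the same payload with both approaches."""
    first = make_variant(CORE_PAYLOAD)
    db_hashes = {hashlib.sha256(first).hexdigest()}
    db_patterns = [first[-16:]]
    rule = (b"connect", b"persist")  # assumed behavioural rule for the example
    variants = [make_variant(CORE_PAYLOAD) for _ in range(n_variants)]
    return {
        "first_sample_signature_hit": signature_scan(first, db_hashes, db_patterns),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants + [first]}),
        "signature_hits": sum(signature_scan(v, db_hashes, db_patterns) for v in variants),
        "behaviour_hits": sum(behaviour_scan(v, rule) for v in variants),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the first sample matching its own signature, every later copy having a different hash and zero signature hits, and the behaviour check flagging all of them because the decoded action list never changes. The same check returns False for a copy of a benign payload such as `b"CORE:read config;exit"`, which is the other half of the argument: a behavioural rule keys on what the code does, so it neither needs a fresh signature per variant nor fires on every packed file.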
Polymorphic malware is an increasingly prevalent threat that simply cannot be countered by traditional signature-based measures alone. Strategic investment in behaviour-based detection, combined with employee education and prompt software updates, creates a robust, multi-layered defence that is far more effective in today’s cyber security climate.
By Jan Van Vliet, VP and GM EMEA at Digital Guardian