Malware Polymorphism. Oligomorphic, Polymorphic & Metamorphic Malware
They say that the best way of hiding something is to stow it away in plain sight. I wouldn’t go as far as placing a stack of Benjamins under the rug, but the element of surprise can befuddle even the most adept bloodhound. There’s nothing special about malware creators trying to hide their code, contraptions, or tracks; come to think of it, it’s kind of a ‘job requirement’. Anyway, with “hiding” being the word du jour, in this article I’m going to deep-dive into the wondrous, cloak-and-daggerish world of polymorphic malware. Yes, I agree that it sounds like something Bender from Futurama would say to justify a dry cough, but we ain’t there just yet. So, without further ado, let’s try to answer the $1 million question: “what is polymorphism?”. Enjoy, subscribe, and no hate.
What is Malware Polymorphism?
In cybersecurity, the word polymorphism describes a class of malware, or at times an individual sample, capable of changing its base (i.e., identifiable) features and/or behavior to circumvent detection and achieve its end goal. Polymorphism sounds pretentious, often poised to baffle the reader instead of making things a tad clearer, so, to solve this pompous enigma, here’s what you should know: “poly” means “many”, while “morphism” hints at “shape”, “form”, or “characteristics”.
Polymorphic malware is specifically designed to counter detection techniques, most often passing ‘evil’ code off as a system-sanctioned process or service. In a Cybercrime Magazine article about the harmful effects of polymorphic malware, author Ann Johnson noted that 96% of Windows Defender’s positive detections registered in 2017 pointed towards what can be conceived as polymorphic malware – one-time-only detections after which, the malicious files disappeared as having been plucked away by an invisible hand.
While polymorphism can, in many instances, be synonymous with malware or with any type of illegal online activity, the term itself was neither coined by cybersec researchers nor limited to the field.
In fact, without polymorphism, it would be impossible to achieve inter-application communication. As such, in programming, polymorphism becomes the bedrock of OOP (Object-Oriented Programming) and it’s used for providing a single interface to multiple entity classes, or the use of a single symbol to represent numerous different types.
Since polymorphism’s OOP applicability is not a part of today’s article, I’ll skip the technicalities. However, if you’re interested in learning more about this topic or perhaps furthering your knowledge concerning OOP, you should definitely check Jonathan Johnson’s thoughts on the fine points of E2E applications.
In “Evolution and Detection of Polymorphic and Metamorphic Malwares (sic!): A Survey”, the authors noted that:
After that, the authors concluded:
At this point, we’re more than able to construct a working hypothesis – concerning the question “what is polymorphism?”, we can state that, in cybersecurity, this refers to a malware’s ability to create numerous encryption-decryption routines in order to disrupt the anti-malware software’s signature-derivation mechanism.
No signature matching the list of usual suspects means that the process should be safe, right? Dead wrong; it’s in malware’s nature to deceive you and any signature-based scanning and remediation software present on the targeted machine, endpoint, system, network, and everything in between.
A couple of takeaways before we move on to the next section:
- Polymorphism means assuming one or two or three or x+1 forms by changing all the identifiable characteristics.
- Polymorphism in programming is different from the one used to describe malware behavior.
- Polymorphism in cybersecurity equals obfuscation by means of encryption.
The many types of “-isms” – Polymorphism, Oligomorphism, and Metamorphism
Before we take a stab at polymorphic malware and what makes them, well, a prime example of polymorphism, we should also have a lovely chat about the two other kinds of “-isms”: Oligomorphism and Metamorphism. Both types share a common ‘ancestry’, which in this case is the so-called encrypted or encryption malware.
A long time ago, when the Earth was still hot and antivirus software became more aware and efficient, malware creators decided to encrypt the code’s body to avoid detection. We would later refer to this point in time as ground-zero of second-generation malware.
When encryption was added to the evil code’s body or rather as part of its land and expand behavior, it was more than obvious that signature-based detection methods were no longer efficient in combating a threat that would simply not have registered as a threat.
As the aforementioned paper states, a second-generation, encrypted malware would have consisted of an encrypted body and the appropriate decryption key, a technique shared (and abused) by your run-of-the-mill ransomware.
How did they avoid detection, you ask? Well, first of all, the malware’s body (i.e., code) is encrypted by a key. Second, the key itself is unique, having been changed after each infection. This random key generation mechanism protects the body from detection and subsequent deletion. However, it does have a caveat – the encryption-decryption process remains unaltered, despite random-key generation on malicious unpacking & execution.
For the infection to occur, the malware’s body must be decrypted. And here’s the catch: although encryption was added to conceal the code’s intent, even anti-malware software that was otherwise out of its league could have detected and mitigated this threat simply by analyzing the decryption sequence, which stayed the same from one infection to the next.
Encryption malware made use of superencryption (cascade encryption) to conceal the ‘package’s’ content; very avant-garde for the time, considering that most malware adopted a ‘breach-and-clear’ S.O.P. There you have it – encrypted malware in a nutshell. Now let’s scoot over to the second “-ism”, which is Oligomorphism.
Remember how encrypted malware gets decrypted? It changes the encryption key but keeps the same decryption routine. Oligomorphic malware, by contrast, can generate a new decryption routine for each infection.
In essence, by spit-shining an old decryption routine, a single root-malware can generate hundreds of new strains, just by cycling through decryption routines. The immemorial Win.9x Memorial, a virus that wreaked havoc in the late ‘90s, had close to 100 decryptors. Interesting as viruses go, mostly because of its tear-jerking backstory. You can read more about Memorial here.
Oligomorphism has, undoubtedly, altered the rules to some extent. However, we should keep in mind that those permutations will eventually run out. How do we get around this? Polymorphism, of course. When it comes to polymorphic malware, the rule of thumb would be: no signature can be derived if the decryptor is unique.
So, instead of cycling through decryption procedures, polymorphic malware will generate a new decryptor for each variant. Well, it’s a little bit more complicated than that – this malware class has a nasty addition called a “mutation engine”. Its purpose is to compute an entirely new kind of malware by fusing the decryption routine and the encrypted malware’s body. The result is a new breed of polymorphic malware capable of avoiding most signature-based detection methods. And since we’re on that topic, let’s take a closer look at some of the techniques used to construct new polymorphic variants.
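To make the progression from encrypted to oligomorphic to polymorphic decryptors concrete, here is an added example in Python (not code from the article, the cited papers, or any real sample), written from the scanner’s side. The decryptor is modelled as a short list of byte-wise operations, the static signature is the stub’s opcode shape with immediates wildcarded, and the emulation scanner simply runs the decryptor and matches the recovered body; the payload, keys and stubs are all constructed toy values.

```python
import hashlib

def apply_op(b, op, k):
    """One byte-wise decryptor operation (toy, 8-bit arithmetic)."""
    if op == "xor": return b ^ k
    if op == "add": return (b + k) & 0xFF
    if op == "sub": return (b - k) & 0xFF
    if op == "rol": return ((b << k) | (b >> (8 - k))) & 0xFF
    if op == "ror": return ((b >> k) | (b << (8 - k))) & 0xFF
    raise ValueError(op)

INVERSE = {"xor": "xor", "add": "sub", "sub": "add", "rol": "ror", "ror": "rol"}

def run_decryptor(stub, data):
    """Emulate the decryptor: apply the stub's ops, in order, to every byte."""
    out = bytearray()
    for b in data:
        for op, k in stub:
            b = apply_op(b, op, k)
        out.append(b)
    return bytes(out)

def make_sample(stub, body):
    """Constructed sample: body encrypted with the inverse of stub, so stub recovers it."""
    inverse = [(INVERSE[op], k) for op, k in reversed(stub)]
    return {"stub": stub, "body": run_decryptor(inverse, body)}

def stub_shape(stub):
    """What a byte signature with wildcarded immediates sees: opcodes, not keys."""
    return tuple(op for op, _ in stub)

def static_scan(sample, known_shapes):
    """Signature scan of the decryptor only; the body is ciphertext and useless here."""
    return stub_shape(sample["stub"]) in known_shapes

def emulation_scan(sample, known_body_hashes):
    """Generic decryption: run the decryptor, then match the recovered body."""
    body = run_decryptor(sample["stub"], sample["body"])
    return hashlib.sha256(body).hexdigest() in known_body_hashes

PAYLOAD = b"CONSTRUCTED TOY PAYLOAD - stands in for an encrypted malware body"
KNOWN_BODIES = {hashlib.sha256(PAYLOAD).hexdigest()}
# Encrypted malware: one decryptor, fresh key per infection -> same stub shape.
ENCRYPTED = [make_sample([("xor", k)], PAYLOAD) for k in (0x13, 0x7A)]
# Oligomorphic: decryptor picked from a small, enumerable pool.
OLIGO = [make_sample(s, PAYLOAD) for s in ([("add", 5)], [("ror", 3), ("xor", 0x55)])]
# Polymorphic: a decryptor shape the signature database has never seen.
POLY = make_sample([("sub", 9), ("rol", 2), ("xor", 0x0F)], PAYLOAD)
KNOWN_SHAPES = {("xor",), ("add",), ("ror", "xor")}
```

The static scan catches every encrypted and oligomorphic sample because their stub shapes are enumerable, misses the polymorphic one, and the emulation scan catches all of them because the decrypted body never changed.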
So, what is polymorphic malware?
Long story, short, polymorphic malware is malware that has the ability to shape-shift in order to avoid detection. This malware class can change everything from appearance, intent, encryption-decryption methodologies, user- and system-interaction routines, but the functionality remains the same.
Polymorphic Malware Obfuscation Techniques
1. Subroutine reordering
For those of you who are not familiar with the notion, a subroutine is a set of simple instructions designed to run inside of a program on a frequent basis. For instance, MS Word’s autosave feature is one of the many subroutines running inside the program. Now, in polymorphic malware, the attacker would often employ the so-called subroutine reordering obfuscation technique to generate entirely new variants.
In “Malware Obfuscation Techniques: A Brief Survey”, the authors call out the example of Win32/Ghost, a trojan-like malware with C2 capabilities and, allegedly, Machine-Learning improvements, which can generate up to 3,628,800 variants by reordering only 10 subroutines. The same example is quoted in Arjun Shah’s paper on metamorphic code generation.
2. Dead-Code insertion
It’s the simplest obfuscation technique out there. As the name suggests, the technique involves inserting nonsensical code lines within the program’s body in an attempt to change its aspect. Great for fooling old AVs, but not much of a challenge for behavioral analysis AVs, which have a way of dealing with junk code. To get an idea of what an AV may be up against, here’s a quick and easy-to-understand dead-code insertion example.
This SlideShare presentation deals with the challenges of code optimization. If you’ve a keen interest in this sort of thing, by all means, go through the presentation. However, for the purpose of this article, you may want to turn your attention to slides 5 and 6. Notice the discrepancies – two dead stores and an unreachable call. The cleared code can be reviewed in slide 6. Of course, this is very basic, but it gives you an idea about how easy it is to add junk code to the body of a program for obfuscation purposes.
3. Register swapping (reassignment)
There’s no app or program out there that doesn’t require registry services. This virtual bookie keeps everything running smoothly and knows everything about everybody. In an attempt to conceal malicious activity, creators may try to swap or reassign some registry values in order to throw the AV off track.
Each malware generation has its own register assignment routine, but the behavior remains unchanged. The best example in this case is Win95/Regswap’s tendency to reassign the EAX, EBX, and EDX data registers. So, instead of EAX, EBX, and EDX, we get EBX, EDX, and EAX. Simple, but effective (to some degree).
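As an added example (not code from the article or from the papers it cites), here is a small Python normaliser of the kind an AV engine runs before signature matching to take the sting out of techniques 2 and 3 above: it drops unreachable code and dead stores, then renames registers in order of first use, so a Regswap-style register permutation plus junk code normalises to the same listing as the original routine and one signature covers both. The tuple instruction format, the four-register set and both sample listings are my own toy constructions; the technique operates on CPU registers (EAX/EBX/EDX), as in the Regswap example.

```python
REGS = {"eax", "ebx", "ecx", "edx"}
WRITES = {"mov", "add", "sub", "xor"}   # first operand is written ...
READS_DST = {"add", "sub", "xor"}       # ... and for these also read (flags ignored)

def strip_unreachable(insns):
    """Drop code after ret/jmp up to the next label: it can never execute."""
    kept, dead = [], False
    for ins in insns:
        dead = dead and ins[0] != "label"
        if not dead:
            kept.append(ins)
        dead = dead or ins[0] in ("ret", "jmp")
    return kept

def strip_dead_stores(insns):
    """Backward liveness: a register overwritten before any read was a dead store.
    Conservative assumption: every register is live at ret and across a call."""
    live, kept = set(REGS), []
    for ins in reversed(insns):
        op, args = ins[0], ins[1:]
        reads = args
        if op == "call":
            live = set(REGS)
        elif op in WRITES and args[0] in REGS:
            if args[0] not in live:
                continue                       # dead store: drop it
            if op not in READS_DST:
                live.discard(args[0])
                reads = args[1:]
        live.update(a for a in reads if a in REGS)
        kept.append(ins)
    return kept[::-1]

def canonical_regs(insns):
    """Rename registers by first use: Regswap-style eax/ebx/edx permutations collapse to r0/r1/r2."""
    names = {}
    return [tuple(names.setdefault(a, f"r{len(names)}") if a in REGS else a
                  for a in ins) for ins in insns]

def normalize(insns):
    """Canonical listing: what the signature is matched against."""
    return canonical_regs(strip_dead_stores(strip_unreachable(insns)))
# Constructed toy listings (not code from any real virus): the same routine twice.
ORIGINAL = [("label", "f"), ("mov", "eax", "[buf]"), ("add", "eax", "ebx"),
            ("mov", "[out]", "eax"), ("ret",)]
# Variant: eax->ebx and ebx->edx swapped, two dead stores ("mov ebx, 7" and
# "xor ebx, ebx" are overwritten before being read), and an unreachable call.
VARIANT = [("label", "f"), ("mov", "ebx", "7"), ("xor", "ebx", "ebx"), ("mov", "ebx", "[buf]"),
           ("add", "ebx", "edx"), ("mov", "[out]", "ebx"), ("ret",), ("call", "junk")]
```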
Polymorphic malware examples
Before we take a look at this rowdy bunch of polymorphic malware and see what polymorphism looks like IRL, I should say something nice about metamorphic malware. I’ve already covered encrypted malware, oligomorphism, and polymorphism (somewhat). As far as metamorphism is concerned, you only need to know one thing – this class is called body-polymorphic for a very good reason.
Instead of relying solely on superencryption (encrypted malware), cyclic decryptors (oligomorphic malware), or continuous decryptors generation (polymorphic malware), metamorphic malware can create new code bodies, without altering aspect, functionality, or encryption-decryption routines.
This malware gone super Saiyan is destructive and impervious to signature-based detection. Size is its only flaw – true metamorphic malware is hard to craft and even harder to distribute due to size.
Now let’s take a look at some polymorphic malware.
1. Storm Worm
Detected in the wild on the 17th of January 2007, Storm Worm managed to ‘worm’ its way into millions of devices from around the globe. Some estimates claimed that this polymorphic worm accounted for approximately 10% of worldwide infections.
Storm Worm propagated through click-bait emails such as “230 people dead after massive storm hits Europe”, “Naked teen assaulted home director”, “Saddam Hussein has been spotted in X location”, and so on. The Storm Worm-bearing emails had attachments that were capable of carrying various payloads – rootkits, botnetting tools, trojans.
What made Storm Worm a polymorphic malware was its ability to cycle between payloads and to assume various themes, topics, and forms before the next infection.
2. VIRLOCK
Why settle for meager ransomware when you can have VIRLOCK? Allow me to clarify – your average ransomware encrypts your files and asks for moolah in return for the decryption key. VIRLOCK goes the full mile – all encrypted files are turned into ‘infector files’, meaning that they can infect other files, regardless of location.
For instance, if you share files over a virtual place with someone and your files get infected by VIRLOCK, your peer’s files get infected as well. Kind of reminds me of those virophages from Starcraft II.
3. BAGLE
BAGLE is a prime example of why we shouldn’t disregard things labeled as ‘old school’. The BAGLE worm first popped up in 2004. Some say that it may have Australian roots, but this was never confirmed. Nothing notable about BAGLE’s first variant – it infected around 120,000 machines before disappearing.
However, Bagle.B, BAGLE’s first variant, was a bit more virulent compared to version alpha, exploiting tons of backdoors and dropping trojans in its wake. Interestingly enough, BAGLE 2.0 had a short “half-life” (i.e., a couple of weeks).
Still, just like a cockroach after a nuclear blast, BAGLE would pop its head out and multiply to the point that researchers and AV software alike had trouble keeping up with the latest variants. Some sources suggest that the number of BAGLE variants surged from 35 in 2004 to 100+ in 2005.
Parting Thoughts and Recommendations
Now, before I go, allow me to share with you some tips on how to protect your machines against polymorphic malware.
- Say no to suspicious attachments. Delete or quarantine an email received from an unknown source.
- Don’t go traipsing on websites that could hide malicious content.
- Apply the latest security patches and keep your software up to date.
- Use a Next-Gen Antivirus software or a tool with anti-ransomware encryption capabilities. Heimdal™ Security’s Next-Gen Antivirus & MDM with Ransomware Encryption Protection is your best bet against malicious encryption, worm, trojans, viruses, and everything in between.
- Keep an eye on those RDP ports. Batten down the hatches so as not to get caught by surprise by a brute-force attack.
That’s about it. Hope you’ve enjoyed this article on what is polymorphism. Stay tuned for more awesome content. And don’t forget to use the comments section for rants, beer donations, or topic suggestions. Stay safe!