- The first true example of a polymorphic virus was Mark Washburn’s 1260 Virus, written in 1989 as a demonstration of the technique and of how antivirus scanners of the day would fail against it.
- A polymorphic virus is malware that re-encrypts its body under a new key and regenerates its decryption routine on every infection, so that signature-based scanners have no fixed byte pattern to match and remove.
- Polymorphism is used when the author needs to hide the malware from security software and from the computer user, for purposes ranging from data theft to holding data for ransom.
What is a Polymorphic Virus? Complete Explanation
Polymorphism is a technique in which the working part of a virus is stored encrypted and is unpacked at run time by a small decryption routine that is rewritten for every copy. Because both the encrypted body and the decryptor look different in each infected file, signature-based scanning and signature-based removal tools have nothing stable to match. Once decrypted, the core of the virus runs and does whatever its author designed it to do; the payload can be anything. Well-known examples are the ransomware families CryptoWall and VirLock.
The first true example of a polymorphic virus was written in 1989 by Mark Washburn as a demonstration of the idea. His code was the 1260 Virus, and it was built to show what the technique could do and how antivirus products of the day would fail to detect it.
The idea was taken further about two years later with the Dark Avenger Mutation Engine (MtE). Where 1260 had a skeleton decryptor that could be varied, MtE was packaged as a separate, linkable module, so that any virus author could attach it to their own code and get polymorphism without writing a decryptor generator themselves.
Polymorphic malware took center stage in 2007 when the Storm Worm spread as an email attachment under provocative subject lines. It travelled around the world so quickly that the whole industry had to react, and the episode drove new defensive measures, including user-awareness training intended to stop people from opening such bait in the future.
Polymorphic Virus: An Exact Definition
A polymorphic virus is malware engineered so that signature-based scanners have nothing fixed to detect and remove. Most malware is detected by signatures: byte sequences extracted from a known sample that are characteristic of that malware and do not normally occur in clean files. Because these signatures are static, detection is a matter of comparing files against a database of previously extracted patterns, and each newly discovered virus is simply added to that database.
Polymorphic viruses were designed to change their identifying bytes each time they replicate. The underlying code and behaviour stay the same, but the body is re-encrypted under a new key for every infection, and the decryption routine that precedes it is regenerated as well, with a different key, different instruction ordering and different junk instructions. The result is that no fixed byte string is shared between copies, so signature scanning on its own cannot detect the virus.
According to research by Webroot, almost all malware seen today is polymorphic. Since a fixed signature cannot identify it, polymorphism gives the malware a real edge over the simplest detection method and forces defenders to rely on emulation, heuristics and behavioural detection as well.
The good news is that polymorphic viruses do not appear out of nowhere; they need a delivery vector. Typically, computers are infected through spam email, compromised or malicious websites, or by other malware that is already present and installs them. The most common route is clicking links on untrustworthy sites, many of which offer free software, cash rewards or other incentives to lure the unsuspecting into clicking. Sometimes the malware is delivered through forced pop-ups or malicious ads placed on otherwise legitimate sites.
How Does a Polymorphic Virus Work?
A polymorphic virus reaches a victim’s computer through spam, through infected software, or by being planted deliberately. Its base function can be programmed to do just about anything, from monitoring such as keylogging to giving an outsider access to hardware such as the webcam and microphone. What makes it polymorphic is not the malicious payload itself, but the fact that it changes its appearance on every copy by using a fresh encryption key and a freshly generated decryption routine.
Polymorphic viruses can replicate and change their decryption routines frequently, in some cases around 19 times a day. It is important to remember that each new copy is a separate, differently encrypted instance of the malware, and every copy that is not detected and removed keeps operating alongside the others.
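To make the mechanism concrete, here is a toy model of it, added here as an example; it is not code from this page or from any real virus. The "virus body" is an inert byte string and the decryptor is an invented six-opcode bytecode that exists only to be interpreted by the example's own emulate() function, so nothing native ever runs. The opcodes, the helper names and the sample bytes are all assumptions made for the example. It generates variants the way the text describes (new key, a choice between two ciphers, two ways of loading the key, random junk instructions), shows that a static signature taken from the body never matches any variant, and shows that a scanner which emulates the decryptor first recovers the constant body and matches every time, which is how antivirus engines answered polymorphism.

```python
"""Toy model of polymorphism and of why a static signature misses it.

Added example, not code from the page or from any real virus. The "virus
body" is an inert byte string and the "decryptor" is an invented bytecode
that is only ever interpreted by emulate(); nothing here runs native code.
All samples are constructed for the example.
"""
import random

# Constructed stand-in for the constant part of a virus: the bytes a scanner
# would like to write a signature for, if only they were visible on disk.
BODY = b"BENIGN PAYLOAD: constructed stand-in for a virus body, never executed"

# A classic static signature: a fixed byte string taken from a known sample.
SIGNATURE = BODY[:16]

# Opcodes of the invented decryptor bytecode (assumption for this example).
OP_NOP = 0x90   # junk: no operand
OP_JUNK = 0x04  # junk: one ignored operand byte
OP_KEY = 0x01   # operand: the key
OP_NKEY = 0x06  # operand: the negated key (a second way to load the same key)
OP_XOR = 0x03   # decrypt everything after this opcode with XOR key, then run it
OP_SUB = 0x05   # decrypt everything after this opcode with SUB key, then run it


def parse_decryptor(sample: bytes):
    """Walk the decryptor. Returns (key, decrypt opcode, offset of the body)."""
    key = None
    i = 0
    while i < len(sample):
        op = sample[i]
        if op == OP_NOP:
            i += 1
        elif op == OP_JUNK:
            i += 2
        elif op == OP_KEY:
            key, i = sample[i + 1], i + 2
        elif op == OP_NKEY:
            key, i = (-sample[i + 1]) & 0xFF, i + 2
        elif op in (OP_XOR, OP_SUB):
            if key is None:
                raise ValueError("decrypt instruction before the key is loaded")
            return key, op, i + 1
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {i}")
    raise ValueError("no decrypt instruction found")


def emulate(sample: bytes) -> bytes:
    """Do what an antivirus emulator does: run the decryptor, return the body."""
    key, op, start = parse_decryptor(sample)
    cipher = sample[start:]
    if op == OP_XOR:
        return bytes(b ^ key for b in cipher)
    return bytes((b - key) & 0xFF for b in cipher)


def _junk(rng: random.Random) -> bytes:
    """Zero to five junk instructions, mixing one-byte NOPs and two-byte no-ops."""
    out = bytearray()
    for _ in range(rng.randrange(6)):
        if rng.random() < 0.5:
            out.append(OP_NOP)
        else:
            out += bytes([OP_JUNK, rng.randrange(256)])
    return bytes(out)


def make_variant(body: bytes, rng: random.Random) -> bytes:
    """One 'infection': fresh key, fresh decryptor layout, re-encrypted body."""
    key = rng.randrange(1, 256)                 # never 0: XOR 0 would be a no-op
    use_xor = rng.random() < 0.5                # vary the cipher itself
    dec = bytearray(_junk(rng))
    if rng.random() < 0.5:                      # vary how the key is loaded
        dec += bytes([OP_KEY, key])
    else:
        dec += bytes([OP_NKEY, (-key) & 0xFF])
    dec += _junk(rng)
    dec.append(OP_XOR if use_xor else OP_SUB)
    if use_xor:
        enc = bytes(b ^ key for b in body)
    else:
        enc = bytes((b + key) & 0xFF for b in body)
    return bytes(dec) + enc


def make_variants(n: int, seed: int) -> list:
    """n variants from a seeded generator, so runs are reproducible."""
    rng = random.Random(seed)
    return [make_variant(BODY, rng) for _ in range(n)]


def static_scan(sample: bytes) -> bool:
    """1990s-style detection: is the signature anywhere in the raw file?"""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Detection after emulation: signature-match the decrypted body instead."""
    try:
        return SIGNATURE in emulate(sample)
    except ValueError:
        return False            # not something this emulator understands


def demo(n: int = 20, seed: int = 1) -> dict:
    """Generate n variants and compare both scanners on them."""
    variants = make_variants(n, seed)
    decryptors = {v[:parse_decryptor(v)[2]] for v in variants}
    return {
        "static_hits": sum(static_scan(v) for v in variants),
        "emulated_hits": sum(emulating_scan(v) for v in variants),
        "distinct_decryptors": len(decryptors),
    }


if __name__ == "__main__":
    print(demo())   # static_hits 0, emulated_hits 20, distinct_decryptors > 1
```

Running demo() reports zero static hits against twenty emulated hits, with a different decryptor on nearly every variant. The caveat for practitioners is that a real engine has to emulate x86 rather than a six-opcode toy, and virus authors answered emulation with anti-emulation tricks and, later, metamorphism, which rewrites the body itself rather than just the decryptor; emulation is one detection layer, not a complete answer.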
How Do You Create a Polymorphic Virus?
As polymorphic viruses are used only for spying and other malicious purposes, I will not detail the methods for creating one. The description of how they work should be enough to help you keep your computer clean and safe from malware. If you want to see what such code looks like, look up the 1260 Virus written by Mark Washburn in 1989.
Where Did Polymorphic Viruses Originate From?
The first polymorphic virus was written in 1989 by Mark Washburn as a demonstration. It was named 1260, after the number of bytes it adds to an infected file, but is better known as V2P1 or Chameleon. 1260 was derived from the disassembled Vienna Virus code that Ralf Burger had published. Washburn added two distinct elements: the first was a cipher that encrypts the virus body, and the second, the defining feature of polymorphism, was a decryption routine that is generated differently for each infection.
While V2P1’s decryptor is simple, it serves as a skeleton for more complex designs. Its length varies with the number of junk instructions and the random padding inserted, by up to 39 bytes, so no two infections need share the same decryptor. This put virus scanners to their toughest test yet: V2P1 changed its appearance as it spread, and no simple search string could be extracted from it.
What Are the Applications of a Polymorphic Virus?
Polymorphic viruses are used almost exclusively for malicious purposes: to get past security software and attack a computer. The virus author designs a payload that needs to stay hidden and to spread. CryptoWall, for example, was designed to encrypt users’ files and hold them for ransom; its polymorphism was there to defeat signature-based detection and removal.
To put it simply, polymorphism is used when the author needs to hide their software from security software and from the computer user, for purposes ranging from data theft to holding data for ransom.
Examples of Polymorphic Viruses In the Real World
Storm Worm Email
In 2007, an email with the provocative subject line “230 Dead As Storm Batters Europe” circulated around the world. Each spam message carried an attachment that installed the wincom32 service, effectively turning the computer into a bot. What is more, the Storm Worm was re-packed roughly every 30 minutes, so a signature written against one copy was useless against the next.
CryptoWall is a notorious polymorphic ransomware that encrypts the files on an infected computer and demands a ransom for the key to decrypt them. It did not keep generating new copies on one machine: once the files were encrypted there was nothing left to hide, since the attacker already had what they wanted. Instead, CryptoWall’s polymorphic builder was used on the attacker’s side to produce a fresh variant for each new set of potential victims, so that a signature extracted from one sample did not match the next.
VirLock can infect files, replicate itself and change the format of the files it infects, as well as locking the computer screen like traditional ransomware. It took CryptoWall’s approach a step further: because the ransomware is also a file infector, the malware itself is harder to detect and remove.
Check out this video from Professor Messer for additional information about polymorphic viruses.