What is a Polymorphic Virus?: Complete Explanation

The Storm Worm, spread in 2007 through e-mails with provocative subject lines, is one of the best-known examples of polymorphic malware; at its peak it was estimated to account for around 8% of malware infections.

Polymorphism is a technique in which malware keeps its working code encrypted and generates a new decryption routine every time it spreads, so that no fixed byte sequence survives from one copy to the next and signature-based scanners have nothing stable to match. Once the decryptor has run, the core code executes on the host and does whatever the author built it to do; polymorphism says nothing about the payload itself. Examples discussed on this page include the ransomware families CryptoWall and VirLock.

The first true polymorphic virus was written in 1989 by Mark Washburn as a demonstration. Known as 1260 (viruses of that era were commonly named after the number of bytes they added to an infected file), it was written to show what a self-mutating virus could do and how the scanners of the day would fail against it.

The technique was generalized two years later with the Dark Avenger Mutation Engine (MtE). Where 1260 carried its own modifiable decryptor skeleton, MtE was distributed as a separate, linkable object module: any virus writer could attach it to an existing virus and have the engine generate a fresh decryptor for every infection.

Polymorphism reached a wide audience in 2007 with the Storm Worm, which arrived as an e-mail attachment under provocative subject lines and spread fast enough that the whole security industry had to respond. Alongside technical countermeasures, user-awareness campaigns were started to teach people not to open spam bait.

Polymorphic Virus: An Exact Definition

A polymorphic virus is malware designed to be hard to detect and remove. Traditional antivirus detection is signature-based: an analyst extracts a byte sequence that is unique to a malware sample, and the scanner searches files for that sequence. Because ordinary malware does not change its own bytes from copy to copy, the signature stays valid, and each newly discovered family is simply added to the signature database.

A polymorphic virus changes its identifying bytes as it replicates. The core code stays the same, but it is stored encrypted and a new key is chosen for every infection; because the decryptor must know the key, a new decryption routine is emitted along with it, typically with different instruction ordering, register choices and inserted junk instructions. Nothing constant remains for a plain byte signature to match. The limit of the technique is that the decryptor still has to run and produce the same core code, which is exactly what emulation-based ("generic decryption") and behavioural detection rely on.

According to Webroot's threat research, the large majority of malware executables seen today are polymorphic, with individual samples often observed on only a single machine before being replaced. Since per-sample signatures are close to useless against that, polymorphism gives malware a clear edge over signature-only protection.

The good news is that polymorphic viruses do not appear out of nowhere: they reach a machine through the same channels as any other malware. Typical vectors are spam e-mail attachments, compromised or malicious websites, and droppers, that is, other malware already on the machine that installs them. A common lure is a site that promises free software, cash rewards or other incentives to get the visitor to click; malicious advertisements and forced pop-ups are also used.

How Does a Polymorphic Virus Work?

A polymorphic virus reaches a victim's computer through spam, trojanised software or another piece of malware that drops it. Its core code can be built to do almost anything, from surveillance such as keylogging to giving an outsider access to the webcam and microphone. What makes it polymorphic is not the malicious action it performs but that every copy carries a different encryption key and a correspondingly different decryption routine, so its signature never stays the same.

There is no fixed mutation rate: a file infector produces a new encrypted copy with a new decryptor each time it infects a file, and malware distributed from a server can be repackaged on a schedule (the Storm Worm described below rotated its code roughly every 30 minutes). Each copy is an independent instance, so an infected file that a scanner misses will keep running, and keep spreading, even after other copies have been removed.
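The mechanism described in the definition above and in this section can be seen on a toy model. The following is an added example written for this page; it is not code from the page, from 1260, from MtE or from any real malware family. Its "decryptor" is a made-up four-opcode bytecode run by a small Python interpreter and its "body" is an inert constructed string, so nothing in it executes or replicates. It shows two things: a static signature cut from one copy does not match the next copy, and a scanner that emulates the decryptor and hashes what comes out (what generic-decryption scanners do) sees every copy as the same thing.

```python
"""Toy model of polymorphic encryption versus signature scanning.

Added example for this page; not code from the page, from 1260, MtE or any
real malware. Nothing here is machine code: the "body" is an inert,
constructed byte string, the "decryptor" is a program for the four-opcode
interpreter defined below, and the "scanner" is a substring search.
"""
import hashlib
import random

# Constructed, inert stand-in for the virus core code that must stay constant.
PAYLOAD = b"TOY BODY: locate host file, append self, patch entry point, run host"

# Toy decryptor instruction set. Every instruction is two bytes: (opcode, operand).
OP_NOP = 0x00  # junk instruction; operand ignored (padding the engine sprinkles in)
OP_XOR = 0x01  # body_byte ^= operand
OP_ROR = 0x02  # body_byte = rotate_right(body_byte, operand)
OP_END = 0xFF  # end of decryptor; the encrypted body follows


def _rotl(b, r):
    r %= 8
    return b if r == 0 else ((b << r) | (b >> (8 - r))) & 0xFF


def _rotr(b, r):
    r %= 8
    return b if r == 0 else ((b >> r) | (b << (8 - r))) & 0xFF


def assemble(steps, payload):
    """Emit the decryptor stub for `steps`, followed by `payload` encrypted so
    that running the stub's real instructions, in order, yields `payload`."""
    real = [(op, arg) for op, arg in steps if op != OP_NOP]
    enc = bytearray()
    for b in payload:
        for op, arg in reversed(real):          # inverse of each step, reverse order
            b = b ^ arg if op == OP_XOR else _rotl(b, arg)
        enc.append(b)
    stub = b"".join(bytes((op, arg)) for op, arg in steps) + bytes((OP_END, 0))
    return stub + bytes(enc)


def mutate(payload, rng, key=None):
    """Produce one fresh copy: new key, new rotation amount and a new
    sprinkling of junk instructions at random positions in the decryptor."""
    key = rng.randrange(1, 256) if key is None else key
    steps = [(OP_XOR, key), (OP_ROR, rng.randrange(1, 8))]
    for _ in range(rng.randrange(0, 6)):        # 0-5 junk instructions
        steps.insert(rng.randrange(len(steps) + 1), (OP_NOP, rng.randrange(256)))
    return assemble(steps, payload)


def signature_scan(sample, signature):
    """Classic signature scanning: is this fixed byte string in the file?"""
    return signature in sample


def emulate(instance):
    """Generic decryption: step through the decryptor instead of matching its
    bytes, apply it to the body, and return the decrypted body."""
    steps, pos = [], 0
    while True:
        op, arg = instance[pos], instance[pos + 1]
        pos += 2
        if op == OP_END:
            break
        if op in (OP_XOR, OP_ROR):
            steps.append((op, arg))
        elif op != OP_NOP:
            raise ValueError("unknown opcode %#x" % op)
    out = bytearray()
    for b in instance[pos:]:
        for op, arg in steps:
            b = b ^ arg if op == OP_XOR else _rotr(b, arg)
        out.append(b)
    return bytes(out)


def demo(seed=1, n=10, sig_len=24):
    """Generate n copies, then scan them two ways: with a static signature cut
    from copy 0, and by emulating each decryptor and hashing the result."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), n)       # distinct keys: every copy is re-keyed
    copies = [mutate(PAYLOAD, rng, key=k) for k in keys]
    static_sig = copies[0][-sig_len:]         # what a lab would cut from the first sample
    known = hashlib.sha256(PAYLOAD).hexdigest()
    static_hits = sum(signature_scan(c, static_sig) for c in copies)
    emulated_hits = sum(hashlib.sha256(emulate(c)).hexdigest() == known for c in copies)
    return {"copies": n, "static_hits": static_hits, "emulated_hits": emulated_hits}


if __name__ == "__main__":
    print(demo())
```

Run as a script it reports that the static signature matches only the copy it was cut from while the emulated hash matches all of them. The toy is deliberately weak (a one-byte key and two transforms); real engines such as MtE also vary registers, instruction choice and ordering, but the emulation approach is unaffected because it never looks at the decryptor's bytes, only at what the decryptor produces.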

How Do You Create a Polymorphic Virus?

As polymorphic viruses are used only for spying and other malicious purposes, I will not detail how to create one. The description of how they work should suffice in your efforts to keep your computer clean and safe from malware. If you want to see what such code looks like, look up the 1260 Virus written by Mark Washburn in 1989.

Where Did Polymorphic Viruses Originate From?

The first polymorphic virus was written in 1989 by Mark Washburn as a demonstration. It was named 1260 and is also known as V2P1 or Chameleon. 1260 was derived from Ralf Burger's publication of the disassembled Vienna virus code, to which Washburn added two elements: a cipher that encrypts the virus body, and the defining feature of polymorphism, a decryption routine that is regenerated differently for each infection.

While 1260's decryptor is simple, it can serve as the skeleton for a more complex one. Its length varies from copy to copy because a random number of junk instructions and random padding, up to 39 bytes, are inserted into it. With the body encrypted and the decryptor itself varying, no fixed search string could be extracted, and the scanners of the day had no way to match it.

What Are the Applications of a Polymorphic Virus?

Polymorphic viruses are used almost exclusively to get malicious code past security controls. The author first decides what the code must do, then uses polymorphism to keep it hidden while it spreads. CryptoWall, for example, encrypted victims' files and held them for ransom; its polymorphism served to keep each new build from matching the signatures written for the previous one.

To put it simply, a polymorphic virus is used whenever the author needs to hide the software from security tools and from the user, for ends ranging from data theft to data ransoming.

Examples of Polymorphic Viruses In the Real World

Storm Worm Email

In 2007, e-mails with the subject line “230 Dead As Storm Batters Europe” and similar headlines circulated worldwide. Each carried an attachment that installed the wincom32 service and turned the computer into a bot. The Storm Worm's packaging was changed roughly every 30 minutes, so signatures written for one download were useless against the next. Strictly speaking it was a trojan backdoor rather than a file-infecting virus, and its polymorphism was applied on the distribution side, with each download freshly repacked, rather than by the code on the victim machine.

CryptoWall Ransomware

CryptoWall is a notorious ransomware family that encrypts the files on an infected computer and demands payment for the decryption key. It did not keep re-encrypting itself on a single machine: once the files were locked there was nothing left to hide, since the attacker already had what they wanted. Instead, the polymorphic builder behind CryptoWall produced a fresh variant for each distribution campaign, so every potential victim received a binary that did not match the signatures for earlier ones.

VirLock

VirLock goes a step further: it is both ransomware and a true file infector. It embeds each file it attacks inside a new copy of itself, re-encrypted with a new key, and locks the screen like traditional ransomware. Every infected file is therefore a differently keyed instance of the malware, which makes it harder to detect and to remove completely than a single-binary ransomware such as CryptoWall.


Polymorphic Virus: How They Work and How to Protect Yourself FAQs (Frequently Asked Questions) 

How do polymorphic viruses work?

Polymorphic viruses keep their code encrypted and generate a different decryption routine for every copy, so the bytes of one copy do not match the next. That defeats scanners that rely on fixed signatures, which in turn delays removal. They rarely produce visible symptoms; sluggishness is sometimes reported, but it is not a reliable indicator either way.

How does the polymorphic virus spread?

Polymorphic viruses spread by the same routes as other malware and usually need the user to open something: an e-mail attachment, a pop-up advertisement or a download from an infected website. Worm-type families can also spread on their own over the network. The best defence against the user-triggered vectors is not to open or click on anything suspicious.

How can we be protected from viruses?

Security vendors and the operating-system makers at Apple and Microsoft have been in a long battle with these viruses. Modern products do not rely on byte signatures alone: they emulate suspicious code to see what it decrypts into, and they watch what a program does when it runs. Keep Microsoft Defender (formerly Windows Defender) or another antivirus product enabled and updated on Windows, and leave macOS's built-in XProtect and Gatekeeper protections on, but the best practice remains to avoid untrustworthy websites, downloads and attachments.

What is an example of a polymorphic virus?

The best-known example is the 2007 Storm Worm, which at its peak was estimated to account for around 8% of malware infections worldwide.

Who created the polymorphic virus?

Encrypted viruses that hid their body behind a fixed decryptor came first, Cascade (1987) among them, but the first true polymorphic virus, with a decryptor that changes from copy to copy, was written by Mark Washburn in 1989 and named 1260.

What are the symptoms of polymorphic virus?

Because these viruses are designed to stay hidden, there are usually no symptoms specific to them. A general slowdown, stuttering video or slower program start-up is sometimes attributed to infection, but such symptoms have many innocent causes and a machine that looks fine can still be infected. A scan with an up-to-date product is the only reliable check.

When was the first-known polymorphic virus created?

The first polymorphic virus was the 1260 Virus which was written in 1989 by Mark Washburn.
