
What Are Metamorphic and Polymorphic Viruses?

By Sydney Butler / January 23, 2021

Metamorphic and polymorphic viruses are some of the most advanced and hard-to-kill viruses out there, but what are they? Just as with their biological namesakes, the first computer viruses were simple bits of code. They took advantage of the fact that early computers had basically no security. These computers were usually in the hands of trusted users, and their operating systems were written with a good-faith assumption about the user.

As cybersecurity came into existence, the means to combat viruses became more sophisticated, which means that virus authors had to write smarter malware. These two types of viruses are the end result of that arms race.

The General Meaning of "Virus"

To understand what makes metamorphic and polymorphic viruses special, we need to understand the nature of viruses in general. A virus is a piece of malicious software that has a few key features. First, a virus is self-replicating and self-propagating. So it makes copies of itself and then infects other files and computers with those copies.

Secondly, a virus has a payload: some sort of action, such as formatting a hard drive or displaying a message on the screen. Some early viruses only existed to replicate, although that by itself can break a computer system - today, almost all viruses have payloads with varying levels of harm.

How Antivirus Detection Works


Another defining feature of a virus is that it usually needs another file to host it. That's usually an executable file, but not always. The virus attaches its code to that of the legitimate executable file and is then executed along with the file it has infected.

Antivirus software looks for the unique strings of code that make up these viruses. Once you've isolated the virus code, you can create a "signature." If the antivirus program sees that signature in a file, it assumes the file has been infected and quarantines it until further action is taken.
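To make the idea of a signature concrete, here is a small byte-signature scanner. It is an added example written for this article, not code from any antivirus product. The signature notation (hex bytes with `??` meaning "any byte") is borrowed from the style several engines use, and the "files" are constructed byte strings, not real samples. It also shows why an exact signature is fragile: changing a single byte inside the matched region is enough to miss it, which is exactly what metamorphic code does on a larger scale, while a signature with wildcards tolerates that particular change.

```python
import re
from typing import Dict, List, Tuple

def compile_signature(sig: str) -> "re.Pattern":
    """Turn a signature like 'DE AD ?? BE EF' into a bytes regex.

    Each token is either a hex byte (matched literally) or '??' (matches any one byte).
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the '??' wildcard also matches a 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every signature that occurs in data."""
    hits = []
    for name, sig in signatures.items():
        for match in compile_signature(sig).finditer(data):
            hits.append((name, match.start()))
    return hits

# Constructed signatures for this example; the byte values mean nothing outside it.
SIGNATURES = {
    "Demo.Exact": "CA FE BA BE 01 02 03 04",
    "Demo.Wildcard": "CA FE ?? ?? 01 02 03 04",
}

# Constructed "files". The pattern sits at offset 32 in the infected one.
CLEAN_FILE = bytes(range(256))
INFECTED_FILE = b"MZ" + b"\x00" * 30 + bytes.fromhex("CAFEBABE01020304") + b"\x00" * 10
# Same file with one byte inside the pattern changed (BE -> AA)
VARIANT_FILE = b"MZ" + b"\x00" * 30 + bytes.fromhex("CAFEBAAA01020304") + b"\x00" * 10

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("variant", VARIANT_FILE)]:
        print(f"{label:9s} -> {scan(blob, SIGNATURES)}")
```

The exact signature hits only the original infected file; the one-byte variant is caught solely by the wildcard version. Wildcards buy a little tolerance, but a virus that rewrites the whole region between runs leaves nothing fixed for either kind of signature to anchor on.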

What Is a Metamorphic Virus?

Metamorphic viruses are incredibly sophisticated and can only be written by high-level programming experts. Essentially, these viruses can edit, translate, and rewrite their own code!

In other words, since the actual code of the virus keeps changing, there's no way to have a universal signature for it. Every time the virus replicates, it creates a unique iteration of the code.

The code does exactly the same job, but it's mixed around and reworked so that a bit-by-bit comparison would not look the same. The longer the virus is in your system, the more iterations there are. So even if one particular iteration is detected and destroyed, it doesn't really make much of a difference.

What Is a Polymorphic Virus?

Polymorphic viruses have the same basic goal as metamorphic viruses. They want to change their signature every time they execute, so that antivirus programs can't detect them. The main difference is in how the virus achieves that goal. In a way, the polymorphic solution is smarter than the metamorphic one - especially since it's much easier to achieve.

Basically, the polymorphic virus code is encrypted. When the virus executes, it decrypts itself, does what it's programmed to do, and then encrypts itself again. However, each time it encrypts itself, it uses a new encryption key. So when the virus is dormant, it looks completely unique and has no fixed signature.

Since encryption and decryption are well understood and easy to implement, you don't need to be a programming genius to write a polymorphic virus. The downside to this is that the virus has to decrypt itself to work. Since the actual decrypted virus code is the same every time, it's possible to detect that code when the virus is loaded into memory. Effectively, this means polymorphic viruses are invisible when dormant but detectable when they execute.

Some antivirus programs don't scan RAM on a live basis for virus code, so systems protected by these types of programs would be particularly vulnerable.

Detecting Metamorphic and Polymorphic Viruses

Since metamorphic and polymorphic viruses don't have a fixed form, it's not possible to create a universal signature for them. So other types of detection and protection have to be employed in order to combat these vicious programs.


Heuristics are one way to fight them. A heuristic is a rule of thumb that's not 100% certain but tends to point you towards the right answer. A heuristic might include the types of things these viruses do. In other words, you might not be able to see the virus itself but detect suspicious behavior that might point to an infection being present.

There are problems with this approach, of course. You have a higher rate of false positives, where non-malicious behavior triggers the heuristic. On the other hand, you can have false negatives. That's when the virus doesn't trigger the heuristic and runs rampant on the system until it's too late. Striking a balance between being too aggressive or too lax is a key challenge in modern antivirus development.
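The false-positive versus false-negative trade-off is easiest to see with a toy behavior scorer. This is an added example for the article, not any vendor's engine: the behavior names, weights and the four process traces are all constructed for illustration. Each observed behavior adds to a score, and a process is flagged when the score reaches a threshold. Sweeping the threshold shows that for these traces no single value gets both error lists empty, which is the balancing problem described above.

```python
from typing import Dict, List, Tuple

# Constructed weights: how suspicious each observed behavior is on its own.
WEIGHTS = {
    "writes_to_other_executables": 4,
    "modifies_own_image": 3,
    "rewrites_code_in_memory": 3,
    "sets_autorun_key": 2,
    "disables_security_tool": 4,
    "opens_many_files": 1,
    "high_entropy_section": 2,
}

# Constructed traces: (process name, behaviors observed while it ran).
TRACES: List[Tuple[str, List[str]]] = [
    ("backup_tool", ["opens_many_files", "high_entropy_section"]),           # compressed archives, benign
    ("installer", ["writes_to_other_executables", "sets_autorun_key"]),       # legitimate installer
    ("sample_a", ["modifies_own_image", "rewrites_code_in_memory",
                  "writes_to_other_executables"]),                            # noisy self-modifying sample
    ("sample_b", ["high_entropy_section", "rewrites_code_in_memory"]),        # quiet encrypted-body sample
]
# Ground truth for the constructed traces, used only to measure the heuristic.
LABELS = {"backup_tool": False, "installer": False, "sample_a": True, "sample_b": True}

def score(behaviours: List[str]) -> int:
    """Sum the weights of the observed behaviors (unknown names count for nothing)."""
    return sum(WEIGHTS.get(b, 0) for b in behaviours)

def classify(traces: List[Tuple[str, List[str]]], threshold: int) -> Dict[str, bool]:
    """Flag every process whose score reaches the threshold."""
    return {name: score(b) >= threshold for name, b in traces}

def evaluate(traces, labels: Dict[str, bool], threshold: int) -> Dict[str, object]:
    """Report which benign processes were flagged (false positives) and which
    malicious ones slipped through (false negatives) at this threshold."""
    verdicts = classify(traces, threshold)
    fp = [n for n, v in verdicts.items() if v and not labels[n]]
    fn = [n for n, v in verdicts.items() if not v and labels[n]]
    return {"threshold": threshold, "false_positives": fp, "false_negatives": fn}

def has_perfect_threshold(traces, labels: Dict[str, bool], max_threshold: int = 20) -> bool:
    """True if some threshold produces neither false positives nor false negatives."""
    for t in range(0, max_threshold + 1):
        r = evaluate(traces, labels, t)
        if not r["false_positives"] and not r["false_negatives"]:
            return True
    return False

if __name__ == "__main__":
    for t in (4, 6, 7):
        print(evaluate(TRACES, LABELS, t))
    print("perfect threshold exists:", has_perfect_threshold(TRACES, LABELS))
```

A low threshold flags the installer (it writes executables and sets an autorun entry, just as many legitimate installers do); a high one misses the quiet sample that only decrypts and rewrites code in memory. Real engines reduce the overlap by weighting combinations of behaviors and by adding more signals, but the shape of the problem is the same.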

Many free or cheap antivirus programs don't use heuristics at all but stick to the signature detection method only. This leaves the system at the complete mercy of metamorphic and polymorphic viruses.

When it comes to polymorphic viruses in particular, live protection is paramount since there's only a small window of opportunity to detect the virus code after decryption. In fact, the decryption routine itself, or the act of decrypting, is a sign that detection engines look out for.
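The following added example ties together the two points made about polymorphic viruses: the at-rest copies share no fixed signature, the decrypted body does, and "looks encrypted" is itself a usable signal. It is written for this article and is not code from any real sample or product. The constant body is a plain ASCII string, repeating-key XOR stands in for whatever cipher a real sample would use (chosen only because it is reversible in a few lines), and the keys and the entropy threshold are assumptions. Shannon entropy is the standard measure engines use to spot packed or encrypted regions.

```python
import math
from typing import List

# Constructed stand-in for the constant body of a polymorphic sample: plain text, so the
# entropy contrast with an encrypted copy is visible. Nothing here is executable code.
BODY = b"DEMO-PAYLOAD: constant body that is identical in every copy of the sample\n" * 4
# A signature taken from the decrypted body, the way an analyst would extract one.
BODY_SIGNATURE = b"constant body that is identical"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Used only to build 'at rest' copies under different keys
    and to undo them; it stands in for the cipher a real sample would use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed keys: each "generation" is the same body under a different key.
KEYS = [b"\x5a", b"\x13\x37", bytes(range(1, 33))]
AT_REST_COPIES = [xor_bytes(BODY, k) for k in KEYS]

def all_distinct(copies: List[bytes]) -> bool:
    """Every at-rest copy differs byte-for-byte, so no fixed signature covers them all."""
    return len(set(copies)) == len(copies)

def signature_hits_at_rest(copies: List[bytes]) -> List[bool]:
    """What an on-disk scan sees: the encrypted bodies never contain the signature."""
    return [BODY_SIGNATURE in c for c in copies]

def signature_hits_in_memory(copies: List[bytes], keys: List[bytes]) -> List[bool]:
    """What a memory scan sees once the sample has decrypted itself (here: XOR undone)."""
    return [BODY_SIGNATURE in xor_bytes(c, k) for c, k in zip(copies, keys)]

# Assumed threshold; real engines tune this per region type. Text and ordinary code sit
# well below it, while packed or properly encrypted data sits close to 8.0.
ENTROPY_THRESHOLD = 6.0

def flags_by_entropy(data: bytes) -> bool:
    """Heuristic: an unusually high-entropy region is itself a sign worth checking."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

if __name__ == "__main__":
    print("at-rest copies distinct:", all_distinct(AT_REST_COPIES))
    print("signature at rest:     ", signature_hits_at_rest(AT_REST_COPIES))
    print("signature in memory:   ", signature_hits_in_memory(AT_REST_COPIES, KEYS))
    print(f"body entropy: {shannon_entropy(BODY):.2f}")
    for k, c in zip(KEYS, AT_REST_COPIES):
        print(f"key length {len(k):2d}: entropy {shannon_entropy(c):.2f}, flagged={flags_by_entropy(c)}")
```

Two things worth noticing in the output. The signature never matches at rest and always matches once the body is decrypted, which is the window live memory scanning relies on. And the entropy heuristic only fires for the long key: a single-byte XOR merely relabels the byte values, so the entropy is identical to the plaintext's, and a two-byte key does not lift it far. That is the caveat behind "encryption itself can be a sign": it catches strong encryption and packing well, and weak obfuscation poorly, so engines use it alongside the in-memory scan rather than instead of it.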

The Fundamentals Are Still Effective

As fancy as these viruses are, they can still be mitigated by simple methods. Don't run software from sources you don't trust. Don't click on links you don't trust. Keep your antivirus up to date. Make sure your antivirus is one that uses heuristics, behavior-based detection, and performs live monitoring of system memory.

These are all simple steps that reduce the risk of falling victim to these advanced viruses. There's no such thing as perfect protection, but that's no reason to be lax.
