Polymorphic techniques make malware harder to detect

Mar 8, 2016 11:10 GMT  ·  By

During the last year, security experts from Webroot scanned over 27 billion URLs, 600 million domains, 4 billion IP addresses, 20 million mobile apps, and 10 million connected sensors, and reviewed over 9 billion file behavior records.

What they found is that in 97% of all detections the malware is unique to the system it infects, even though, at its core, many of these infections involve the same malware variant.

Webroot's security researchers say that malware operators are intentionally using a technique called polymorphism, which alters the malware's binaries so that each copy is a unique executable.

The technique is old. It can be applied server-side, where the distribution server repackages the malware before delivering it to each victim, or client-side, where the malware changes itself with each newly infected victim.

This polymorphism produces a new signature for every new infection, which may be why other cyber-security companies such as Dell or Panda Security report new malware counts in the range of billions per year and millions per month.
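To see why per-file signatures break down under this distribution model, here is an added illustration that is not part of the article or of Webroot's report. It uses constructed toy "files" (not real malware) and an assumed `lib.dll!Api` layout for import references; it contrasts a whole-file hash, which is unique per victim, with a signature over the imported API set, which stays stable across the variants because the payload still needs those APIs.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed toy "files" (not real malware). Each entry stands for one binary
# delivered to one victim. The first three share the same behaviour, i.e. the
# same imported APIs, but the serving side stamps a unique build tag and junk
# region into every copy, so no two are byte-identical. The fourth is benign.
SAMPLES = {
    "victim-a": b"MZ\x90\x00kernel32.dll!CreateRemoteThread\x00wininet.dll!InternetOpenUrlA"
                b"\x00build=a17f\x00" + b"\x11" * 40,
    "victim-b": b"MZ\x90\x00wininet.dll!InternetOpenUrlA\x00kernel32.dll!CreateRemoteThread"
                b"\x00build=c9d2\x00" + b"\x22" * 57,
    "victim-c": b"MZ\x90\x00kernel32.dll!CreateRemoteThread\x00wininet.dll!InternetOpenUrlA"
                b"\x00build=0e41\x00" + b"\x33" * 12,
    "benign":   b"MZ\x90\x00kernel32.dll!GetTickCount\x00user32.dll!MessageBoxA\x00",
}

# Assumed on-disk shape of an import reference in these toy files: "lib.dll!Api".
IMPORT_RE = re.compile(rb"[A-Za-z0-9_]+\.dll![A-Za-z0-9_]+")

def exact_signature(data: bytes) -> str:
    """Traditional per-file signature: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()

def family_signature(data: bytes) -> str:
    """Import-based signature (same idea as an import hash): hash only the
    sorted, de-duplicated set of imported APIs. The polymorphic wrapper can
    change bytes, order and padding, but the payload still needs these APIs."""
    imports = sorted(set(IMPORT_RE.findall(data)))
    return hashlib.sha256(b";".join(imports)).hexdigest()

def cluster(signature, samples: dict) -> list:
    """Group sample names by the signature they produce."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[signature(data)].append(name)
    return sorted(groups.values())

def unique_ratio(signature, samples: dict) -> float:
    """Share of samples whose signature is seen exactly once: the 'unique to the
    system it infects' figure the article quotes (97% for per-file hashes)."""
    counts = Counter(signature(data) for data in samples.values())
    singletons = sum(1 for data in samples.values() if counts[signature(data)] == 1)
    return singletons / len(samples)

if __name__ == "__main__":  # exact: 4 clusters, ratio 1.0; family: 2 clusters, ratio 0.25
    for sig in (exact_signature, family_signature):
        print(sig.__name__, cluster(sig, SAMPLES), unique_ratio(sig, SAMPLES))
```

On these four files the whole-file hash sees four unrelated singletons, while the import-based signature folds the three victim copies into one family and keeps the benign file apart.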

Polymorphic malware is here to stay

"This tactic poses a major problem to traditional security approaches, which struggle to discover singular variants, let alone do so in time to stop data breaches and other compromises," Webroot specialists explain.

And things aren't getting better either. "While polymorphic malware has been around for over a decade, it is now the norm for nearly all threats today," Grayson Milbourne, Security Intelligence Director for Webroot, explains.

In 2014, Webroot says it detected an average of around 700 file instances per malware family, and nearly 30,000 file instances per PUA (potentially unwanted application). This changed dramatically in 2015, when the same Webroot researchers said they saw fewer than 100 file instances per malware family, and around 260 file instances per PUA.

Webroot says that this doesn't mean that the file instances don't exist, but the use of polymorphic distribution models makes detection of all variants much harder.

More details on polymorphic malware can be found in Webroot's 2016 Threat Brief: Next-Generation Threats Exposed report, along with other 2015 trends on mobile malware and cyber-attacks.