Polymorphic malware – how to protect against the shape-shifting threat
6 September 2018
Vendor View: By Jan van Vliet, VP and GM EMEA at Digital Guardian
Polymorphic malware is malware that constantly changes its identifiable features in order to evade detection. Many of the common forms of malware can be polymorphic, including viruses, worms, bots, trojans and keyloggers. The code is engineered so that each copy looks different to detection tools while doing exactly the same thing. Commonly altered characteristics include the key used to encrypt the payload (which changes every byte of the encrypted body, and therefore the file’s hash), the file format, or simply the file name.
The malware is widespread. According to Webroot, 97% of malware infections use polymorphic techniques. While this isn’t a new trend – the tactic has been used since the 90s – recently new, highly aggressive waves of the malware have emerged.
One notorious example of polymorphic malware is CryptoWall, a ransomware strain that encrypts files on the victim’s computer and demands a ransom payment in exchange for their decryption. The polymorphic builder used by CryptoWall produces what is essentially a new variant for every potential victim. In 2015 the FBI estimated that, between them, victims had lost a total of $18 million.
How polymorphic malware works
Polymorphism is used to evade the pattern matching that security solutions such as signature-based antivirus rely on. While certain characteristics of polymorphic malware change, its functional purpose remains the same: a polymorphic virus will continue to spread and infect devices even though its signature changes to avoid detection. Because each new variant has a different byte pattern and hash, a signature-based detection solution will not recognise the file as malicious. Even once a new variant is identified and added to the antivirus vendor’s signature database, the malware has already produced further variants and continues to carry out attacks without being detected.
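The evasion described above, reduced to a runnable demonstration. This is an added example written for this page, not code from the original article: the “payload” is a harmless string standing in for malicious logic, the packer format is a made-up one-byte-length-plus-key header, and the signature is a constructed byte pattern a scanner might look for. The point it shows is that every variant has a different hash and never matches the static signature, yet every one unpacks to the identical payload, which a scan of the unpacked (in-memory) form still catches.

```python
"""Polymorphism demo: one fixed payload, a fresh encryption key per variant.

Added example, not code from the original article. All names, the packer
format and the signature are constructed for illustration.
"""
import hashlib
import os

# Harmless stand-in for the malware's real logic (constructed).
PAYLOAD = b"BEGIN-PAYLOAD:spread;encrypt-files;demand-ransom:END-PAYLOAD"
# Byte pattern a signature scanner would match on (constructed).
SIGNATURE = b"encrypt-files;demand-ransom"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a toy stand-in for the real cipher a
    polymorphic packer applies to its payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_variant(payload: bytes = PAYLOAD, key: bytes = b"") -> bytes:
    """Emit a new 'sample'. Assumed on-disk format: 1-byte key length, the
    key itself, then the payload encrypted under that key. A fresh random key
    is drawn for every call, so no two samples share bytes or a hash."""
    if not key:
        key = os.urandom(16)
    return bytes([len(key)]) + key + xor_bytes(payload, key)


def unpack_variant(sample: bytes) -> bytes:
    """What the sample does at run time: read its own key and decrypt."""
    klen = sample[0]
    key = sample[1:1 + klen]
    return xor_bytes(sample[1 + klen:], key)


def static_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive signature scan over the bytes as they sit on disk."""
    return signature in sample


def runtime_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """The same scan applied after the sample has unpacked itself, i.e. what
    an in-memory or behaviour-based scanner gets to see."""
    return signature in unpack_variant(sample)


def demo(n_variants: int = 5) -> dict:
    """Build several variants and summarise how each detection method fares."""
    variants = [build_variant() for _ in range(n_variants)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_signature_match(v) for v in variants),
        "runtime_hits": sum(runtime_signature_match(v) for v in variants),
        "same_behaviour": all(unpack_variant(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    # Expected shape: 5 distinct hashes, 0 static hits, 5 runtime hits, same behaviour.
    print(demo())
```

Real packers go further than a new key: they also mutate the decryption stub itself (instruction substitution, junk code, register reordering) so that the stub cannot be signatured either, but the asymmetry shown here is the same: the bytes on disk are unique per sample, the behaviour is not.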
For years, the conventional wisdom on malware protection has been to invest in preventative solutions like antivirus, firewalls and IPS. On their own, however, these signature-driven solutions are largely ineffective against polymorphic malware, because each variant presents bytes the signature database has never seen. Given that polymorphic techniques feature in nearly all successful attacks today, organisations relying on these solutions alone are, unfortunately, leaving themselves open to attack.
Four best practices to protect against polymorphic malware
At present, Gartner estimates that enterprise information security spend is 90% prevention and 10% detection. To deal with the threat of polymorphic malware this needs to change. Here are a few best practices that businesses can implement:
- Behaviour-based detection tools: Because polymorphic malware is engineered to evade detection by traditional antivirus tools, the best solutions for this threat use advanced, behaviour-based detection techniques. These methods track the way data is accessed and used on endpoints over a period of time and flag suspicious activity, regardless of what the executable responsible looks like on disk. Behaviour-based detection solutions like endpoint detection and response or advanced threat protection can pinpoint threats as they execute, often before data is encrypted or exfiltrated. Behaviour-based malware protection is more effective than traditional signature-based methods, which struggle to deal with polymorphic attacks.
- Software updates: One straightforward way to help prevent malware infections is to keep the various applications and software tools a company uses as up to date as possible. Enterprise software manufacturers like Microsoft, Oracle, and Adobe regularly release software updates that contain critical security patches for known vulnerabilities. Running outdated software with security vulnerabilities leaves a company open to exploits that can lead to trouble.
All companies, no matter how small, need to adopt a “patch early, patch often” mantra. They also need to regularly review system settings and disable unnecessary services that could leave them vulnerable.
- Employee awareness of phishing attacks: Phishing emails or other unsolicited electronic communications can contain malicious links or attachments used to spread malware. Educating end users on how to recognise suspicious links and attachments can help mitigate this common entry vector for malware attacks.
Threat actors routinely craft phishing emails around links to trusted services such as Google, DocuSign or Outlook365, hoping that an unsuspecting or careless recipient will recognise the brand and therefore trust the content of the message. This is one of the more recent advances in social engineering. Combined with personalised messages, it makes for a strong spear-phishing strategy. If employees aren’t wise to these tactics, there is a high likelihood of infection with any malware, not just polymorphic malware.
- Strong passwords: Ensuring that accounts are protected with secure and unique passwords is another best practice for malware protection. Aim to educate end users on secure passwords, and use features like multi-factor authentication or secure password managers where necessary.
Even replacing just one or two reused or weak passwords at a time improves an employee’s personal security. Businesses should also put policies in place to ensure that employees can’t use the same password for their personal and professional accounts. They must also ensure that these policies are easy to understand and easy to remember.
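As an added illustration of the first practice above (behaviour-based detection), the following is a minimal detector over endpoint file-activity telemetry. It is example code written for this page, not a Digital Guardian product or code from the article. The log line format, field names, the 10-second window and the 20-file threshold are assumptions, and the sample events are constructed: a word processor saving one document, a user copying a few photos, and an innocuously named process rewriting thirty documents in a few seconds. The rule never looks at the binary, its hash or its name, so a polymorphic variant is caught on what it does, not on what it looks like.

```python
"""Behaviour-based detection demo: flag a process by what it does to files.

Added example, not code from the original article or any vendor product.
Log format, thresholds and the sample events are assumptions/constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sensor line format: "<iso-ts> pid=<n> proc=<name> op=<OP> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)
WINDOW = timedelta(seconds=10)   # assumed sliding window
THRESHOLD = 20                   # assumed: distinct files written inside one window


def parse_event(line: str):
    """Parse one telemetry line; return None for lines that are not file events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_mass_file_writes(lines, window=WINDOW, threshold=THRESHOLD):
    """Per process, keep the writes seen inside `window` and alert the first
    time a process has touched >= threshold distinct files within it."""
    events = [ev for ev in map(parse_event, lines) if ev and ev["op"] in ("WRITE", "RENAME")]
    events.sort(key=lambda ev: ev["ts"])          # sensors may deliver out of order
    recent = defaultdict(deque)                   # pid -> deque of (ts, path)
    alerted, alerts = set(), []
    for ev in events:
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:  # drop writes older than the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({
                "pid": ev["pid"], "proc": ev["proc"], "files": len(distinct),
                "first_seen": q[0][0], "last_seen": ev["ts"],
            })
    return alerts


def build_sample_events():
    """Constructed telemetry: two benign patterns, then a ransomware-like burst."""
    base = datetime(2018, 9, 6, 10, 0, 0)
    ts = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for i in range(3):    # an editor saving the same document three times
        lines.append(f"{ts(30 * i)} pid=4120 proc=winword.exe op=WRITE "
                     f"path=C:\\Users\\alice\\Documents\\q3-report.docx")
    for i in range(5):    # a user copying a handful of photos
        lines.append(f"{ts(40 + i)} pid=2210 proc=explorer.exe op=WRITE "
                     f"path=C:\\Users\\alice\\Pictures\\img{i:02d}.jpg")
    lines.append(f"{ts(45)} sensor=heartbeat")   # non-event line, must be ignored
    for i in range(30):   # 30 documents rewritten in 6 seconds by a bland-looking process
        lines.append(f"{ts(50 + i // 5)} pid=5533 proc=updater.exe op=WRITE "
                     f"path=C:\\Users\\alice\\Documents\\file{i:02d}.docx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_file_writes(build_sample_events()):
        print(alert)
```

In production the same idea is applied with more signals (writes that change file extensions, reads followed by overwrites, high-entropy output, deletion of shadow copies) and tuned thresholds per process baseline, but the principle is what matters here: the detection keys on behaviour that every variant must exhibit to achieve its goal.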
A multi-layered security approach which includes behaviour-based security and endpoint detection and response provides a baseline barrier against polymorphic malware. Combine this with security training for employees, regular patching and strong passwords, and organisations will be far better placed to withstand this shape-shifting threat.