Polymorphic Virus: Deadliest For Your System and Network

Cyber criminals have made a business of their attacks and it has proven to be quite profitable for them. They typically have one of two purposes: access critical and proprietary information for sale or ransom or to simply encrypt the content of your computer system or network and demand a ransom for the encryption key. To understand why the polymorphic virus is the most devious, one must know the differences.


The evolution of the computer virus began with the original format. The definition supplied by Symantec, one of the world’s security companies indicates:

Simple Virus:

“A simple virus that merely replicates itself is the easiest to detect. If a user launches an infected program, the virus gains control of the computer and attaches a copy of itself to another program file. After it spreads, the virus transfers control back to the host program, which functions normally. Yet no matter how many times a simple virus infects a new file or floppy disk, for example, the infection always makes an exact copy of itself. Anti-virus software need only search, or scan, for a tell-tale sequence of bytes — known as a signature — found in the virus.”

Encrypted Virus:

“In response, virus authors began encrypting viruses. The idea was to hide the fixed signature by scrambling the virus, making it unrecognizable to a virus scanner. An encrypted virus consists of a virus decryption routine and an encrypted virus body. If a user launches an infected program, the virus encryption routine first gains control of the computer, then decrypts the virus body. Next, the decryption routine transfers control of the computer to the decrypted virus. An encrypted virus infects programs and files as any simple virus does. Each time it infects a new program, the virus makes a copy of both the decrypted virus body and its related decryption routine, encrypts the copy, and attaches both to a target…however the encryption remains the same, generation after generation.”

Polymorphic Virus:

“In retaliation, virus authors developed the polymorphic virus. Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer, then decrypts the virus body. However, a polymorphic virus adds to these two components a third — a mutation engine that generates randomized decryption routines that change each time a virus infects a new program. In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a program infected with a polymorphic virus, the decryption routine first gains control of the computer, then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers control of the computer to the virus, which locates a new program to infect.

At this point, the virus makes a copy of both itself and the mutation engine in random access memory (RAM). The virus then invokes the mutation engine, which randomly generates a new decryption routine that is capable of decrypting the virus, yet bears little or no resemblance to any prior decryption routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the virus appends this new decryption routine, along with the newly encrypted virus and mutation engine, onto a new program.”

The ability for a polymorphic virus to change or morph from one generation to another, is the central theme that removes the ability to track down or trace. Each new release represents an entirely new process that cannot be related to any prior launch. While ingenious, it makes these versions even more deadly as once the virus has infiltrated a computer system or network, it can take extended lengths of time for professionals to bring a system back. This is a high price to pay in both downtime and reputation for a company.

https://www.symantec.com/avcenter/reference/striker.pdf Image : sanjiv kawa


More articles