
    What is a Polymorphic Virus? How It Works and Prevention

    Polymorphic viruses are continually mutating code used in ransomware and other malware, making them hard — but not impossible — to detect. Here’s how to fight them.

    by Renatta Siewert

    Key Points

    • Polymorphic viruses are designed to evade cybersecurity defenses.
    • Increasingly sophisticated polymorphic techniques are used in nearly every type of malware, from botnets to the current wave of ransomware.
    • Companies can inoculate themselves against polymorphic viruses and malware by using the best security tools and practices.


    Back in 1990, a new strain of computer viruses emerged and entered the cybersecurity lexicon: polymorphic viruses. Thirty-plus years later, these nasty viruses continue to bedevil computer users, businesses and networks around the world.

    Essentially, polymorphic viruses were developed to evade early antivirus software. And in the decades since their creation, they have become even more complex and more of a threat to businesses. Today, a variety of polymorphic malware are deployed to hijack networks, destroy data, steal information and even trigger ransomware attacks. Here's what you need to know about the threat and how to avoid polymorphic malware.

    What Is a Polymorphic Virus?

    Polymorphic viruses are the chameleons of cybersecurity. They are designed to change their appearance or signature files to avoid detection by traditional antivirus software, which scans for specific files and looks for specific patterns. A polymorphic virus will continue changing its file names and physical location — not only after each infection, but as often as every 10 minutes.[1]

    To further evade cybersecurity efforts, polymorphic viruses will also constantly reset their encryption methods and keys. To do this, they generally use mutation engines that can change the software billions of times and alter decryption routines in the process. Attackers hope that by using such a strategy, even if the malware is detected, companies will not be able to locate subsequent infections and clean them from their systems. 

    While polymorphic viruses may change their appearance, the associated malware and goals remain the same: steal information, disrupt a company's operations or perform one of many types of ransomware attacks. Today, polymorphic viruses have become standard weapons in the cybercriminal's arsenal. It has been estimated that 97% of all malware now employs some form of polymorphic virus.[2]
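    To make the mechanism above concrete, here is an added Python demonstration (not code from this article or from any of the malware it names) of why a byte-level signature fails against variants encrypted under fresh keys, while the body recovered by replaying the decryption step stays identical. The payload bytes, the key layout and the fixed "decryptor stub" marker are constructed for the demo; real mutation engines also rewrite the decryptor itself, which the demo deliberately does not model. The same property underlies the FAQ entries further down on how a polymorphic virus works and on the variable encryption key.

```python
"""Constructed demonstration: why static signatures miss polymorphic variants
and why unpacking (replaying the decryptor) restores a stable indicator.

Added example, not code from the original article. The payload, key layout and
'decryptor stub' marker are all invented for the demo; nothing here is malware.
"""
import hashlib
import secrets
from typing import List, Optional

# Constructed stand-in for the virus body that stays the same across infections.
PAYLOAD = b"CONSTRUCTED DEMO PAYLOAD v1 -- same logic in every variant"
KEY_LEN = 16
STUB = b"DEMO-DECRYPTOR:"  # fixed marker standing in for the decryption routine


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def simulate_variant(payload: bytes = PAYLOAD, key: Optional[bytes] = None) -> bytes:
    """Model one 'infection': a fresh random key and the body encrypted under it.

    Layout: STUB | key | xor(payload, key). The key has to travel with the sample
    so the decryptor can run, which is exactly what an analyst's unpacker relies on.
    """
    key = key if key is not None else secrets.token_bytes(KEY_LEN)
    return STUB + key + xor_bytes(payload, key)


def static_signature_hits(samples: List[bytes], signature: bytes) -> int:
    """Naive signature scanner: count samples whose raw bytes contain the signature."""
    return sum(1 for s in samples if signature in s)


def unpack(sample: bytes) -> bytes:
    """Analyst-side unpacker: replay the decryptor to recover the invariant body."""
    if not sample.startswith(STUB):
        raise ValueError("not a recognised packed sample")
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    return xor_bytes(sample[len(STUB) + KEY_LEN:], key)


def canonical_hash(sample: bytes) -> str:
    """Stable indicator: SHA-256 of the unpacked body rather than of the file."""
    return hashlib.sha256(unpack(sample)).hexdigest()


def compare_detection(n_variants: int = 5, signature: bytes = b"DEMO PAYLOAD") -> dict:
    """Generate variants and compare raw-byte matching with post-unpack matching."""
    variants = [simulate_variant() for _ in range(n_variants)]
    return {
        "distinct_file_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_signature_hits": static_signature_hits(variants, signature),
        "unpacked_signature_hits": static_signature_hits([unpack(v) for v in variants], signature),
        "distinct_canonical_hashes": len({canonical_hash(v) for v in variants}),
    }


if __name__ == "__main__":
    for name, value in compare_detection().items():
        print(f"{name}: {value}")
```

    Run it and the report shows five distinct file hashes and zero raw-signature hits, but five hits after unpacking and a single canonical hash. That gap is what heuristic scanners and sandboxes exploit: they detect on what the code does, or what it decrypts to, rather than on how it happens to be stored in any one infection.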

    Examples of Polymorphic Malware

    Polymorphic viruses are usually spread using standard cyberattack techniques including spam, phishing emails, infected websites or other malware. Some of the more notorious polymorphic viruses include Ursnif (also known as Gozi), a banking Trojan; Vobfus, a Windows worm virus; and Bagle, an email worm. Combined with other forms of malware, such polymorphic viruses can be devastating. For example:

    • Storm Worm: Using social engineering, a spam email about deadly storms in Europe back in 2007 caused an estimated 8% of all malware infections worldwide that year. This polymorphic virus changed its appearance every 30 minutes and used an email attachment to turn the victim's system into a bot.
    • Virlock: The Virlock polymorphic virus evolved in 2015 to include ransomware routines. As ransomware, not only could it lock the target computer but it could also infect other files, replicate and change the format of files.
    • CryptoWall: A form of polymorphic ransomware, CryptoWall encrypts files on the victim's computer. The idea, of course, is to demand a ransom to decrypt the information. To evade usual protective measures, the polymorphic engine behind CryptoWall creates a new variant of the malware for each target.
    • Beebone: Botnets, networks of remotely controlled servers and computers that are then used to attack other systems, have also been enabled by polymorphic malware. In one of the more sophisticated attacks demonstrating this capability, the Beebone botnet infected an estimated 12,000 computers in 2015. Using a polymorphic downloader to deliver a variety of malware, Beebone proved difficult to detect and trace, and it took the coordination of several international law enforcement agencies, including the FBI and Europol, to eventually take down the botnet.[3]

    How to Know if Your Computer Is Infected with a Polymorphic Virus

    So if polymorphic viruses can adopt nearly any appearance, how can you tell if a computer is afflicted with the virus? Fortunately, administrators can look for some telltale signs that a system is infected, including:

    • Slowdowns: Unusual or sudden system slowdowns are often an indication that polymorphic malware is attacking a computer, usually taking up extra cycles as it encrypts files on the system.
    • Odd requests: Users who see an unusual request to enter a password when it has never been required before should take it as a good indication that malware is trying to infect the system or the network. Individual users may also see strange requests to enter sensitive information like employee numbers, birth dates or Social Security numbers.
    • Misdirection: If a web browser suddenly takes a user to a URL or website that the user didn't enter, it can be a sign that malware is trying to direct them to an infected site. Unusual pop-up ads that block sites also indicate malware.

    Best Practices to Prevent a Polymorphic Virus Infection

    While polymorphic viruses present a wily adversary, companies can protect themselves by following a proven set of safe cybersecurity practices.

    • Keep software up to date: While polymorphic malware will change its appearance, the targets are usually the same. Most software companies maintain security updates to protect those targets, so it's essential to keep up with any patches on client and server computers.
    • Don't open odd links or attachments: Email continues to be cybercriminals’ preferred entry point, so it's a prime opportunity to stop polymorphic infections. In addition to deploying email security tools, train employees not to succumb to phishing attacks and not to open any suspicious links — even from known email addresses.
    • Update passwords: Lists of known passwords and other information are regularly bought and sold on the dark web, so requiring employees to regularly change their passwords can thwart attacks. Like the previous caveat against opening suspicious attachments, this requirement should also be part of regular employee security awareness training.
    • Back up your data: It cannot be repeated often enough: Back up your data on a regular basis. Data backups can save a company millions of dollars and thwart ransomware attacks.
    • Use heuristic and behavior detection: Security software that uses current information about known polymorphic malware techniques can prevent an infection. A heuristic approach, for example, will prevent certain virus-like actions, such as encrypting important files. Behavior-based detection can alert users to previously unreported polymorphic threats based on, for example, unusual access requests.
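    As an added illustration of the behavior-based approach (example code written for this page, not any product's detection logic), the following Python detector scores file activity per process over a sliding time window: many writes whose content has ciphertext-like entropy, plus a run of renames, is the pattern that separates bulk encryption from an editor saving a document, and it holds no matter how the malware's own bytes are disguised. The event records, file paths, thresholds and the two sample processes are constructed for the demo and would need tuning against real telemetry.

```python
"""Added example: behaviour-based detection of bulk file encryption.

Not code from the article or from any vendor. The event format, paths,
thresholds and the two sample processes are constructed for the demo.
"""
import math
from collections import defaultdict
from typing import Dict, List

WINDOW_S = 60            # look-back window per process, in seconds (constructed)
ENTROPY_THRESHOLD = 6.5  # bits/byte; documents sit far below, ciphertext near 8
MIN_ENCRYPTED_WRITES = 5
MIN_RENAMES = 5


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed telemetry. A rename carries the new path in 'data' as a str.
CIPHERTEXT_LIKE = bytes(range(256)) * 2   # every byte value equally often: 8.0 bits
PLAINTEXT = b"Quarterly report draft, section 2. " * 20

EVENTS: List[Dict] = [
    {"t": 100, "pid": 4242, "op": "write", "path": "C:/Users/a/report.docx", "data": PLAINTEXT},
    {"t": 130, "pid": 4242, "op": "write", "path": "C:/Users/a/notes.txt", "data": PLAINTEXT},
]
for i in range(6):  # process 6666 overwrites six documents and renames each one
    EVENTS.append({"t": 200 + i, "pid": 6666, "op": "write",
                   "path": f"C:/Users/a/doc{i}.docx", "data": CIPHERTEXT_LIKE})
    EVENTS.append({"t": 200 + i, "pid": 6666, "op": "rename",
                   "path": f"C:/Users/a/doc{i}.docx", "data": f"C:/Users/a/doc{i}.docx.locked"})


def detect_bulk_encryption(events: List[Dict]) -> List[Dict]:
    """Return one alert per process whose windowed activity crosses both thresholds."""
    by_pid: Dict[int, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        scored = dict(e)
        # Score each event once: high-entropy write, or rename.
        scored["enc"] = e["op"] == "write" and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD
        scored["ren"] = e["op"] == "rename"
        by_pid[e["pid"]].append(scored)

    alerts = []
    for pid, evs in by_pid.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["t"] - evs[start]["t"] > WINDOW_S:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            enc = sum(w["enc"] for w in window)
            ren = sum(w["ren"] for w in window)
            if enc >= MIN_ENCRYPTED_WRITES and ren >= MIN_RENAMES:
                alerts.append({"pid": pid, "t": cur["t"], "encrypted_writes": enc,
                               "renames": ren, "last_path": cur["path"]})
                break  # first crossing is enough here; a real agent keeps tracking
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_encryption(EVENTS):
        print(f"ALERT pid={a['pid']} t={a['t']} "
              f"high-entropy writes={a['encrypted_writes']} renames={a['renames']}")
```

    The editor process (pid 4242) never trips the rule because its writes are low-entropy and it renames nothing; the second process is flagged on its fifth overwrite-and-rename pair, well before all of the user's files are touched. Thresholds this low would be noisy on a build server or a backup agent, so in practice the rule is paired with an allow-list of known bulk-writers and tuned per environment.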

    The Bottom Line

    Polymorphic viruses have a long history, and cybercriminals have had many years to develop more advanced techniques to hide their appearance and infections. Indeed, polymorphic malware is used extensively in all types of cyberattacks, including ransomware. By following tried and true cybersecurity practices, companies can stay one step ahead of the criminals.

    FAQs: Polymorphic Malware

    How Does a Polymorphic Virus Work?

    Polymorphic viruses are complex file infectors that modify themselves in order to avoid detection while retaining the same basic routines after every infection. Polymorphic viruses vary their physical file makeup during each infection, encrypting their code and using a different encryption key every time.

    Which Industries Are More Vulnerable to Polymorphic Virus Attacks?

    Any industry in any part of the world is just as vulnerable to a polymorphic attack as any other. The difference comes when organizations train their employees to look for attacks and use automated solutions to help prevent attacks.

    Can Polymorphic Malware Be Spread Through Email Attachments?

    Yes. Just like any malware, polymorphic malware can be spread via email attachments.

    What are Metamorphic and Polymorphic Malware?

    The main difference between metamorphic and polymorphic malware is that polymorphic malware changes itself and its code using a variable encryption key, whereas metamorphic malware rewrites its code without an encryption key. Polymorphic malware is the more common of the two.

    Polymorphic Malware vs. Polymorphic Virus: Do They Mean the Same Thing?

    Malware is a catch-all term for all of the different types of malicious software, but a virus is a specific type of malware that self-replicates by inserting its code into other programs. The terms are different, though they tend to be used interchangeably.



    [1] "Polymorphic Virus," TechTarget

    [2] "What Is the Polymorphic Virus?" Kaspersky

    [3] "International Police Operation Targets Polymorphic Beebone Botnet," Europol

