creators gain an advantage over security vendors that use traditional signature-based detection to find and block malicious code.

How polymorphic code is generated

Polymorphic code typically ships with a mutation engine alongside the underlying malicious code. The mutation engine does not change the underlying code; instead, it generates a new decryption routine for that code, and it may also alter the file names the code is stored under. As a result, each time the code is installed on a new device or system, the mutation engine produces a brand-new decryption routine.

A polymorphic virus therefore consists of an encrypted payload and a mutation engine. The encryption hides the malicious payload from scanners and threat detection software, which are left to identify the virus by its decryption routine. Once the virus is installed on a target, the payload is decrypted and infects the system; the mutation engine then randomly creates a new decryption routine, so that when the virus moves to the next target it appears to scanners to be a different file.

More recent examples of polymorphic viruses and malware have shown increased sophistication. The Storm Worm, which featured a backdoor Trojan, was first discovered in 2007. The worm spread via malicious email messages and, once the Trojan executed, turned systems or devices into bots. The Storm Worm featured a polymorphic packer, which is similar to a polymorphic engine; a packer can contain several different variants of malware in a single item, such as an email attachment. The worm's polymorphic packer would change every 10 to 30 minutes, depending on the version, in order to avoid detection.

The Virlock ransomware family, first discovered in 2014, is considered the first instance of polymorphic ransomware. Its decryption code was randomly generated each time the virus spread to and executed on a new file. Virlock not only infects files but also turns them into polymorphic file infectors: when an infected file is sent to or shared with another user, Virlock executes and infects the new user's files. Once the infection is complete, the mutation engine changes the packer containing the malware body.

Detection and prevention

Most conventional antivirus and threat detection products rely on signature-based detection, which polymorphic viruses are built to evade. Newer security technologies instead employ machine learning and behaviour-based analytics: machine learning models classify unknown programs on their anomalous runtime behaviour as well as on static characteristics such as file names and API calls.

The best approach for defending against polymorphic viruses is to employ multiple and diverse layers of information security measures, such as antimalware software and threat detection. These programs should be kept current and should be run as often as possible.
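The following is an added worked example, not code from the article or from any real malware family it mentions. It is a harmless Python toy model of the mechanism described in "How polymorphic code is generated" and of the detection gap described in "Detection and prevention": a fixed body is re-encrypted under a fresh key each generation and a small decryption routine is re-emitted with different junk and key-loading steps, so a byte signature lifted from one generation matches only that generation, while a scanner that emulates the routine and matches on the recovered body catches every generation. The payload text, the opcode set, the `MutationEngine` class and the scanner function names are all constructed for this illustration; the emulate-then-match strategy stands in for the non-signature approaches the text refers to and is not a claim about how any particular product works.

```python
"""Toy model of a polymorphic packer and of why byte signatures miss it.

Constructed, harmless example (not the article's code, not real malware): the
"malicious payload" is a text string, the "decryption routine" is a handful of
opcodes for a tiny interpreter, and the mutation engine re-keys the body and
re-emits the routine differently every generation.
"""
import hashlib
import random

# Constructed stand-in for the malware body. Nothing here executes anything.
PAYLOAD = b"benign demo payload: print('hello from the same body')"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

# Opcodes of the toy decryption routine understood by parse_stub().
OP_SETKEY = 0x01  # SETKEY imm8   key = imm8
OP_ADDKEY = 0x02  # ADDKEY imm8   key = (key + imm8) & 0xff
OP_XOR = 0x03     # XOR           body[i] ^= key for every i
OP_END = 0x04     # END           routine ends; encrypted body follows
OP_NOP = 0x90     # NOP           junk the mutation engine sprinkles in


class MutationEngine:
    """Re-encrypts the fixed payload and emits a fresh decryption routine.

    Each generation gets a key never used before, and the routine that
    recovers the key is built differently (direct load or split load, random
    junk), so the bytes on disk differ between generations even though the
    decrypted payload is identical.  Assumed design, not taken from the article.
    """

    def __init__(self, rng: random.Random) -> None:
        self.rng = rng
        self.used_keys: set[int] = set()

    def _junk(self, stub: bytearray) -> None:
        stub.extend([OP_NOP] * self.rng.randrange(0, 4))

    def generate(self) -> bytes:
        # Never reuse a key, so two generations never share an encrypted body.
        key = self.rng.choice([k for k in range(1, 256) if k not in self.used_keys])
        self.used_keys.add(key)
        body = bytes(b ^ key for b in PAYLOAD)

        stub = bytearray()
        self._junk(stub)
        if self.rng.random() < 0.5:
            stub += bytes([OP_SETKEY, key])                # load the key directly
        else:
            delta = self.rng.randrange(1, 256)             # or assemble it in two steps
            stub += bytes([OP_SETKEY, (key - delta) & 0xFF])
            self._junk(stub)
            stub += bytes([OP_ADDKEY, delta])
        self._junk(stub)
        stub += bytes([OP_XOR, OP_END])
        return bytes(stub) + body


def parse_stub(sample: bytes):
    """Walk the decryption routine; return (key, offset of body) or None."""
    key, pc, xor_seen = 0, 0, False
    while pc < len(sample):
        op = sample[pc]
        if op == OP_NOP:
            pc += 1
        elif op in (OP_SETKEY, OP_ADDKEY):
            if pc + 1 >= len(sample):
                return None                     # truncated immediate
            imm = sample[pc + 1]
            key = imm if op == OP_SETKEY else (key + imm) & 0xFF
            pc += 2
        elif op == OP_XOR:
            xor_seen, pc = True, pc + 1
        elif op == OP_END:
            return (key if xor_seen else 0, pc + 1)
        else:
            return None                         # not a routine this emulator knows
    return None


def emulate(sample: bytes):
    """Sandbox the routine to recover the body it would decrypt (None if not a stub)."""
    parsed = parse_stub(sample)
    if parsed is None:
        return None
    key, start = parsed
    return bytes(b ^ key for b in sample[start:])


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Traditional detection: a fixed byte pattern extracted from one captured sample."""
    return signature in sample


def emulation_scan(sample: bytes) -> bool:
    """Detection keyed on what the code does: unpack first, then match the invariant body."""
    body = emulate(sample)
    return body is not None and hashlib.sha256(body).hexdigest() == PAYLOAD_SHA256


def run_demo(seed: int = 7, generations: int = 6) -> dict:
    """Produce several generations and compare the two detection strategies."""
    engine = MutationEngine(random.Random(seed))
    variants = [engine.generate() for _ in range(generations)]
    # The vendor captured generation 0 and took its encrypted body as the signature.
    _, body_start = parse_stub(variants[0])
    signature = variants[0][body_start:]
    return {
        "generations": generations,
        "distinct_files": len(set(variants)),
        "signature_hits": sum(signature_scan(v, signature) for v in variants),
        "emulation_hits": sum(emulation_scan(v) for v in variants),
        "same_payload": all(emulate(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` reports one signature hit (the captured generation itself) against a full set of emulation hits, with every generation a distinct file that decrypts to the same body. That is the whole trade the mutation engine makes: it leaves the payload alone and spends its effort on the part a scanner sees first, so a defence that only compares bytes sees a new file every time, whereas one that looks past the routine to the behaviour or the unpacked body sees the same thing every time.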
