Skip to main content


What is Polymorphic Malware? A Definition and Best Practices for Defending Against Polymorphic Malware

Polymorphic malware is a type of malware that constantly changes its identifiable features in order to evade detection. Many of the common forms of malware can be polymorphic, including viruses, worms, bots, trojans, or keyloggers. Polymorphic techniques involve frequently changing identifiable characteristics like file names and types or encryption keys to make the malware unrecognizable to many detection techniques.

Polymorphism is used to evade pattern-matching detection relied on by security solutions like antivirus software. While certain characteristics of polymorphic malware change, its functional purpose remains the same. For example, a polymorphic virus will continue to spread and infect devices even if its signature changes to avoid detection. By changing characteristics to generate a new signature, signature-based detection solutions will not recognize the file as malicious. Even if the new signature is identified and added to antivirus solutions’ signature database, polymorphic malware can continue to change signatures and carry out attacks without being detected.

Examples of Polymorphic Malware

Webroot researchers have found that 97% of malware infections employ polymorphic techniques. While some of these tactics have been around since the 1990s, a new wave of aggressive polymorphic malware has emerged over the past decade. Some high profile examples of polymorphic malware include:

  • Storm Worm Email: The infamous spam email sent in 2007 with the subject “230 dead as storm batters Europe” was, at one point, responsible for as much as 8% of all global malware infections. When the message’s attachment is opened, the malware installs wincom32 service and a trojan onto the recipient’s computer, transforming it into a bot. One of the reasons the storm worm was so hard to detect with traditional antivirus software was the malicious code used morphed every 30 minutes or so.
  • CryptoWall Ransomware: CryptoWall is a polymorphic ransomware strain that encrypts files on the victim’s computer and demands a ransom payment for their decryption. The polymorphic builder used in Cryptowall is used to develop what is essentially a new variant for every potential victim.

The Threat Posed by Polymorphic Malware

Many malware strains now have polymorphic capabilities, rendering traditional antivirus solutions ineffective at detecting and stopping the malware prior to compromise. For years, the conventional wisdom on malware protection has been to invest in preventative solutions like antivirus, firewalls and IPS. However, these solutions do not work against polymorphic malware. The fact that some polymorphic techniques are used in nearly all successful attacks today means that if your company is relying on these solutions then you are leaving yourself open to attack.

At present, Gartner estimates that enterprise infosec spend is 90% prevention and 10% detection. However, there are certain limitations with this prevention-centered approach and, especially in the case of polymorphic malware, many prevention controls are failing to stop malicious activities.

Best Practices for Protecting Against Polymorphic Malware

Protecting against polymorphic malware requires a layered approach to enterprise security combining people, processes, and technology. There are a number of best practices companies should follow for polymorphic malware protection, ranging from general best practices for malware protection to specialty solutions for behavior-based detection. Here are a few key tips for protecting against polymorphic malware:

  • Keep Your Software Up To Date: One straightforward way to help prevent malware infections is to keep the various applications and software tools your company uses up to date. Enterprise software manufacturers like Microsoft, Oracle, and Adobe regularly release software updates that contain critical security patches for known vulnerabilities. Running outdated software with security vulnerabilities leaves your company open to exploits that can lead to a variety of malware infections.
  • Do Not Click Suspicious Links or Attachments: Phishing emails or other unsolicited electronic communications can contain malicious links or attachments used to spread malware. Educating end users on how to recognize suspicious links and attachments can help mitigate this common entry vector for malware attacks.
  • Use Strong Passwords and Change Them Regularly: Ensuring that your accounts are protected with secure and unique passwords is another best practice for malware protection. Educate end users on secure passwords and use features like multi-factor authentication or secure password managers where necessary.
  • Leverage Behavior-Based Detection Tools: Because polymorphic malware is engineered to evade detection by traditional antivirus tools, the best solutions for this threat use advanced, behavior-based detection techniques. Behavior-based detection solutions like endpoint detection and response or advanced threat protection can pinpoint threats in real time, before any of your data is compromised. Behavior-based malware protection is more accurate than traditional signature-based methods which struggle to deal with polymorphic attacks.

Further Reading on Polymorphic Malware: