Polymorphic, metamorphic and oligomorphic malware

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

Cyberattacks remain part of everyday life: according to the Bundeskriminalamt (Germany's Federal Criminal Police Office), more than 130,000 cases of cybercrime were recorded in 2022 alone, and, as in previous years, 92 per cent of all cyberattacks start with an email. Polymorphic and metamorphic malware poses a particularly high risk. This article explains why that is, and which types of malware are involved.

Published: 15.12.2023 | Last edited: 19.08.2024

What is polymorphic malware?

Polymorphic malware is malware that, unlike static malware, changes its appearance from copy to copy, and with it the byte pattern (signature) a scanner would look for. The appearance changes, but the malicious function stays the same: every new copy is a differently encoded version of the same body, which is exactly what makes this type of malware such a threat to IT infrastructures.

The mutations rely on a new encryption routine for every copy: the body of the virus is stored encrypted and only decrypted at run time, so a small part of the virus, the decryptor, must remain in cleartext. This decryptor is generated anew for each infection by a mutation engine that itself lives in the encrypted part of the virus. The engine varies the decryptor by, for example, reordering independent instructions, replacing an instruction with an equivalent one and inserting junk operations, so the same decryption is expressed by a different instruction sequence in every variant.

Plain signature matching on the file's bytes is largely powerless against this type of malware: by the time a signature for one copy has been written, new copies already look different, so the signature no longer recognises the file as malicious. Today, many malware strains have polymorphic capabilities that allow them to bypass purely signature-based AV solutions. Scanners therefore complement signatures with heuristics on the decryptor and with emulation or in-memory scanning, which can catch the unchanging body once the decryptor has run.
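As an added illustration (not code from the article or from NoSpamProxy), the following Python script models the mechanism just described with a toy decryptor instruction set and a benign, constructed payload: every copy gets a fresh key, a differently built cleartext decryptor and a differently encrypted body, so a byte signature taken from one copy matches only that copy, while emulating the decryptor recovers the same body every time. The opcodes, the mutation rules and the payload are assumptions made for this example.

```python
import hashlib
import random

# Constructed, benign stand-in for the malware body. Only its bytes matter here.
PAYLOAD = b"benign demo payload: print('hello from the body')\n"

# Toy decryptor instruction set (an assumption of this example, not a real ISA).
OP_LOADKEY = 0x01   # LOADKEY imm : key = imm
OP_INC     = 0x02   # INC         : key = (key + 1) & 0xFF
OP_XORIMM  = 0x03   # XORIMM imm  : key ^= imm
OP_NOP     = 0x90   # NOP         : junk, no effect
OP_DECRYPT = 0xFF   # DECRYPT     : XOR every following byte with key, then run it


def make_decryptor(key, rng):
    """Emit a cleartext decryptor that leaves `key` in the key register.

    The mutation engine picks one of three equivalent ways to load the key and
    pads the sequence with a random number of junk NOPs, so the decryptor bytes
    differ from copy to copy even though the effect is identical.
    """
    variant = rng.choice(("direct", "inc", "xor"))
    if variant == "direct":
        instrs = [[OP_LOADKEY, key]]
    elif variant == "inc":
        instrs = [[OP_LOADKEY, (key - 1) & 0xFF], [OP_INC]]
    else:
        mask = rng.randrange(1, 256)
        instrs = [[OP_LOADKEY, key ^ mask], [OP_XORIMM, mask]]
    out = []
    for ins in instrs:
        out.extend([OP_NOP] * rng.randrange(0, 4))
        out.extend(ins)
    out.append(OP_DECRYPT)
    return bytes(out)


def generate_instance(key, rng):
    """One 'infection': a fresh decryptor plus the body encrypted under this copy's key."""
    body = bytes(b ^ key for b in PAYLOAD)
    return make_decryptor(key, rng) + body


def run(instance):
    """Emulate the decryptor and return the decrypted body (what an AV emulator sees)."""
    key, pc = 0, 0
    while True:
        op = instance[pc]
        if op == OP_LOADKEY:
            key, pc = instance[pc + 1], pc + 2
        elif op == OP_INC:
            key, pc = (key + 1) & 0xFF, pc + 1
        elif op == OP_XORIMM:
            key, pc = key ^ instance[pc + 1], pc + 2
        elif op == OP_NOP:
            pc += 1
        elif op == OP_DECRYPT:
            return bytes(b ^ key for b in instance[pc + 1:])
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")


def demo(n=5, seed=None):
    """Return (distinct file hashes, static-signature hits, emulation hits) for n copies."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), n)          # distinct keys, so every body differs
    copies = [generate_instance(k, rng) for k in keys]
    file_hashes = {hashlib.sha256(c).hexdigest() for c in copies}
    signature = copies[0][-16:]                  # 16 bytes of copy 0's encrypted body
    static_hits = sum(signature in c for c in copies)
    emulated_hits = sum(run(c) == PAYLOAD for c in copies)
    return len(file_hashes), static_hits, emulated_hits


if __name__ == "__main__":
    print(demo(5, seed=1))   # (5, 1, 5)
```

demo(5, seed=1) returns (5, 1, 5): five copies with five different hashes, a 16-byte signature from the first copy's encrypted body hits only that copy, and emulation identifies all five. That gap between static and emulated results is why AV engines run suspicious decryptors in an emulator or scan memory after unpacking instead of relying on file signatures alone.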

What is metamorphic malware?

The term “metamorphic” refers to a deeper change than the comparatively superficial change of polymorphic malware. Metamorphic malware does not merely encrypt and reorganise its code: on every generation it rewrites its entire body into a functionally equivalent program with different instructions, register usage and code layout, so there is neither a constant encrypted body nor a constant decryptor left to match. This makes detection by conventional security mechanisms even more difficult, because it is the code itself, not just a signature over it, that varies from copy to copy, while the behaviour stays the same.

In contrast to polymorphic viruses, which only change the form of the code (through variable encryption or permutation), a metamorphic virus temporarily translates itself into an intermediate representation (a “meta-language”), transforms it, and recompiles it with the help of an obfuscator. The formal grammar of the virus, i.e. the set of programs it can turn itself into, always remains the same.

This method works because assembly language offers many ways of achieving the same effect: a register can be zeroed with “xor eax, eax” or “mov eax, 0”, a value can be copied with “mov” or with a “push”/“pop” pair, and independent instructions can be reordered or padded with no-ops. Since a mutation changes the command sequence of the malware itself (and not just the representation of an unchanged command sequence), metamorphic malware is more difficult to detect than polymorphic malware.
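The following Python script is an added example, not from the article, of that rewriting step on a small register IR that stands in for assembly language. Each generation is produced from the previous one by inserting junk, substituting instructions (“mov r, 0” becomes “xor r, r” or “sub r, r”, a constant is split into two operations) and renaming scratch registers, and an interpreter checks that every generation still computes the same function. The IR, the original program and the register convention are assumptions made for this example; a real engine would also shrink and reorder code, which this toy does not.

```python
import random

MASK = 0xFFFFFFFF                      # 32-bit registers
SCRATCH = ("r2", "r3", "r4", "r5")     # r1 carries the input, r0 the result (demo convention)

# Constructed original: r0 = ((r1 + 0x1234) ^ 0xFF) & MASK, written in a toy register IR.
ORIGINAL = [
    ("MOV", "r2", 0x1234),
    ("MOV", "r0", 0),
    ("ADD", "r0", "r1"),
    ("ADD", "r0", "r2"),
    ("MOV", "r3", 0xFF),
    ("XOR", "r0", "r3"),
]


def execute(program, r1):
    """Interpret the toy IR and return the value left in r0."""
    regs = {f"r{i}": 0 for i in range(6)}
    regs["r1"] = r1 & MASK
    stack = []
    for ins in program:
        op = ins[0]
        if op == "MOV":    regs[ins[1]] = ins[2] & MASK
        elif op == "MOVR": regs[ins[1]] = regs[ins[2]]
        elif op == "ADD":  regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & MASK
        elif op == "ADDI": regs[ins[1]] = (regs[ins[1]] + ins[2]) & MASK
        elif op == "XOR":  regs[ins[1]] ^= regs[ins[2]]
        elif op == "XORI": regs[ins[1]] ^= ins[2] & MASK
        elif op == "SUB":  regs[ins[1]] = (regs[ins[1]] - regs[ins[2]]) & MASK
        elif op == "PUSH": stack.append(regs[ins[1]])
        elif op == "POP":  regs[ins[1]] = stack.pop()
        elif op == "NOP":  pass
        else: raise ValueError(op)
    return regs["r0"]


def substitute(ins, rng):
    """Rewrite one instruction as an equivalent sequence (instruction substitution)."""
    op = ins[0]
    if op == "MOV":
        r, imm = ins[1], ins[2]
        if imm == 0:                                   # zeroing: xor r,r or sub r,r
            return [rng.choice([("XOR", r, r), ("SUB", r, r)])]
        if rng.random() < 0.5:                         # split the constant: (imm ^ m) ^ m
            m = rng.randrange(1, MASK + 1)
            return [("MOV", r, imm ^ m), ("XORI", r, m)]
        k = rng.randrange(1, MASK + 1)                 # or (imm - k) + k
        return [("MOV", r, (imm - k) & MASK), ("ADDI", r, k)]
    if op == "MOVR" and rng.random() < 0.5:            # register copy via the stack
        return [("PUSH", ins[2]), ("POP", ins[1])]
    return [ins]


def junk(rng):
    """A do-nothing sequence (junk insertion)."""
    r = rng.choice(SCRATCH + ("r0", "r1"))
    return rng.choice([[("NOP",)], [("PUSH", r), ("POP", r)], [("ADDI", r, 0)], [("XORI", r, 0)]])


def rename(program, rng):
    """Consistently permute the scratch registers (register renaming)."""
    perm = list(SCRATCH)
    rng.shuffle(perm)
    table = dict(zip(SCRATCH, perm))
    return [tuple(table.get(a, a) if isinstance(a, str) else a for a in ins) for ins in program]


def mutate(program, rng):
    """Produce the next generation: junk + substitution + renaming, same behaviour."""
    out = []
    for ins in program:
        if rng.random() < 0.4:
            out.extend(junk(rng))
        out.extend(substitute(ins, rng))
    return rename(out, rng)


def encode(program):
    """Textual 'bytes' of a program, the thing a signature scanner would search."""
    return "\n".join(" ".join(str(a) for a in ins) for ins in program)


def demo(generations=10, seed=None):
    """Return (all generations equivalent?, signature hits, distinct encodings)."""
    rng = random.Random(seed)
    signature = encode(ORIGINAL[:3])          # first three instructions of the original
    lineage, current = [], ORIGINAL
    for _ in range(generations):
        current = mutate(current, rng)        # each generation rewrites the previous one
        lineage.append(current)
    inputs = (0, 1, 0xDEADBEEF, MASK)
    equivalent = all(execute(g, x) == execute(ORIGINAL, x) for g in lineage for x in inputs)
    hits = sum(signature in encode(g) for g in lineage)
    return equivalent, hits, len({encode(g) for g in lineage})


if __name__ == "__main__":
    print(demo(10, seed=3))   # (True, 0, 10)
```

demo(10, seed=3) returns (True, 0, 10): ten generations that all compute the same function, none of which contains the original's opening instruction sequence, and no two of which share an encoding. Because nothing constant survives across generations, the practical detection route is behavioural or semantic (emulating the code and comparing what it does) rather than matching what it looks like.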

What is oligomorphic malware?

The term “oligomorphic malware” is not used as consistently in the IT security industry as “polymorphic” or “metamorphic”. In the classic virus-research literature (for example Peter Szor's The Art of Computer Virus Research and Defense), an oligomorphic virus is the step between a simply encrypted virus and a polymorphic one: the body is encrypted, but the decryptor is chosen from a small, fixed set of variants instead of being generated afresh, so a handful of signatures still catches every copy. In some cases, the term is instead used to describe a hybrid between polymorphic and metamorphic malware, which includes both changes in the code structure and deeper changes in the code itself.

In that broader usage, “oligomorphic malware” refers to malware that combines different methods to make itself harder to detect. This can include a combination of encrypting the code, rearranging the code and even adding new functions or algorithms.

As the term is not standardised, its specific characteristics vary depending on context and source. In practice, however, the focus is on malware that uses multiple methods of disguise to protect itself from security mechanisms.

Why are polymorphic, metamorphic and oligomorphic malware so dangerous?

Polymorphic, metamorphic and oligomorphic malware is dangerous because it uses sophisticated techniques to evade detection by protection mechanisms. In addition to the ability to evade signature-based detection systems, the following points are relevant in terms of potential danger:

  • Constant modification

As these types of malware can constantly modify themselves, they often survive longer on infected computers: every copy looks different, which makes it harder to find and remove them and to stop their activities.

  • Targeted attacks

    Cybercriminals often use polymorphic, metamorphic and oligomorphic malware for targeted attacks. This malware can be designed to bypass certain security measures and infrastructures in order to steal sensitive data or carry out other malicious actions.

  • Complex functionality

These types of malware often carry complex functionality, including the ability to update themselves, download additional payloads or perform other malicious operations. This makes them particularly dangerous and versatile in their application.

AI makes it even worse

Ransomware-as-a-Service already lets anyone run their own ransomware attack, and AI now makes phishing scalable as well. As a classic Large Language Model (LLM), ChatGPT is powerful and flexible in its handling of language, which is why phishing emails were among the first types of attack to be automated with AI. The companies behind the major AI models, such as OpenAI with ChatGPT, have of course built in filters that make it harder to obtain certain content. As always, however, it depends on exactly how you ask.

But it gets worse: AI-based chatbots such as ChatGPT can also create polymorphic malware, or at least help with its development, if asked “nicely” (i.e. with the right prompt). At the very least, they can be used to produce code modules that criminals with the right skills can assemble into complete malware.

32Guards

With 32Guards, you can use metadata to recognise threat patterns more quickly and respond to cyberattacks in a more targeted manner. 32Guards is not signature-based; it recognises threat trends from metadata such as the attached file types. Its database is built from metadata collected in German-speaking countries, which is why the service offers the best protection for companies in the DACH region.

Recognising trends is made possible above all by networking the individual NoSpamProxy instances. This is precisely why 32Guards helps against polymorphic, metamorphic and oligomorphic malware: in contrast to conventional cybersecurity solutions that inspect each file in isolation, the service analyses the current threat situation across all participating instances.

Information on the individual emails, such as file name, file size or hash value, is collated by higher-level malware intelligence and analysed in real time. Threats can thus be analysed quickly and acute danger situations responded to immediately.

Examples of such patterns are email attachments with the same file name but different hash values (exactly what a polymorphic campaign produces), or an increased volume of emails from certain geographical regions.
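As an added example (not 32Guards code; the records, regions and baselines are constructed), the following Python snippet runs the two patterns just mentioned over a small set of attachment metadata records: a cluster of attachments with the same name and near-identical size but different hashes within one hour, and an hourly volume from a region far above its baseline. The size tolerance and the thresholds are assumptions for this example; the region code ZZ is a placeholder.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed attachment metadata of the kind the text describes (file name,
# size, hash, sending region). Hashes are truncated placeholders, not real digests.
def _ev(hhmm, filename, size, sha256, country):
    ts = datetime.strptime(f"2024-08-19 {hhmm}", "%Y-%m-%d %H:%M")
    return {"ts": ts, "filename": filename, "size": size, "sha256": sha256, "country": country}


EVENTS = [
    _ev("09:02", "invoice.docm", 48120, "3f1a9c0b7e21", "ZZ"),   # same name, four different hashes
    _ev("09:05", "Invoice.docm", 48160, "a77d02e4c918", "ZZ"),
    _ev("09:11", "invoice.docm", 48090, "0c4be8f15d32", "ZZ"),
    _ev("09:40", "invoice.docm", 48200, "9e2f6a1d4b07", "ZZ"),
    _ev("09:07", "report.pdf", 210330, "5b8c3e9a2f10", "DE"),    # one document forwarded three times
    _ev("09:30", "report.pdf", 210330, "5b8c3e9a2f10", "DE"),
    _ev("10:15", "report.pdf", 210330, "5b8c3e9a2f10", "DE"),
    _ev("09:12", "offer.xlsx", 33000, "c1d2e3f4a5b6", "AT"),     # two unrelated files sharing a name
    _ev("09:50", "offer.xlsx", 990000, "b6a5f4e3d2c1", "AT"),
    _ev("11:20", "invoice.docm", 48150, "77e1c0a9f3d8", "ZZ"),
]
BASELINE_PER_HOUR = {"DE": 50, "AT": 20, "ZZ": 1}   # assumed normal hourly volume per region


def polymorphic_clusters(events, window=timedelta(hours=1), min_hashes=3, size_tolerance=0.05):
    """Flag file names that arrive with several distinct hashes but near-identical
    sizes inside one time window: the same body, re-encoded for every copy."""
    by_name = defaultdict(list)
    for e in events:
        by_name[e["filename"].lower()].append(e)
    flagged = []
    for name, group in by_name.items():
        group.sort(key=lambda e: e["ts"])
        for i, first in enumerate(group):
            in_window = [e for e in group[i:] if e["ts"] - first["ts"] <= window]
            hashes = {e["sha256"] for e in in_window}
            sizes = [e["size"] for e in in_window]
            if len(hashes) >= min_hashes and max(sizes) <= min(sizes) * (1 + size_tolerance):
                flagged.append((name, len(hashes)))
                break            # one finding per file name is enough
    return flagged


def regional_spikes(events, baseline_per_hour, factor=3.0):
    """Flag regions whose volume in any hour reaches `factor` times their baseline."""
    per_hour = defaultdict(int)
    for e in events:
        per_hour[(e["country"], e["ts"].replace(minute=0, second=0))] += 1
    return sorted({c for (c, _), n in per_hour.items() if n >= factor * baseline_per_hour.get(c, 1)})


if __name__ == "__main__":
    print(polymorphic_clusters(EVENTS))                   # [('invoice.docm', 4)]
    print(regional_spikes(EVENTS, BASELINE_PER_HOUR))     # ['ZZ']
```

The size check matters: two unrelated files that happen to share a name (offer.xlsx above) differ wildly in size and must not be counted as a mutation cluster. On a single gateway the numbers stay small; the pattern only becomes reliable when the metadata of many instances is pooled, which is the point of the networked approach described above.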

Verifying the sender reputation

Analysing the sender reputation of emails is an effective way of preventing phishing attacks and thus thwarting extortion attempts: malicious code is stopped before it reaches the user's computer at all.

  • Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a simple and effective method of preventing the misuse of sender domains: the domain owner publishes in DNS which hosts may send mail for the domain, and the receiving server checks the connecting IP address against that list.

  • DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) makes it possible to check both the authenticity and the integrity of emails: the sending system signs selected headers and the body with a private key, and the receiver verifies the signature against the public key published in DNS.

  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM and answers the following questions: How should the receiving server perform authentication, i.e. must the SPF or DKIM domain align with the domain in the From header? What should happen in the event of a failed check (none, quarantine or reject)? Whom should the receiving server inform about the authentication checks performed and their results?
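As an added example (not from the article or NoSpamProxy; the DNS records are constructed for the assumed domain example.com), the following Python code evaluates an SPF record offline for its ip4/ip6/all mechanisms and then applies the DMARC rules to the SPF and DKIM results: alignment of the authenticated domain with the From-header domain in strict or relaxed mode, the p= policy for the domain itself and sp= for its subdomains.

```python
import ipaddress

# Constructed records for the assumed domain example.com (not from the article).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms offline. include/a/mx/exists need DNS
    lookups and are skipped here; a resolver-backed check is required for them."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULTS[qualifier]
        if mech == "all":
            return SPF_RESULTS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels. Real implementations
    consult the Public Suffix List (example.co.uk needs three labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc result, disposition to apply) for one message."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none", "none"
    spf_ok = spf_result == "pass" and bool(spf_domain) and \
        aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and \
        aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p= applies to the record's own domain, sp= (if present) to its subdomains
    subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags.get("p", "none")) if subdomain else tags.get("p", "none")
    return "fail", policy


if __name__ == "__main__":
    print(spf_check(SPF_RECORD, "192.0.2.77"))    # pass
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "example.com",
                         "pass", "mailer.example.net", "pass", "mail.example.com"))   # ('fail', 'reject')
```

The second call shows the common misconfiguration DMARC was designed to expose: SPF passes for a third-party mailer's domain and DKIM passes with a subdomain signature, yet neither identifier aligns with the From domain (adkim=s demands an exact match), so the message is rejected. The pct= tag, which lets a domain apply its policy to only a percentage of failing mail, is not modelled here.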

Analysing attachments and URLs

NoSpamProxy makes it possible to automatically convert attachments in Word, Excel or PDF format into harmless PDF files based on rules. Any malicious code is removed in the process, so the recipient receives a harmless attachment. Many other formats, such as executable files, can be recognised so that the attachment is blocked or the entire email is rejected.

URL Safeguard rewrites URLs in inbound emails so that, when the user clicks on one, the system checks again whether the URL has since received a negative rating. This increases security, because some attackers change the destination of a URL a few hours after the email has been sent, once the initial scan has already passed. URL Safeguard can be configured individually and, for example, switched on only for unknown communication partners.

Last but not least: protection through allowlisting

We have long recommended an allowlisting approach in conjunction with well thought-out attachment management. As with a firewall, the last rule of the content filter is a so-called any-any-drop rule: a small number of precisely defined formats that the company actually needs are permitted as email attachments, and everything else, especially the unknown part, is not. The format should be determined from the file's content (its magic bytes and container structure) rather than from the file extension alone; otherwise a renamed executable passes as a PDF.

This excludes all unnecessary attachment formats from delivery in advance and significantly reduces the risk posed by polymorphic, metamorphic and oligomorphic malware.
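The following Python function is an added example of such a last rule (not NoSpamProxy's own content filter; the allowlist and the sample attachments are constructed). It decides by content, not just by extension: the first bytes must match the declared type, and OOXML files are opened as the ZIP containers they are, so a .docm renamed to .docx is still recognised by its VBA project or its macro-enabled content type.

```python
import io
import zipfile

# Allowlist: extension -> magic bytes the content must start with. Anything not
# listed hits the final any-any-drop rule. (Constructed for this example.)
ALLOWED = {
    "pdf":  (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MACRO_CONTENT_TYPE = b"macroEnabled"     # appears in [Content_Types].xml of .docm/.xlsm files


def verdict(filename, data):
    """Deny by default; accept only allowlisted types whose content matches the name."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext not in ALLOWED:
        return "block", f"extension '.{ext}' is not on the allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return "block", f"content does not look like .{ext} (renamed file?)"
    if data.startswith(b"PK\x03\x04"):
        # OOXML is a ZIP container: a .docm renamed to .docx still carries its VBA project
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            return "block", "corrupt container"
        if MACRO_CONTENT_TYPE in ctypes or any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block", "macro-enabled Office document"
    return "allow", f".{ext} with verified content"


def make_ooxml(with_macros):
    """Build a minimal, constructed OOXML-style ZIP for exercising the check above."""
    main_type = (b"application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="' + main_type + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


SAMPLES = [   # constructed attachments
    ("invoice.pdf", b"%PDF-1.7\n% constructed"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),          # double extension
    ("report.pdf", b"MZ\x90\x00"),               # executable renamed to .pdf
    ("quote.docx", make_ooxml(False)),
    ("quote.docx", make_ooxml(True)),            # .docm renamed to .docx
    ("notes.txt", b"hello"),
]


def run_samples():
    """Apply the rule to every sample and return (name, decision) pairs."""
    return [(name, verdict(name, data)[0]) for name, data in SAMPLES]


if __name__ == "__main__":
    for name, decision in run_samples():
        print(f"{name:18} {decision}")
```

Of the six samples only invoice.pdf and the macro-free quote.docx are delivered; the double extension, the renamed executable, the renamed macro document and the unlisted .txt all fall through to the drop rule. A production filter would additionally unpack archives and apply the same rule recursively, since a blocked type inside a .zip is still that type.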

Not yet using NoSpamProxy?

With NoSpamProxy you can reliably protect your company from cyber attacks. Request your free trial version now!

Get your free NoSpamProxy trial now!
IMPRINT • EULA • Privacy Policy • © 2025 Net at Work GmbH