
Asked and answered: ‘What is the best defense against polymorphic malware?’

No signatures, please. A behavior-based approach is best for polymorphic malware.

Francis Scialabba


In the early days of malware detection, it was almost too simple. Antivirus tools would look for a distinguishing sequence of malicious code, or “signature.”

Then threat actors caught on, and started adding the software equivalent of an eyepatch, a funny hat, and Groucho Marx glasses.

“Polymorphic” code, programmed to change its features and evade signature detections, led to anti-malware tools that focused on malicious-ish behavior, like a registry change or an open port, rather than known code.

Though polymorphic code appeared as early as 1989, an IT Brew reader asked us this year what the best defense against it is.

Generative AI and the evolving answers of the always-learning language models give new relevance to the decades-old threat of contorting code. With language models’ potential to serve up malware (and mutations of it), behavior-based recognition and healthy cybersecurity habits like not clicking everything are still a strong move against malware that morphs.

What is polymorphic malware?

  • Polymorphic malware frequently uses varying encryption and decryption mechanisms to change itself and dodge signatures. Loaders can also download components from various sites, modifying the code’s makeup.
  • “That ‘innocent’ app will connect to another computer, and on that computer it will bring some more code from the network,” Check Point Software CEO Gil Shwed told IT Brew in February.
  • A recent report from the cybersecurity software company OpenText found that 87.5% of malware was unique to one PC.

Generatively speaking. A January demo from CyberArk found that, with a little text trickery, one could bypass ChatGPT’s content filters and get the model to write malicious code variations.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

As the language models improve, Candid Wüest, VP of cyberprotection research at Acronis, imagines viruses themselves doing the querying, reaching out to AIs for different code options. The scenario presents a detection challenge, given the output variation, but one that would still require monitoring behavior: the request.

“So, if you ask it, ‘Create a code to steal the bitcoin wallet,’ then I’m going to detect the behavior, ‘steal the bitcoin wallet,’ and I don’t really care what the response is,” said Wüest.

Endpoint detection and response, or EDR, vendors like SentinelOne, Trend Micro, CrowdStrike, and Microsoft Defender watch for suspicious system-level behavior, like the encryption of data or the exporting of a file. Next-generation firewalls also exist to learn “good” network behavior so they can flag the bad.

“You want to look for those anomalous activities and behaviors that can raise alarms, rather than just: Is this file matching this known malicious file number?” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.
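To make the signature-versus-behavior contrast concrete, here is a small added example (not code from IT Brew or any vendor quoted above). It models two constructed process traces that do the same things but have different file bytes, standing in for a mutated decryptor stub around the same payload, plus one benign backup tool. A hash blocklist that learned the first variant misses the second; a behavior scorer, using assumed weights and one assumed ordered rule (fetch more code, then encrypt user files), flags both and leaves the backup tool alone.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessTrace:
    """Constructed host-sensor record: what a process looked like and what it did."""
    name: str
    image_bytes: bytes   # executable content as seen on disk
    events: list         # behaviours reported by the sensor, in order

    def sha256(self) -> str:
        return hashlib.sha256(self.image_bytes).hexdigest()


# Per-behaviour weights (assumed values for illustration, not any vendor's scoring).
BEHAVIOR_WEIGHTS = {
    "download_second_stage": 3,   # loader pulls more code from the network
    "registry_run_key_set": 3,    # persistence via a Run key
    "listen_port_opened": 2,
    "mass_file_encrypt": 5,       # ransomware-style encryption of user data
    "outbound_file_upload": 4,    # possible exfiltration
    "read_docs_folder": 1,
}
ALERT_THRESHOLD = 6

# Assumed high-confidence ordered pattern: fetch more code, then encrypt user files.
SEQUENCE_RULES = {
    "loader_then_encrypt": ["download_second_stage", "mass_file_encrypt"],
}


def signature_match(trace: ProcessTrace, blocklist: set) -> bool:
    """Classic signature check: is this exact file already known bad?"""
    return trace.sha256() in blocklist


def behavior_score(trace: ProcessTrace) -> int:
    """Sum the weights of observed behaviours; unknown events score 0."""
    return sum(BEHAVIOR_WEIGHTS.get(e, 0) for e in trace.events)


def matched_sequences(trace: ProcessTrace) -> list:
    """Return names of ordered rules whose steps all appear, in order, in the trace."""
    hits = []
    for rule_name, steps in SEQUENCE_RULES.items():
        pos = 0
        for event in trace.events:
            if event == steps[pos]:
                pos += 1
                if pos == len(steps):
                    hits.append(rule_name)
                    break
    return hits


def classify(trace: ProcessTrace, blocklist: set) -> dict:
    """Run both views side by side so the difference between them is visible."""
    score = behavior_score(trace)
    seqs = matched_sequences(trace)
    return {
        "name": trace.name,
        "signature_hit": signature_match(trace, blocklist),
        "behavior_hit": score >= ALERT_THRESHOLD or bool(seqs),
        "score": score,
        "sequences": seqs,
    }


# Constructed samples. The two "variants" do the same things but their bytes differ,
# standing in for a mutated decryptor stub wrapped around the same payload.
MALICIOUS_EVENTS = ["download_second_stage", "registry_run_key_set", "mass_file_encrypt"]
VARIANT_A = ProcessTrace("updater_a.exe", b"STUB-v1|" + b"same-payload", MALICIOUS_EVENTS)
VARIANT_B = ProcessTrace("updater_b.exe", b"STUB-v2|" + b"same-payload", MALICIOUS_EVENTS)
# A backup tool reads documents and uploads them: legitimately "suspicious-ish".
BENIGN = ProcessTrace("backup.exe", b"backup-tool", ["read_docs_folder", "outbound_file_upload"])

# The blocklist knows only the first variant, as a signature feed would after one sample.
BLOCKLIST = {VARIANT_A.sha256()}

if __name__ == "__main__":
    for trace in (VARIANT_A, VARIANT_B, BENIGN):
        print(classify(trace, BLOCKLIST))
```

The backup tool scores 5 against a threshold of 6, which is the uncomfortable zone where behavior-based tools live: weights and thresholds have to be tuned on real telemetry, and ordered rules like the one above are what add confidence without raising the threshold for everything else.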

Other ideas to stop the polymorphin’ power malware: the usual basics like patching, limiting privileges, and getting employees to not fall for phishing scams that lead to the download of changing code.

“Malware needs to run as an administrator. So, if you disable that in the local machine, then that stops it from accessing certain parts of the system,” said Steinhauer.

That kind of “basic hygiene” is timeless and has been around since antivirus only used signatures.
