Polymorphic Malware

Hi guys

In 2015, security experts at Webroot scanned over 27 billion URLs, 600 million domains, 4 billion IP addresses, 20 million mobile apps and 10 million connected sensors, and examined over 9 billion file behaviour records.

They found that in 97% of all detections the malware was unique to the system it infected, even though, at its core, many of those infections were the same malware variant.

A technique called polymorphism is used by malware operators to alter the malware’s binaries so that each copy is a unique executable. This is not a new technique. It is usually applied either on the server where the malware is distributed, before the file is packaged for each victim, or on the client side, where the malware rewrites itself for each newly infected machine. Either way, every new infection carries a new signature, which is why cyber-security companies like Dell or Panda Security report new malware counts in the range of billions per year and millions per month.
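To show why per-infection uniqueness defeats exact-hash signatures while behaviour- or pattern-based detection still works, here is an added Python example (not from the original post or from Webroot). It constructs a toy "sample" with an invariant core wrapped in random junk, generates several variants, and compares three detection approaches: a SHA-256 blocklist, a byte-pattern match on the invariant core, and a simple byte n-gram similarity score. All names, the toy CORE bytes and the mutation scheme are assumptions made for illustration.

```python
import hashlib
import random

# Constructed toy sample: the part that does not change between variants.
# Real malware keeps its functional logic while wrapping it in variable bytes;
# this stand-in just uses a readable marker so the invariant part is obvious.
CORE = b"CORE:open-socket;download;persist;"


def make_variant(seed: int) -> bytes:
    """Build one 'polymorphic' variant: random prefix + invariant core + random suffix.
    Deterministic per seed so that results are reproducible."""
    rng = random.Random(seed)
    prefix = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    suffix = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    return prefix + CORE + suffix


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_signature_detects(blob: bytes, known_hashes: set) -> bool:
    """Classic blocklist: only an exact file hash already seen is detected."""
    return sha256_hex(blob) in known_hashes


def pattern_signature_detects(blob: bytes, pattern: bytes = CORE) -> bool:
    """Content signature on the invariant core (what a YARA-style rule targets)."""
    return pattern in blob


def byte_ngrams(blob: bytes, n: int = 4) -> set:
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: a crude stand-in for fuzzy hashing
    (ssdeep/TLSH style), useful for clustering variants of one family."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def run_demo(n_variants: int = 5):
    """Return (hash_hits, pattern_hits, total): how many variants each method catches
    when the blocklist only knows the first variant's hash."""
    variants = [make_variant(seed) for seed in range(n_variants)]
    known_hashes = {sha256_hex(variants[0])}  # analyst only ever saw variant 0
    hash_hits = sum(hash_signature_detects(v, known_hashes) for v in variants)
    pattern_hits = sum(pattern_signature_detects(v) for v in variants)
    return hash_hits, pattern_hits, len(variants)


if __name__ == "__main__":
    hits_hash, hits_pattern, total = run_demo()
    print(f"hash blocklist caught {hits_hash}/{total}, core pattern caught {hits_pattern}/{total}")
    v0, v1 = make_variant(0), make_variant(1)
    print("sha256 differs:", sha256_hex(v0) != sha256_hex(v1))
    print("n-gram similarity between two variants:", round(ngram_similarity(v0, v1), 3))
```

The hash blocklist catches exactly the one file the analyst already saw, while the core-pattern rule catches every variant; the n-gram score sits strictly between 0 and 1 because the variants share the core but not the junk. In practice the "core" is found by analysing behaviour (the file behaviour records the post mentions), not by string matching on a marker.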

Webroot specialists said, “This tactic poses a major problem to traditional security approaches, which struggle to discover singular variants, let alone do so in time to stop data breaches and other compromises.”

Grayson Milbourne, Security Intelligence Director for Webroot, explained, “While polymorphic malware has been around for over a decade, it is now the norm for nearly all threats today.”

In 2014, Webroot detected an average of 700 file instances per malware family, and nearly 30,000 file instances per PUA (Potentially Unwanted Application). This changed dramatically in 2015, when the same Webroot researchers saw fewer than 100 file instances per malware family and around 260 file instances per PUA. The file instances still exist, but the use of polymorphic distribution models makes detecting every variant much harder.

Check out Webroot’s 2016 Threat Brief: Next-Generation Threats Exposed report: https://webroot-cms-cdn.s3.amazonaws.com/7814/5617/2382/Webroot-2016-Threat-Brief.pdf

Source: Akati
