How are Polymorphic Malware are Deceiving the Traditional Cyber Security Method?

5 min readJun 20, 2019

The term ‘polymorphic malware’ refers to the types of malware that constantly change for evading detection. Polymorphic malware frequently change their identifiable characteristics such as file names, its types, or encryption keys in order to make the malware unrecognizable against many detection techniques.

Researchers have found that 93% of all the malware are polymorphic in nature. Polymorphic malware have existed since the period of the 1990s but in recent years, these types of malware have taken up an aggressive form.

Polymorphism is a technique that helps in evading pattern-matching detection that is dependent on traditional cyber security solutions such as antivirus. The functional purpose of a polymorphic malware remains the same regardless of the certain changes in its characteristics.

Here are some of the most infamous cases in the history of malware attacks:

Storm Worm Email

In 2007, an infamous spam email was sent to people with the subject line as “230 dead as storm batters Europe”. This malware attack was responsible for approximately 8% of all global malware infections. As soon as the attachment within the email is opened, it installs a wincom32 service and a trojan into the recipient’s computer and transforms it into a bot. The malicious code that was used in the malware is changed every 30 minutes.


Locky is a family of malware that is delivered in the disguise of .doc file attachments, containing a receipt, invoice, resume, or any other business documents. The .doc file contains text that is macros that automatically downloads the malicious software which then starts encrypting files. The family of Locky malware utilizes macro laden .doc files in order to permeate the computer system and encrypt files.


This family of malware targets computers that use Windows and is delivered through ZIP files which contain an executable file disguised as a PDF icon. Once the file is opened, the payload installs itself in the profile folder and adds a registry key which prompts it to run at the computer startup. Once this process is completed, it contacts the command server leading to the generation of a 2048-bit RSA key repair and is sent back to the computer. Local and accessible files with certain extensions including Office docs, CAD files, etc. are encrypted.

CryptoWall Ransomware

A form of polymorphic ransomware strain, CryptoWall encrypted files that were present on the victim’s computer and demanded a ransom payment for their decryption. The polymorphic builder used in Cryptowall helped in designing a new variant of the ransomware for every probable victim.


This malware family is delivered via malicious links in the phishing emails, but it uses a number of delivery tactics that are particularly difficult to track. The malware is utilized in the ransomware-as-a-service model which makes it easy to use for everyone. It can encrypt many file types and can easily encrypt entire enterprise databases as well as individual machines. Cerber is regularly utilized in the ransomware-as-a-service model.

Kelihos Botnet

Also known as Hlux, this botnet can send massive amounts of spam emails and stealing bitcoins. By using the peer-to-peer method, the botnet can function even if one of the servers is shut down.

How can Organizations Secure Themselves Against Polymorphic Attacks?

For many years, the viewpoint on malware protection has been inclined towards investing in traditional security methods such as firewalls, antivirus as well as IPS. However, when it comes to protection against polymorphic malware, these solutions do not work properly. Traditional security methods are inept in detecting continuous changes in the case of polymorphic malware.

The fact that polymorphic malware is being used in nearly all the successful attacks, it has become clear that organizations have not been able to measure the gravity of their effects. This ineptness of the traditional security methods and the inability of organizations to combat attacks that use Polymorphic malware makes it necessary to employ state-of-the-art cyber security measures. A layered approach to enterprise security that combines people, processes, and technology helps in providing protection against polymorphic malware. Here are some of the most successful solutions:

Keeping the Software Up to Date: One very effective way that helps in preventing malware infections is to keep the applications and software tools up to date. Enterprise software manufacturers regularly release software updates containing critical security patches for known vulnerabilities. Outdated software may contain security vulnerabilities that may leave your company open to exploits leading to many malware infections.

Avoid clicking suspicious links or attachments: Phishing emails usually contain malicious links or attachments that are used to spread malware. It is very important to create awareness among employees so that they can recognize emails that contain suspicious links or attachments, thus, helping in patching up this common entry point for malware attacks.

Using strong passwords: It is a very important practice to change the password on a regular basis. It is important to ensure that your accounts are protected with secure passwords that are unique.

Using tools that can detect anomalous behaviour: Polymorphic malware are designed with the ability to evade detection by traditional security methods. Therefore, the best solution is to use advanced threat or endpoint detection that can detect threats in real-time before any of your data gets compromised.

The rising prevalence of polymorphism, cryptojacking, ransomware, malicious URLs, increasing sophistication in phishing attacks as well as malicious mobile applications, all point at a future that requires immediate attention and multi-layered defenses.

Today, we are in dire need of solutions that can provide advanced endpoint and network protection. Cyber security companies like Kratikal provide state-of-the-art cyber security products as well as services that can effectively fence the cyber security of an organization.




Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.