Server-side polymorphism: How mutating web malware tries to defeat anti-virus software [VIDEO]

Filed Under: Featured, Malware, Video

Potato head. Image from Shutterstock
Server-side polymorphism is a technique used by malware distributors in an attempt to evade detection by anti-virus software.

Regular polymorphic (literally "many shapes") malware is malicious code which changes its appearance through obfuscation and encryption, ensuring that no sample looks the same. Although the idea of mutating malware sounds quite scary, it's actually been used by malicious hackers since the early 1990s.

Early examples of polymorphic malicious code include the Tequila virus, SMEG (which literally stood for "Simulated Metamorphic Encryption Generator") and Dark Avenger's Mutation Engine (which lesser-skilled virus authors could plug into their malware to grant it the ability to be polymorphic).

As the years passed, polymorphic malware got more and more sophisticated - hoping to beat anti-virus software one of two ways. The malware author's hope was that we would either fail to detect all instances of their mutating code, or would false alarm on innocent code making our detection routines more of a pain than the actual virus.

The good news is that most anti-virus software does a good job today of detecting polymorphic malware - perhaps by looking for the encrypted part of the code's decryptor (which can itself be variable, of course) and other techniques.

Which is why cybercriminals grasped the idea of server-side polymorphism.

Once again, the code mutates its appearance. But the engine driving the mutation is no longer in our hands for examination - it's hidden away on the server's side of the website, out of our reach.

That means that the code which is run in your browser is completely different each time. If we simply tried to compare the code to previous examples of the malware we have seen, we wouldn't get a match.

Check out the following video by our own Chet Wisniewski, showing server-side polymorphism in action:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you want to learn more you can subscribe to our YouTube channel for similar videos. But even better than that, we hold regular "Anatomy of Attack" events where we demonstrate malware threats and you can quiz Sophos experts.

If there's not an "Anatomy of an Attack" event scheduled in your area soon, drop us a note and we'll let you know if and when one is coming to your part of the world.

Potato head image from Shutterstock.

, , , , ,

You might like

7 Responses to Server-side polymorphism: How mutating web malware tries to defeat anti-virus software [VIDEO]

  1. lewis · 1161 days ago

    Does this not meen time to panic??

    surely of this becomes popular in the future with malware, more and more computers are going to be infected and AV's cannot do nothing about it as there will have to be thousands of definitions updated daily.

    • Graham Cluley · 1161 days ago

      Don't panic! Although the bad guys have got more sophisticated - so have the chaps wearing the white hats. :)

      Keep your anti-virus up-to-date (and turn on features like "Live Protection" for the highest level of protection), keep your OS and apps patched with security updates, and ensure you are using a defence in depth approach to protecting your valuable data.

    • WTFIgavemyFBlogin · 964 days ago

      I'd say it's time to put a bounty on malware writer's heads.

  2. Ken Everett · 1161 days ago

    I still cannot help but wonder why, after all these years, no-one has thought to protect the registry and other areas where malicious code needs to reside so as to become active\resident.

    Simply by 'playing' with the permissions on certain registry keys, it is possible to prevent malicious software from adding or changing critical start-up values.

    I could have hundreds of virii or malware programs on my PC - but if they are unable to execute what threat do they pose? By removing all permissions on a malicious executable, it becomes nothing more than a filler.

    Some sage once said that prevention is better than cure..... Why on earth go to all this trouble of trying to anticipate every permutation that might ever appear when all you need is a simple, protected, intelligent execution manager.

    I think I'll develop one and sell it for a $ a pop......

  3. snert · 1161 days ago

    I disremember what it's called but isn't there anti-malware that detects malware based on it's behavior? If the malware mutates it's still going to behave, basically, the same because it's trying to do the same nasties, right?

  4. snert · 1160 days ago

    Will heuristic scanners be any good against these mutating nasties?

  5. Dave Ott · 1136 days ago

    I had a kid named're not my kid, are you?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley