Server-side polymorphism: How mutating web malware tries to defeat anti-virus software [VIDEO]

Server-side polymorphism: How mutating web malware tries to defeat anti-virus software [VIDEO]

Potato head. Image from Shutterstock
Server-side polymorphism is a technique used by malware distributors in an attempt to evade detection by anti-virus software.

Regular polymorphic (literally “many shapes”) malware is malicious code which changes its appearance through obfuscation and encryption, ensuring that no sample looks the same. Although the idea of mutating malware sounds quite scary, it’s actually been used by malicious hackers since the early 1990s.

Early examples of polymorphic malicious code include the Tequila virus, SMEG (which literally stood for “Simulated Metamorphic Encryption Generator”) and Dark Avenger’s Mutation Engine (which lesser-skilled virus authors could plug into their malware to grant it the ability to be polymorphic).

As the years passed, polymorphic malware got more and more sophisticated – hoping to beat anti-virus software one of two ways. The malware author’s hope was that we would either fail to detect all instances of their mutating code, or would false alarm on innocent code making our detection routines more of a pain than the actual virus.

The good news is that most anti-virus software does a good job today of detecting polymorphic malware – perhaps by looking for the encrypted part of the code’s decryptor (which can itself be variable, of course) and other techniques.

Which is why cybercriminals grasped the idea of server-side polymorphism.

Once again, the code mutates its appearance. But the engine driving the mutation is no longer in our hands for examination – it’s hidden away on the server’s side of the website, out of our reach.

That means that the code which is run in your browser is completely different each time. If we simply tried to compare the code to previous examples of the malware we have seen, we wouldn’t get a match.

Check out the following video by our own Chet Wisniewski, showing server-side polymorphism in action:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you want to learn more you can subscribe to our YouTube channel for similar videos. But even better than that, we hold regular “Anatomy of Attack” events where we demonstrate malware threats and you can quiz Sophos experts.

If there’s not an “Anatomy of an Attack” event scheduled in your area soon, drop us a note and we’ll let you know if and when one is coming to your part of the world.

Potato head image from Shutterstock.