Metamorphic malware is malicious software that is capable of changing its code and signature patterns with each iteration.
At its very simplest, malware contains an encrypted virus that has a decryption routine (VDR) and an encrypted virus body (EVB). When the infected application executes, the VDR decrypts the EVB and the virus carries out its intended function. In the propagation phase, the virus gets re-encrypted and attached to another host application. Each copy generates a new key, but the virus decryption routine remains the same and this is how anti-virus software applications can identify malware programs.
Polymorphic malware adds an additional component to the encrypted code -- a mutation engine (ME) that changes the virus decryption routine with each iteration by using obfuscation techniques such as inserting junk code, reordering instructions and using mathematical contrapositives. This type of malware can still be recognized by anti-virus software fairly easily, however, because the decrypted virus body remains the same.
Metamorphic malware takes virus mutation to the next level. It uses the polymorphic malware’s mutation engine to change both the virus decryption routine and the encrypted virus body. The mutation engine disassembles the code and represents it with a meta-language that characterizes the code’s function but disregards how the code achieves this function. The end result is new code that bears no resemblance to its original syntax, but is functionally the same.
Metamorphic malware is more difficult for anti-virus software to recognize, but not impossible. The weakness of metamorphic software is that the mutation engine needs to analyze the code in order to disassemble it – and if the mutation engine can analyze the code, so can vendors who make anti-virus software. To prevent metamorphic malware from infecting computers on a network, administrators should use a multi-layered approach to blended threat management including:
- A well-defined and effective set of security policies.
- Remote access restrictions.
- Antivirus software that is updated frequently.
- Compliance monitoring at the server and end-user levels.
- Network and personal firewalls with unused service ports shut down.
- Email content filtering and file scanning at the server level.