ELI5: What is Metamorphic Malware?

This malware completely rewrites itself each time it spreads, like a spy who gets a new face, new clothes, and a new name at every city. It does the same bad things, but looks totally different each time.

Definition

Metamorphic malware is an advanced form of evasive malware that completely rewrites its own code with each infection or generation while preserving its original functionality. Unlike polymorphic malware (which encrypts its code with a changing key), metamorphic malware uses code transformation techniques—instruction substitution, code transposition, register reassignment—to generate a structurally different but functionally identical copy, defeating signature-based detection.

Key Details

  • No constant signature: Each generation is structurally different—traditional signature-based AV cannot reliably detect it.
  • Transformation techniques: dead code insertion (adding no-op instructions), instruction substitution (equivalent instructions), code transposition (reordering independent blocks), register renaming.
  • Considerably harder to build than polymorphic malware: the mutation engine that rewrites the code has to travel inside the malware itself.
  • Defeated by: behavioral analysis (what the malware does, not what it looks like), heuristic detection, EDR solutions.
  • Examples include: the W32/Simile (Evol) virus; modern APT malware increasingly uses metamorphic techniques.
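As an added example (not from the original page), here is a small Python normalizer that undoes three of the transformations listed above, dead code insertion, instruction substitution and register renaming, on two constructed toy listings: a raw byte signature sees two unrelated files, while a signature over the canonical form matches. The listings, rule set and names are assumptions made for illustration.

```python
"""Added example: code normalization as a defence against metamorphic variants.
The listings below are constructed toy routines, not real malware."""
import hashlib
import re
# Constructed sample: B is A after dead-code insertion (nop), instruction
# substitution (xor r,r == mov r,0) and register renaming (ebx -> ecx).
VARIANT_A = """mov eax, 0
push ebx
mov ebx, [esp+8]
add eax, ebx
pop ebx
ret"""
VARIANT_B = """nop
xor eax, eax
push   ecx
nop
mov ecx, [esp+8]
add eax, ecx
pop ecx
ret"""
# A genuinely different routine; it must NOT collapse onto the same signature.
UNRELATED = VARIANT_A.replace("add eax, ebx", "sub eax, ebx")
DEAD_CODE = [re.compile(p) for p in (r"^nop$", r"^mov (\w+), \1$", r"^(add|sub|or) \w+, 0$")]
SUBSTITUTIONS = [  # equivalent idiom -> one canonical spelling
    (re.compile(r"^xor (\w+), \1$"), r"mov \1, 0"),
    (re.compile(r"^sub (\w+), -(\d+)$"), r"add \1, \2"),
]
GP_REGISTER = re.compile(r"\b(e[a-d]x|e[sd]i)\b")  # esp/ebp keep their role, left alone

def normalize(listing: str) -> list[str]:
    """Undo dead-code insertion, instruction substitution and register renaming.
    Code transposition is not handled here: that needs emulation or behavioural analysis."""
    regmap = {}
    out = []
    for line in listing.strip().splitlines():
        ins = " ".join(line.split())                       # collapse spacing tricks
        if any(p.match(ins) for p in DEAD_CODE):
            continue
        for pattern, canonical in SUBSTITUTIONS:
            ins = pattern.sub(canonical, ins)
        # rename registers by order of first appearance: eax -> R0, ebx or ecx -> R1
        ins = GP_REGISTER.sub(lambda m: regmap.setdefault(m.group(1), f"R{len(regmap)}"), ins)
        out.append(ins)
    return out

def raw_signature(listing: str) -> str:         # what a byte-level signature sees
    return hashlib.sha256(listing.encode()).hexdigest()

def normalized_signature(listing: str) -> str:  # signature of the canonical form
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

Running `normalized_signature` over the two variants returns the same digest while `raw_signature` does not, and the unrelated routine stays distinct, which is the property a normalization-based detector needs.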

Connections