ELI5: What is Polymorphic Malware?

Each time this malware copies itself, it puts on a different disguise — like changing its hat, jacket, and glasses. Security tools looking for one specific outfit can’t recognize it.

Definition

Polymorphic malware evades signature-based detection by mutating its code signature with each new infection while preserving its core malicious functionality. Typically, polymorphic malware encrypts its payload and changes the encryption key and decryption stub with each copy, so each instance presents a different byte pattern to scanners—making traditional signature matching ineffective.

Key Details

  • Encryption + mutation engine: The malware payload is encrypted; a decryption stub decodes it at runtime. The stub changes with each infection—so each copy has a different signature.
  • Different from metamorphic: polymorphic malware changes only the encryption wrapper (key and decryption stub) around an unchanged payload; metamorphic malware rewrites the entire code with each generation.
  • Signature-based AV is largely ineffective—the malware looks different every time.
  • Defeated by: behavioral analysis (detecting what the malware does after decryption), heuristic detection, sandboxing (executing samples in isolated environments to observe behavior), EDR.
  • Many modern ransomware and banking trojans use polymorphic techniques to evade initial detection.
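The following is an added illustration (not part of the original page, and not derived from any real malware family) of why the encryption-plus-mutation scheme above defeats byte signatures while behavioural or emulation-based detection still works. The "payload" is a constructed benign string, the "mutation engine" is a single-byte XOR with a fresh key and a random junk prefix standing in for a rewritten decryption stub, and every function name here is the example's own.

```python
import hashlib
import random

# Constructed benign stand-in for a malicious payload; no real malware involved.
PAYLOAD = b"CONSTRUCTED-SAMPLE: drop marker file; beacon to example.invalid"


def make_copy(rng: random.Random) -> bytes:
    """Produce one 'infection copy': the same payload XOR-encoded with a fresh
    key, behind a fresh random junk prefix that stands in for a rewritten
    decryption stub. Layout: [junk_len][key][junk...][encoded payload]."""
    key = rng.randrange(1, 256)  # never 0, so the encoded body always differs
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 16)))
    body = bytes(b ^ key for b in PAYLOAD)
    return bytes([len(junk), key]) + junk + body


def make_samples(n: int) -> list:
    """Deterministic sample set (seeded) so results are reproducible."""
    return [make_copy(random.Random(seed)) for seed in range(n)]


def emulate(copy: bytes) -> bytes:
    """Defender-side emulation: run the copy's own decoding step to recover
    what it would do at runtime, i.e. the part that never mutates."""
    junk_len, key = copy[0], copy[1]
    return bytes(b ^ key for b in copy[2 + junk_len:])


def static_match(copy: bytes, signature: bytes) -> bool:
    """Classic byte-pattern signature applied to the file as stored on disk."""
    return signature in copy


def behavioural_match(copy: bytes, signature: bytes) -> bool:
    """The same signature, applied to what the copy reveals after decoding
    (a stand-in for sandbox/EDR observation of runtime behaviour)."""
    return signature in emulate(copy)


def evaluate(copies: list, signature: bytes) -> tuple:
    """Return (distinct file hashes, static hits, behavioural hits)."""
    hashes = {hashlib.sha256(c).hexdigest() for c in copies}
    static_hits = sum(static_match(c, signature) for c in copies)
    behavioural_hits = sum(behavioural_match(c, signature) for c in copies)
    return len(hashes), static_hits, behavioural_hits


if __name__ == "__main__":
    samples = make_samples(10)
    sig = b"beacon to example.invalid"
    # Every copy hashes differently, the on-disk signature never fires,
    # but the decoded behaviour matches every time.
    print(evaluate(samples, sig))  # -> (10, 0, 10)
```

The point of the demo is the asymmetry in `evaluate`: ten copies of one payload yield ten different hashes and zero static signature hits, yet every copy is caught once detection is moved to the decoded content, which is exactly what sandboxing, heuristic emulation and EDR do.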

Connections