What is a Polymorphic Virus?
Detection and Best Practices

Kurt Baker - July 22, 2022

What is a Polymorphic Virus?

A polymorphic virus, sometimes referred to as a metamorphic virus, is a type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines. As a result, many traditional cybersecurity tools, such as antivirus or antimalware solutions that rely on signature-based detection, fail to recognize and block the threat.

Expert Tip

How can a polymorphic virus evolve?

File name changes | Compression | Encryption

How often can a polymorphic virus evolve?

≈ 10 minutes

How prevalent are polymorphic viruses?

Nearly all malware attacks include some form of polymorphic techniques

How does a Polymorphic Virus work?

A polymorphic attack usually follows this process:

  1. The cybercriminal hides the malicious code via encryption, allowing it to bypass most traditional security tools.
  2. The virus is installed on an endpoint and the infected file is downloaded and decrypted.
  3. Once downloaded, a mutation engine creates a new decryption routine that is attached to the virus, making it appear to be a different file, and therefore unrecognizable to security tools — even if an earlier version of the computer virus had been detected and placed on a blocklist.

While polymorphic viruses may evolve in terms of their file name, size or location, the function, operation and goal of the malware remain the same. For example, a trojan that has polymorphic properties will always operate as a trojan — even if the file signature changes.

Examples of Polymorphic Viruses

Polymorphic viruses first emerged in the 1990s as part of a research program to demonstrate the limitations of existing antivirus scanners. The very first, a virus called 1260, or V2PX, was meant to serve as a warning to internet users, though it inadvertently inspired a wave of criminal activity based on the virus’s capabilities. In the decades that followed, countless polymorphic viruses have emerged and today nearly every malware infection employs some form of polymorphism.

Some of the most well-known examples of polymorphic viruses and malware include:

  1. The Storm Worm: A multi-layer attack, The Storm Worm used social engineering techniques to trick users into downloading a trojan, which would then infect the computer and turn the target’s system into a bot. The campaign infected more than 1 million endpoints and disrupted internet service to hundreds of thousands of users at a time.
  2. VirLock: Considered to be the first example of polymorphic ransomware, VirLock was a malware attack that spread through shared applications and cloud storage. It behaved as typical ransomware, restricting the victim's access to the endpoint and altering files until an extortion payment was made.
  3. Beebone: An advanced polymorphic malware attack, Beebone took control of thousands of computers worldwide to form a botnet with the goal of disrupting banking activity through ransomware and spyware.

Though polymorphic virus is a common term in the cybersecurity world, not all polymorphic attacks are viruses. Some rely on other types of malware — such as Trojans, keyloggers, bots, spyware and ransomware — that have been equipped with a mutation engine. Technically speaking, these attacks involve polymorphic malware or metamorphic malware.

How to Detect a Polymorphic Virus

Polymorphic viruses — or any type of malware that contains polymorphic techniques — can be difficult to detect by traditional threat detection methods because of their advanced mutation capabilities.

In simple terms, traditional antivirus or antimalware software looks for signatures or heuristics, which are sequences of code within the file. These tools cannot recognize the threat once it is re-encrypted. This is true even if another endpoint has been infected previously on the same network by a known polymorphic virus that has been added to the blocklist.

To detect polymorphic viruses, organizations must employ advanced cybersecurity tools that enable signature-less malware protection.

Signature-less malware protection uses machine learning (ML) algorithms to determine the likelihood that a file is malicious by analyzing the broader picture and extracting so-called “features” from the files analyzed. These are high-level characteristics that numerically describe the structure of the file. For example, the ML model can look at the amount of randomness in various areas of the file, as well as images, icons, user interface templates or string tables. The tool can also dissect and describe the code in a numerical fashion so that it can be fed into a machine learning classifier.
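The contrast between exact-match signatures and structural features can be shown on harmless data. The following is an added example, not code from the original article or from any CrowdStrike product: the two "variants" are constructed byte strings (a text stub followed by pseudo-random bytes standing in for an encrypted body), and the function names, window size and thresholds are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024  # bytes per window (assumed value for this example)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(blob: bytes, window: int = WINDOW) -> list:
    """Per-window entropy: a numeric feature vector describing the file's layout."""
    return [shannon_entropy(blob[i:i + window]) for i in range(0, len(blob), window)]

def blocklisted(blob: bytes, blocklist: set) -> bool:
    """Exact-match signature check on the file's SHA-256."""
    return hashlib.sha256(blob).hexdigest() in blocklist

def looks_packed(profile: list, low: float = 5.0, high: float = 7.0) -> bool:
    """Structural heuristic (thresholds are assumptions): some low-entropy
    region plus mostly high-entropy windows, as in a stub before an encrypted body."""
    if len(profile) < 2:
        return False
    high_share = sum(e > high for e in profile) / len(profile)
    return min(profile) < low and high_share >= 0.5

def constructed_sample(key: bytes) -> bytes:
    """Harmless stand-in for one variant: text 'stub' + pseudo-random 'body'.
    The body is SHA-256 output, standing in for content encrypted under `key`."""
    stub = (b"decoder stub " + key + b" ") * 100
    body = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(128))
    return stub[:WINDOW] + body

VARIANT_A = constructed_sample(b"key-A")   # the variant already on the blocklist
VARIANT_B = constructed_sample(b"key-B")   # same layout, different bytes
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 100
BLOCKLIST = {hashlib.sha256(VARIANT_A).hexdigest()}

if __name__ == "__main__":
    for name, blob in [("A", VARIANT_A), ("B", VARIANT_B), ("text", PLAIN_TEXT)]:
        profile = [round(e, 2) for e in entropy_profile(blob)]
        print(name, blocklisted(blob, BLOCKLIST), looks_packed(profile), profile)
```

The hash lookup matches only the variant whose digest is already on the blocklist, while the entropy profile flags both variants and leaves ordinary text alone. A production classifier would combine many such features rather than rely on one threshold.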

One of the most effective ways to protect the organization from a polymorphic virus is to implement a robust next-generation antivirus (NGAV) solution that includes protection from both known and unknown threats, including fileless attacks and signature-less attacks, as well as prevention of malware-free attacks and integration with threat intelligence tools.

For more information please read our related post, What is NGAV?

Best Practices to Prevent Polymorphic Viruses

A large portion of polymorphic virus attacks begin with compromise at the user level. For this reason, it’s important that all internet users remain vigilant for attack indicators and exhibit responsible behavior.

Some common tips include:

  • Always install reputable next-generation antivirus software, preferably a cloud-native security solution, and ensure it is updated regularly.
  • Keep your operating systems and applications updated.
  • Use a pop-up blocker or avoid clicking pop-up ads.
  • Never open unsolicited or suspicious email attachments from unverified senders.
  • Never use an unsecured Wi-Fi connection.
  • Only access links that begin with HTTPS.
  • Be wary of free software and make sure to carefully read the terms and conditions.
  • Put a screen lock on your smartphone.
  • Use strong passwords on all devices.
  • Enable multi-factor authentication on all devices and applications.
  • Carefully review all permissions you grant to apps at the time of installation.
  • Be cautious about consenting to website cookies.

Replace Your Outdated Antivirus Solution

CrowdStrike Falcon® Prevent™ is the new standard in prevention, delivering superior protection from malware, exploits, malware-free intrusions and advanced persistent threats. Organizations gain an unprecedented level of visibility into attempted attacks in an easy-to-read process tree that provides the details and context necessary to understand what’s happening on the endpoint and how to remediate effectively.

CrowdStrike Falcon® Prevent enables state-of-the-art protection:

  • Machine learning and artificial intelligence detect known and unknown malware and ransomware
  • Behavior-based indicators of attack (IOAs) prevent sophisticated fileless and malware-free attacks
  • Exploit blocking stops the execution and spread of threats via unpatched vulnerabilities
  • Ability to detect and quarantine on write stops and isolates malicious files when they first appear on a host
  • Industry-leading threat intelligence is built into the CrowdStrike Security Cloud to actively block malicious activity
  • Automated IOA remediation cleans up known artifacts left behind from blocked malicious activity

GET TO KNOW THE AUTHOR

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.