How Polymorphic Malware Evades Detection — And What to Do About It

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we get into something that should terrify every IT and security

professional polymorphic malware.

This is the kind of malware that literally changes its own code.

Its signature, its behavior.

Even the IP addresses it talks to just so your antivirus can't catch it.

Dr. Mike Saylor joined persona in me to break down how polymorphic malware

works, why it's been so effective at, uh, evading detection and what the, it's

scarier cousin metamorphic malware can do.

That's even worse.

Well, we also cover waterhole attacks and what behavioral detection

actually looks like in practice.

If you thought your antivirus or anti-malware had it covered this episode.

Hopefully will change your mind and probably scare you a little bit.

If you don't know who I am.

I'm w Curtis Preston, AKA, Mr. Backup, and I've been passionate about backup

and recovery for over 30 years.

That's right.

30 years ever since, uh, there were no backups of the production

database that we just lost.

So that's why I do this because I don't want you to do that.

On this podcast.

We turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup.

And with me, I have a guy that's starting to remind me of

my wife Prasanna, Malaiyandi.

How's it going?

Prasanna.

So basically I'm awesome because your wife is amazing, is what you're saying.

Yeah, that's what it was.

That was what it was.

I was just like, you were saying something.

I was like, man, you're starting to sound like my wife, becoming

very predictable and how

But in fairness, but yes, because the last episode, I was judgy mc

Yeah.

this time though, but be honest, right?

You knew I was going to ask

Yeah.

That's what I'm

So you did it, but you didn't actually complete it.

whatever,

So you failed.

blah, blah, blah.

Anyway, hi.

we have also with us to watch our bickering, we have Dr. Mike Sailor,

CEO of Black Swan Cybersecurity and co-author with me of this lovely book.

Learning ransomware response and recovery.

That should ship any day now for anyone who wants to order it.

and I believe the, the electronic version is already on its way out.

Doctor Mike Saylor.

How's it going,

Mike?

everybody.

Thank you.

All right,

like a married couple?

I think we need a third party to.

Make

It Ha it happens

sometimes.

so Mike, there's a phrase that you brought up a lot in the book.

and so I. I wanted to give you an opportunity to talk about it, to talk

about what it is, why it matters, and is there anything we can do about it?

And of course, what we're talking about today is polymorphic

ransomware, AKA, the shapeshifter.

Do you wanna start this out by talking about VeriLock?

what was VeriLock or is VeriLock and, how does that factor into

the, into this whole thing?

Sure.

Yeah, it was one of the most, talked about, polymorphic, malware, it

functioned by compromising your computer with malware that had yet

to be defined in a, anti-malware antivirus signature base, or heuristics.

so it, it was designed to, to look different, to behave different, so

that it could survive the filters.

and it was usually delivered in a, in an attachment that.

That you would expect.

so if you worked in accounting, maybe it was an invoice if you worked

in, the warehouse, maybe it was a shipping label, if you worked in, the

computer room or the mail room, maybe it was a PO or something like that.

So it was designed so that, you, you wouldn't suspect that attachment was,

malware or something unsolicited.

But yeah, when you open that attachment, the, it triggered the payload.

The payload would drop, and start to slowly or, unsu suspiciously, deploy

itself within the computer and start to, to, to then progress into the, the Mitre

attack, phases of reconnaissance and.

asset value identification spreading and those kind of things.

So the polymorphic part of that was really designed so that, and backing up too.

So a lot of antivirus software works on a schedule.

So you could have the latest and greatest, antimalware in a

ransomware software on your computer.

Yeah, there is a period of time between infection and detection and some of that

is analyzing how the software is behaving.

Some of that is sending snippets of code or heuristics to the vendor and they're

gonna sandbox it and do their analysis and then it pushes that back out as an update.

until recently, those updates took about seven to 10 days.

So you could be infected with something that the antivirus has

never seen before that could maintain, persistence on that device for seven

to 10 days before update comes.

And that's why updates are important.

The update comes and now your antivirus says, Hey, I found out that

there's this thing on this computer.

I need to clean it or quarantine it.

So that's how it used to work.

So now polymorphic code says, all right, now I know that on some

periodic basis I need to change the way I look and the way I behave,

so that even if, and I, this antivirus anti malware detected how I was

looking and behaving yesterday, the update that comes in isn't gonna

catch the way I look and behave today.

Yeah, interesting.

So hence the term polymorphic, right?

So we morphic meaning changing and poly meaning many.

So not only is it changing, it's changing multiple times, in a single deployment.

Would that be the right term,

We would call it a life

so that, that payload has a lifespan and it would do these, these changes and.

And I think we're gonna get into it in a little bit, but polymorphic

code, it's coded, it's hard coded in the malware, how often to change

the way it looks and behaves.

could you go over what you mean by looks and behaves?

is it, oh, I'm just changing my extension or my location where I'm running.

Maybe it's the footprint of the malware itself, or is there like significant

parts of the malware that change

while it's

changing it, it doesn't, the changing the extension or the

file type or, or even some of the.

The consumable content, is somewhat irrelevant to antivirus, antimalware.

those tools are looking for, file type headers, the flags that say,

even though it says it's a text file, it's an executable file.

really what the polymorphic code is doing is changing the signature of

the malware, and it doesn't take much.

for example, If I install malware and it's hard coded to communicate back

to a command and control server at a particular IP address, that is part

of the signature now of that malware.

And so when the update comes anti-malware gonna go, Hey, that file contains that

IP address for a known bad command and control, and we're gonna quarantine it.

So what the malware is hard coded to do is say, use that IP

address for the first 72 hours.

And then change it to this other IP address, increment

by one or 10, or, some math.

and that will coincide with the threat actors changing their

lease on the command and control server, or they build a new one.

and so that's an example of how that antivirus update is gonna miss the change

that this malware made, to how it behaves.

Gotcha.

So it isn't necessarily as an example, changing out the underlying, say

on a window system DLLs that it's leveraging or other things like

Oh, it could for sure.

Notepad Plus is in the news, and so maybe it's using Notepad plus.

and some of the related, file structures and support files that are associated

with Notepad puts plus, and that helps it do, the first day or two

worth of activity and then it changes its behavior to start using, the

DLLs, in Microsoft calculator or, or, maybe from the command and control.

It downloads additional modules.

And so now the file structure or the file, the malware itself has changed.

It's no longer a 150 kilowatt file.

Now it's a megabyte file, and because we've added stuff

to it, it's been rewritten.

So now, all the metadata's changed.

and there's any number of examples.

just get creative on how you can modify how a file looks and behaves.

And bad guys are doing that because.

Antivirus.

In a lot of cases, most cases, those signatures are point in time things.

And so you've got a, you've got a period of oper, of time to operate as malware

before those signatures get updated.

There's even malware that detects based on it.

It'll detect what antivirus you're using and behave differently based on that.

So if you've got trend micro versus eset versus.

McAfee or some CrowdStrike.

it will just, it will identify that first and then behave

accordingly, based on the antivirus capabilities and update schedules.

Let's go back to, when we, you were talking about Viralock.

one of the things I read about it was that it would send a document that

you were expecting, but change it so that it was actually an executable.

And this is, this is going, this is gonna happen a lot, but that

seems like something that, that the average person wouldn't fall for.

You're changing invoice dot doc to invoice doc exe.

And then people gonna click on that anyway.

some people just don't realize it and some people are just very busy, right?

So I've gotta get through a hundred invoices today, and

there's another invoice, right?

So they're just trying to do their job.

and so yeah, very often bad guys, again are taking advantage of human

nature, Right, We're just, we're too busy to be diligent.

when you're like, Hey, I expected that sort of document to come here

I'm gonna ask a dumb question

in Windows it does, it, does it have to have, do XE to be an executable?

I know there's DLLs, but don't, doesn't it have to have XE to

actually be an executable, or can it just run with anything?

So there are a few file types like, self-expanding, containers,

like a zip or a tar ball.

so there's a couple, and it doesn't have to say EXE in order to execute

like an EXE because again, I can call a file, whatever, I can call

it A DLL, and it'll look like a DLL.

Because Windows is associating the file extension with what it thinks

is necessary to open that file.

So that's why that icon changes.

But if you double click on it, windows goes, Hey, wait, I thought it was a

DLL or a text file, and I'm opening what I think is associated with

that file type and it's not working.

So file corrupted, file not readable, whatever.

Because I just changed the extension.

But if you look at the file itself in the binary, there's actually

file type flags and headers that identify it as an executable.

So you just have to know how to address that file as an

executable without double

clicking on

What I'm hearing you say is if you double click on it,

it's got the wrong, extension.

It's not gonna do the thing you want it to do, but there is a way to run it.

Okay.

All right.

So if I think though about polymorphic ransomware.

Isn't a lot of ransomware implementations where you're downloading modules from

command and control servers, wouldn't all of those fall under this classification?

No.

so traditional, or we would call it static.

and correct me if I misunderstood your question, but, all of the

additional, so there is a, the point of polymorphic or metamorphic, which

I think we'll get to in a minute, is to, evade detection and built in.

There is also sometimes a capability of disabling antivirus because we're

now resident on the machine and, we can escalate privileges and.

Issue commands especially.

And there's vulnerabilities disclosed recently, of pretty elementary ways of

disabling windows Defender as an example.

so there's that.

then all the other files I call down, are just adding to, my base, executable.

And so it's not my executable plus five other files.

It is my base executable that's creating a new executable and in

a lot of cases, cleaning up after my, cleaning up after myself.

Gotcha.

it's always evolving, if

yep.

And one other thing to add about, vi lock is, that made it a little

different is that as it infected other files, it replicated itself.

So it wasn't just ransomware, it was also a virus.

And so you could.

Let's say you, you paid the ransom and you decrypted all your files.

now all those files still have the virus in them and could very well just

become reinfected or communicable now,

Oh.

others that you might share those files

Communicable.

now you brought up the term metamorphic code.

how is metamorphic versus polymorphic?

So polymorphic is primarily hard-coded changes.

this is going to happen in 24 hours.

This is gonna change from this to that.

Metamorphic does its own like almost AI analysis of what needs to change and it

does it when it thinks it's necessary.

So metamorphic is actually a lot more scary than polymorphic.

Interesting.

and is there.

An understanding of like how common either of those two types are.

Polymorphic iss probably pretty common 'cause that's just easy to do.

Metamorphic is like nation state, CIA scary stuff, so probably pretty prevalent.

You just, we just don't know about it.

Do you have an example of a metamorphic ransomware attack out there?

And it's okay if you don't off the top of your head.

I don't.

Okay.

Okay.

When, like nothing like VE lock, like not a tool like VE lock.

I'll keep thinking about it as we

talk, but, I, I've got scenarios in mind without necessarily

any identifiable names to put

on it.

With the stuck net.

which?

Which is the

one

Stuck Stucks nut was hard coded.

Okay.

so that was polymorphic.

even, Like some of the other ransomware, like the hit target, it was hard coded

to look for point of sale systems it would move from one asset to the other.

Cleanup after itself behave a little different, hard coded.

Yep.

Yeah, I could just see, I could just see the malware like

crawling through the thing.

Are you a point of sale system?

Nope.

I have I have a conceptual example of metamorphic code and it was

called the Frankenstein virus.

It was developed, I'm having trouble remembering his name, but it was developed

out of the University of Texas at Dallas.

Oh.

And essentially what it would do is a framework would be downloaded that

completely harmless, like nothing would think this framework was an

issue at all, but as this framework executed, it would look for resources.

it would feed off the land.

So what software, what applications, what DLLs do you have on this computer?

And it would assemble its malware based on what's available to it.

That's crazy.

be an example of metamorphic, but I don't think that made it out of the lab.

Yeah, and I'm guessing with a lot of the AI stuff, we might

see more of this in the future.

Yep.

making, making mean people smarter, but being stupid.

something in the research that came up something called a waterhole attack.

Mike, is this, does that, is that relevant in this discussion?

It is.

And so it, it's similar to that one,

to many strategy that bad guys have.

what's my least, level of effort that results in the largest possible gain?

And looking for opportunities to attack victims in, in how they collaborate.

So Microsoft Teams, zoom, WebEx, slack, SharePoint, all of those are

what we would consider Waterholes.

We, we go to those things to, interact with coworkers, update documents,

share documents, store documents.

So if I can compromise that water hole, then I've got a, I've got a

larger pool of potential victims.

if I can infect that one, that one file in SharePoint, that everybody like

time, here's the time sheet template or the expense template, right?

I'm gonna go infect that.

So now everybody downloads that to do their time sheets in their

expenses, and I'm infecting everybody that opens that template.

Is that because they're, there are, they're using like macros?

Is that what you're talking about there?

It could be macros, it could be, you know, uh, polymorphic code.

It could be viralocker on your time sheet template.

It's just something that a whole bunch of people are accessing.

right?

That's a, that's an interesting, you want to talk about the things that

a polymorphic, piece of code does to make sure that it continues to live.

Yeah, so well, the life of polymorphic is somewhat known depending

on the antivirus that you use.

And so some of the older, traditional ones that code is only gonna live for,

a couple of weeks, if you're using

while malware is running wild in

a couple of weeks.

and I'll add to that, that single deployment of that code is a couple

of weeks, but really what happens in the real world is that code will

likely establish access that then can be multiplied into different threads.

And so this is, here's another example of a red teaming exercise that we did.

and this is a, an example of that coordinated effort among

different attack skill sets.

So one of the guy on our team, our chief engineer, knew how to write malware.

I know how to break into buildings and social engineer people.

another guy is on our team.

we call him the ghost 'cause no one ever remembers seeing him.

so very good social engineer, but also very technical.

So he and I together infiltrated a physical building, social engineered

employees as if we were from it.

So I was dressed like this with a certain tie, and so I was the IT manager.

And he just had a polo shirt on and, with, slacks.

And so he was the IT engineer and together we, I had my cup of coffee and

my clipboard and together we presented a level of legitimacy and confidence

and we just started asking people, Hey, before you leave today, it looks

like you're getting ready to leave.

We just need to run an inventory application on your machine

because we're doing some upgrades to make things work better.

We all want things to work better.

I don't need your password or anything.

I just don't log off yet.

with their current session, active, plug in a self deploying USB drive, that would

create a shell, a reverse shell from that workstation all the way back to our chief

engineer sitting at the hotel saying, all right, got one, move to the next desk.

And so that malware and that thread lived on that computer for a week.

But we would do that, 20 to 50 times.

And.

The reason you do that persistence, that multi-threaded persistence is because

antivirus and most computers don't all do the same thing at the same time.

So a week from now when antivirus signatures update to catch our

malware, we would see those persistent threads start to drop, right?

But because we have access to that computer, we've already got the next

payload ready, and so we deploy our next.

Payload to one of those active threads, and then it spreads backwards to the other

machines that were previously compromised.

So now we get our threads back because we managed to change

the signature of our malware.

And so even though the

malware may only last a week or two, because I have access to the environment,

I just need to deploy a new, a fresh copy that the antivirus hasn't seen before and

restart the clock on another week or two.

So it's basically like trying to play whack-a-mole.

So as someone who's trying to defend against this, what do you do?

Like it seems like you're never going to stay ahead of them.

So

I.

but all of those things, are identifiable if you have a baseline.

the way that malware works.

If you have a baseline, you can start to look for deviations from that baseline.

So that's your perimeter IP addresses.

You're connected to data volume, network protocols being used,

File access patterns.

ingress, egress, ingress egress, file integrity.

So who touched it?

What did they do?

network and endpoint behavior.

User behavior.

All of those things you can baseline and start to track deviations

if you have the right tools.

And bad guys know, a lot of people don't have the tools.

And even if you did, there's a subset of people that do that's that, that,

that don't look at it 24 hours a day.

Yeah, so

what's interesting about that, that, engagement I was describing where we

deployed all that ransomware, we did.

We did a ton of different things.

We had thir 12 objectives to achieve, and they gave us like

180 days to achieve 12 objectives.

We achieved 11 objectives in seven days,

Wow.

and then we spent the rest of the time helping them, identify the

problems and fix the problems.

But one of the problems, and this goes back to the behavior, is because we

had access and one of our objectives was to exfiltrate a lot of data.

And we decided to do a little bit to achieve the objective and then do a lot to

see how much it would take to get caught.

And in the debrief, we were talking to the firewall admin and

said, look, do you review your firewall logs and your bandwidth?

And he is yeah, every morning I come in, I said, okay, the other

day we pegged your bandwidth.

what did you think about that?

He said, I thought it was weird.

But then the next day when I came in and it was still pegged,

I just thought it was normal.

yeah, you're can't help you buddy.

so what you're talking about there is shifting from pattern, like file pattern

recognition to behavioral, recognition.

I'm not shifting to it.

But adding, so

security's all about layers.

What, how many things can I put between me and the bad guys so that I can

identify things faster and respond faster before they get to what they

want or they spread and so yeah.

It's like when I build a house, do I just need a yard?

it'd be nice to have a sidewalk and a curb.

It may be a fence, right?

So it's all those things that are gonna help me determine when someone

comes off the street towards my house.

So it can detect things like the, the, it can detect just weird stuff

like you talked about a mass upload tra, a mass upload of traffic.

It could also obviously detect, a lot of encryption going on.

what other

But it could, it could,

might it notice?

it could also be, over the last six months, Curtis

does not work after 6:00 PM.

He does not log in, or if he does, he, this is what he does.

he has this behavior during this period of

time and this behavior during another period of time.

And that could be during the day, it could be the weekends.

you open Microsoft Word, you open the internet.

but today you opened Excel and Notepad and you went to 50 websites, and those

could

Notepad.

Those could all be harmless activities, but they'll be flagged

as a deviation from normal behavior,

and that's

how you get ahead malware, not because

it's identified as truly suspect.

It's identified as a deviation.

I don't work after four, by the way, just for the record,

but.

That's five o'clock.

I know in one of the previous points you discussed sort of these

tools, Curtis, I think at some point we're gonna have a podcast episode,

maybe talking about some of these

yeah, Of the various tools.

Yeah.

Yeah.

Can't cover everything in one episode or even 10 episodes.

It's a lot.

It's a lot to cover.

so in this topic of polymorphic ransomware and also metamorphic ransomware, can

you think of anything that we haven't covered that you think is important?

So one of the things that.

It is important to security cybersecurity specifically.

'cause cybersecurity impacts everything.

if it turns on and has value it, cybersecurity has a, there's a risk to it.

So we're also limited.

from a defense perspective, by our resources.

So that's time, money, tech people,

right?

And so one of the things that's very important to an organization or even

individuals is identify those things that are really valuable, where they are, and

invest more in protecting that thing.

and then start to, pull away from that to add layers as resources become available.

But if you don't, if you don't identify or you don't know where the important things

are and you just decide to blanket, cover everything, if you had a hundred computers

and your budget's, a thousand dollars and that's $10 a computer, nine out of

10 of those aren't as important and you could have invested more, in capabilities

and recoverability in that one computer.

Uh, and, do the kind of, the bare minimum good hygiene on the others.

But then, segmentation, hardening, good policy, good monitoring, good response.

Have a response plan, uh, good backups.

what I'm hearing though is just like in, in backup and recovery,

we talk about not everything is the same from a recovery perspective.

there are applications that have a much.

A higher business value and much higher business criticality.

And so you're not gonna back up Joe's laptop the same way you buy, you

back up the primary database server.

And it sounds like the same is true of, cybersecurity.

It is.

And so yeah, your retention, classification, or even identification,

that's all risk-based, value-based approach to applying resources to protect

what you think is the most valuable.

What's gonna keep your organization running, and how fast can we

recover if something bad happens?

All right.

Mike, thank you for continuing to contribute to my cyber depression.

Hey, don't pull your hair

Yeah.

too late.

Too

late.

Yeah.

Prasanna.

Oh, too, that was hurtful right there at the end.

Anyway, thanks Prasanna.

You're welcome.

And thank you to the listeners.

That is a wrap.