Vol. 1 · Ed. 2026
CyberGlossary
Entry № 945

Polymorphic Malware

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Polymorphic Malware?

Polymorphic Malware: Malware that changes its on-disk appearance — typically via re-encryption or packing — for each infection, while keeping its core logic intact.


Polymorphic malware uses an encryption/packing layer and a small mutating decryptor so that every copy of the file looks different to signature-based antivirus, even though the decrypted payload is identical. This frustrates static hash-based detection and exact-byte signatures. Polymorphic engines often include random instruction reordering, junk-code insertion and variable register usage. Unlike metamorphic malware, the underlying payload is not rewritten — only its outer wrapper changes. Effective defences rely on behavioural detection, memory scanning post-unpack, YARA rules targeting decrypted strings, EDR/XDR, and machine-learning classifiers trained on dynamic features rather than file bytes alone.
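As an added illustration (not part of this glossary entry), the following Python models the outer wrapper as a toy XOR layer under a per-copy key and compares the three detection strategies named above on five simulated infections; the payload, signature and key handling are constructed placeholders, and the model varies only the key, not the decryptor stub itself.

```python
import hashlib
import random

# Constructed placeholder standing in for the constant core logic that every
# infection carries; no real malware content is used.
PAYLOAD = b"CORE-LOGIC-PLACEHOLDER: same behaviour in every copy"
# A string present only in the decrypted payload (what a YARA rule would target).
SIGNATURE = b"CORE-LOGIC-PLACEHOLDER"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def wrap(payload, key):
    """Toy model of the polymorphic outer layer: XOR the payload with a
    per-copy key and prepend the key (standing in for the decryptor stub).
    Real engines also mutate the stub itself; this model only varies the key."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + body

def unwrap(sample):
    """Recover the constant payload, as the sample does at run time and as a
    memory scanner sees it once the unpack step has finished."""
    klen = sample[0]
    key, body = sample[1:1 + klen], sample[1 + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))

def make_copies(n, seed=1):
    """Simulate n infections of the same payload under fresh 8-byte keys."""
    rng = random.Random(seed)
    return [wrap(PAYLOAD, bytes(rng.getrandbits(8) for _ in range(8)))
            for _ in range(n)]

def static_hash_detect(copies, known_hash):
    """Exact-hash blocklist: flags only copies byte-identical to the known one."""
    return [sha256_hex(c) == known_hash for c in copies]

def static_signature_detect(copies):
    """Exact-byte signature applied to the file as stored on disk."""
    return [SIGNATURE in c for c in copies]

def post_unpack_detect(copies):
    """The same signature applied to the decrypted image (post-unpack scan)."""
    return [SIGNATURE in unwrap(c) for c in copies]

if __name__ == "__main__":
    copies = make_copies(5)
    print("distinct hashes:", len({sha256_hex(c) for c in copies}))
    print("hash blocklist :", static_hash_detect(copies, sha256_hex(copies[0])))
    print("disk signature :", static_signature_detect(copies))
    print("post-unpack    :", post_unpack_detect(copies))
```

Only the post-unpack check flags every copy; the on-disk hash and byte signature miss all but the one sample they were derived from.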

Examples

  1. Storm Worm, which repackaged itself frequently to evade signature scans.

  2. Virut, a long-running polymorphic file-infector that mutated on each propagation.

Frequently asked questions

What is Polymorphic Malware?

Malware that changes its on-disk appearance — typically via re-encryption or packing — for each infection, while keeping its core logic intact. It belongs to the Malware category of cybersecurity.

What does Polymorphic Malware mean?

Malware that changes its on-disk appearance — typically via re-encryption or packing — for each infection, while keeping its core logic intact.

How do you defend against Polymorphic Malware?

Defences for Polymorphic Malware combine technical controls and operational practices: behavioural detection, memory scanning after the sample has unpacked, YARA rules targeting strings in the decrypted payload, EDR/XDR, and machine-learning classifiers trained on dynamic features rather than file bytes alone, as detailed in the full definition above.

What are other names for Polymorphic Malware?

Common alternative names include: Self-encrypting malware, Polymorphic virus.
