Server-side polymorphism is a technique used by malware distributors in an attempt to evade detection by anti-virus software.
Regular polymorphic (literally “many shapes”) malware is malicious code which changes its appearance through obfuscation and encryption, ensuring that no two samples look the same. Although the idea of mutating malware sounds quite scary, it’s actually been used by malicious hackers since the early 1990s.
Early examples of polymorphic malicious code include the Tequila virus, SMEG (which literally stood for “Simulated Metamorphic Encryption Generator”) and Dark Avenger’s Mutation Engine (which lesser-skilled virus authors could plug into their malware to grant it the ability to be polymorphic).
As the years passed, polymorphic malware got more and more sophisticated – hoping to beat anti-virus software in one of two ways. The malware author’s hope was that we would either fail to detect all instances of their mutating code, or would false alarm on innocent code, making our detection routines more of a pain than the actual virus.
The good news is that most anti-virus software does a good job today of detecting polymorphic malware – perhaps by looking for the encrypted part of the code’s decryptor (which can itself be variable, of course), and by using other techniques.
Which is why cybercriminals grasped the idea of server-side polymorphism.
Once again, the code mutates its appearance. But the engine driving the mutation is no longer in our hands for examination – it’s hidden away on the server’s side of the website, out of our reach.
That means that the code which is run in your browser is completely different each time. If we simply tried to compare the code to previous examples of the malware we have seen, we wouldn’t get a match.
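To make that concrete, here is an added example (not code from the original article or from any anti-virus product) that compares two constructed, harmless scripts differing only in the names and values a server could regenerate per request. The samples, the keyword list and the normalisation scheme are all assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed, harmless samples: one script as a server might emit it on two
# requests, with identifiers, string contents and constants regenerated.
SAMPLE_A = '''var qzx = "hello";
function a1(b2) { return b2 + 17; }
document.title = a1(qzx.length);'''
SAMPLE_B = '''var  mmp="world!";   // served on the next request
function k9( t4 ){return t4+2048;}
document.title=k9(mmp.length);'''
# A structurally different script, to show the fingerprint still discriminates.
SAMPLE_C = '''var u = "x";
document.title = u.length * 3;'''

KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for", "while"}
TOKEN = re.compile(r'''
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<punct>[^\s\w])
''', re.VERBOSE | re.DOTALL)

def normalize(source):
    """Drop comments and whitespace, blank out literals, rename identifiers
    to ID0, ID1, ... in order of first appearance."""
    names, out = {}, []
    for m in TOKEN.finditer(source):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident" and text not in KEYWORDS:
            out.append(names.setdefault(text, f"ID{len(names)}"))
        else:
            out.append(text)
    return " ".join(out)

def exact_hash(source):
    return hashlib.sha256(source.encode()).hexdigest()

def structural_fingerprint(source):
    return hashlib.sha256(normalize(source).encode()).hexdigest()

if __name__ == "__main__":
    for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C):
        print(exact_hash(s)[:16], structural_fingerprint(s)[:16])
```

Samples A and B have different exact hashes but the same structural fingerprint, while C differs on both. This only cancels out renaming and literal changes; a server-side engine that re-encrypts or restructures the code on every request would defeat it too.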
Check out the following video by Sophos’s Chet Wisniewski, showing server-side polymorphism in action: