Server-side polymorphism: How mutating web malware tries to defeat anti-virus software [VIDEO]

Potato head. Image from Shutterstock
Server-side polymorphism is a technique used by malware distributors in an attempt to evade detection by anti-virus software.

Regular polymorphic (literally “many shapes”) malware is malicious code which changes its appearance through obfuscation and encryption, ensuring that no two samples look the same. Although the idea of mutating malware sounds quite scary, it’s actually been used by malicious hackers since the early 1990s.

Early examples of polymorphic malicious code include the Tequila virus, SMEG (which literally stood for “Simulated Metamorphic Encryption Generator”) and Dark Avenger’s Mutation Engine (which lesser-skilled virus authors could plug into their malware to grant it the ability to be polymorphic).

As the years passed, polymorphic malware got more and more sophisticated – hoping to beat anti-virus software in one of two ways. The malware author’s hope was that we would either fail to detect all instances of their mutating code, or would raise false alarms on innocent code, making our detection routines more of a pain than the actual virus.


The good news is that most anti-virus software does a good job today of detecting polymorphic malware – perhaps by looking for the encrypted part of the code’s decryptor (which can itself be variable, of course), or by using other techniques.

Which is why cybercriminals grasped the idea of server-side polymorphism.

Once again, the code mutates its appearance. But the engine driving the mutation is no longer in our hands for examination – it’s hidden away on the server’s side of the website, out of our reach.

That means that the code which is run in your browser is completely different each time. If we simply tried to compare the code to previous examples of the malware we have seen, we wouldn’t get a match.
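To see why exact comparison fails, here is an added example (not from the original article or from any anti-virus product) that hashes two constructed, harmless script variants and then compares them by a normalized token skeleton instead. The sample scripts, the function names and the normalization rules are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed, harmless samples: the same script as it might be served on two
# requests, with different identifiers, string splits and whitespace.
VARIANT_A = 'var qz1 = "he" + "llo"; function a9(x){ return x + qz1; } a9("p");'
VARIANT_B = 'var  mK = "h" + "el" + "lo";\nfunction zz(t){return t+mK;}\nzz("q");'
UNRELATED = 'for (var i = 0; i < 3; i++) { console.log(i); }'

KEYWORDS = {"var", "function", "return", "for", "if", "else", "while", "new"}
# Token kinds: quoted string, identifier/keyword, number, single punctuation.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_$][\w$]*|\d+|[^\s\w]')


def exact_hash(src):
    """Byte-for-byte fingerprint: changes with any cosmetic mutation."""
    return hashlib.sha256(src.encode()).hexdigest()


def skeleton(src):
    """Reduce a script to its shape: S=string, N=number, I=identifier."""
    out = []
    for tok in TOKEN.findall(src):
        if tok[0] in "\"'":
            out.append("S")
        elif tok[0].isdigit():
            out.append("N")
        elif tok[0].isalpha() or tok[0] in "_$":
            out.append(tok if tok in KEYWORDS else "I")
        else:
            out.append(tok)
    # Treat a chain of concatenated literals as one string, so that the way
    # a literal is split across pieces does not change the skeleton.
    return re.sub(r"S( \+ S)+", "S", " ".join(out))


def structural_hash(src):
    """Fingerprint of the skeleton rather than of the raw bytes."""
    return hashlib.sha256(skeleton(src).encode()).hexdigest()


if __name__ == "__main__":
    for name, src in [("A", VARIANT_A), ("B", VARIANT_B), ("other", UNRELATED)]:
        print(name, exact_hash(src)[:12], structural_hash(src)[:12])
```

A skeleton this coarse will also match innocent scripts that happen to share the same shape, which is the false-alarm trade-off described earlier, and a mutation that changes the structure itself will still slip past it.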

Check out the following video by Sophos’s Chet Wisniewski, showing server-side polymorphism in action:



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
