Polymorphic & Metamorphic - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki
Polymorphic and metamorphic malware are two of the most advanced forms of self-modifying malware. Their authors use code mutation so that each copy looks different to antivirus (AV) and endpoint detection and response (EDR) systems. Both techniques target the same weakness: detection based on static signatures, which match fixed byte patterns and therefore miss a sample whose bytes change on every replication.
Polymorphic
Polymorphic malware encrypts (or otherwise encodes) its payload with a key that changes on each replication. The core logic stays the same, but because the key differs, the encrypted body looks different in every copy. The decryption routine that unpacks the payload at run time typically stays constant, so it is the part of the sample that still carries a usable signature, and the decrypted payload itself can be matched once the routine has been emulated or the sample has run.
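The following is an added example (not code from the original wiki page) that simulates the point above with constructed data: a fixed byte string stands in for the constant decryptor stub, a one-byte XOR key stands in for the variable encryption key, and the payload is a constructed ASCII string. The stub bytes, payload and keys are all hypothetical. It shows that a signature lifted from one variant's encrypted body matches only that variant, while a signature on the unchanged stub, or a hash of the body after a static unpack, identifies every variant.

```python
import hashlib

# Constructed stand-in for the constant decryption routine (not real machine code).
DECRYPTOR_STUB = b"\x60\x31\xc9\xb1\x10\x80\x34\x0e"
# Constructed stand-in for the malware's unchanging core logic.
PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-LOGIC"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest encoding a polymorphic stub might undo."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Simulate one replication: constant stub, then the key, then the encoded body."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def body_signature_matches(sample: bytes, signature: bytes) -> bool:
    """Naive static check: a byte pattern taken from one variant's encoded body."""
    return signature in sample


def stub_signature_matches(sample: bytes) -> bool:
    """Match on what the mutation does not change: the decryptor stub."""
    return sample.startswith(DECRYPTOR_STUB)


def unpack_and_hash(sample: bytes) -> str:
    """Statically emulate the stub: read the key, decode the body, hash the result.

    Every variant decodes to the same PAYLOAD, so the hash is a stable indicator.
    """
    key = sample[len(DECRYPTOR_STUB)]
    body = xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)
    return hashlib.sha256(body).hexdigest()


def evaluate(keys):
    """Return (body-signature hits, stub-signature hits, distinct unpacked hashes)."""
    variants = [make_variant(k) for k in keys]
    # Signature lifted from the first variant's encoded body, as a naive scanner would.
    sig = variants[0][len(DECRYPTOR_STUB) + 1:][:8]
    body_hits = sum(body_signature_matches(v, sig) for v in variants)
    stub_hits = sum(stub_signature_matches(v) for v in variants)
    unpacked = {unpack_and_hash(v) for v in variants}
    return body_hits, stub_hits, len(unpacked)


if __name__ == "__main__":
    # Four constructed keys: the body signature catches 1 of 4, the stub catches all 4,
    # and all 4 decode to one identical payload.
    print(evaluate([0x11, 0x22, 0x33, 0x44]))  # -> (1, 4, 1)
```

The takeaway for a detection engineer is that the mutable encrypted body is the wrong thing to signature; the stable decryptor and the unpacked payload are the right things, which is why AV engines emulate or sandbox a sample before matching.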
Metamorphic
Metamorphic malware rewrites its own code on each infection, so every copy is structurally different but functionally the same. Unlike polymorphic malware, it does not rely on encryption: it substitutes equivalent instructions, reorders code blocks, renames registers and inserts junk code, leaving no constant decryptor to match. Detecting it therefore depends on normalizing the code back to a canonical form, or on matching behaviour rather than bytes.
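The following is an added example (not code from the original wiki page) on a constructed toy instruction set, written in text form rather than real x86. It simulates three of the rewrites named above (equivalent-instruction substitution, junk insertion and register renaming) and then shows the defender's counterpart: a normalizer that strips the junk, undoes the substitutions and renames registers by first use, so that every variant reduces to the same canonical fingerprint. The instruction syntax, the junk set and the base program are all hypothetical.

```python
import hashlib
import random

# Constructed base program in a toy ISA: "mov dst, src", "add dst, src", "xor", "nop", "ret".
BASE = [
    "mov r1, 5",
    "mov r2, 0",
    "add r2, r1",
    "ret",
]

# Semantic no-ops in this toy ISA, used as junk.
JUNK = ["nop", "mov r3, r3", "add r3, 0"]
REGS = ["r1", "r2", "r3"]


def parse(ins: str):
    """Split 'op a, b' into ('op', ['a', 'b']); operand-free instructions give []."""
    op, _, rest = ins.partition(" ")
    operands = [t.strip() for t in rest.split(",")] if rest else []
    return op, operands


def fmt(op: str, operands) -> str:
    return op if not operands else f"{op} {', '.join(operands)}"


def rename(ins: str, mapping: dict) -> str:
    op, ops = parse(ins)
    return fmt(op, [mapping.get(o, o) for o in ops])


def mutate(program, rng: random.Random):
    """Simulate one metamorphic rewrite of the program."""
    out = []
    for ins in program:
        op, ops = parse(ins)
        # Equivalent-instruction substitution: 'mov r, 0' becomes 'xor r, r'.
        if op == "mov" and ops[1] == "0":
            ins = fmt("xor", [ops[0], ops[0]])
        out.append(ins)
        # Junk insertion after roughly half the instructions.
        if rng.random() < 0.5:
            out.append(rng.choice(JUNK))
    # Register renaming: one consistent permutation for the whole copy.
    perm = REGS[:]
    rng.shuffle(perm)
    return [rename(ins, dict(zip(REGS, perm))) for ins in out]


def normalize(program):
    """Defender-side canonicalization: drop no-ops, undo substitutions, rename by first use."""
    kept = []
    for ins in program:
        op, ops = parse(ins)
        if op == "nop":
            continue
        if op == "mov" and len(ops) == 2 and ops[0] == ops[1]:
            continue
        if op == "add" and len(ops) == 2 and ops[1] == "0":
            continue
        if op == "xor" and len(ops) == 2 and ops[0] == ops[1]:
            op, ops = "mov", [ops[0], "0"]
        kept.append(fmt(op, ops))
    mapping = {}
    canon = []
    for ins in kept:
        op, ops = parse(ins)
        new_ops = []
        for o in ops:
            if o in REGS:
                mapping.setdefault(o, f"v{len(mapping)}")
                new_ops.append(mapping[o])
            else:
                new_ops.append(o)
        canon.append(fmt(op, new_ops))
    return canon


def fingerprint(program) -> str:
    return hashlib.sha256("\n".join(program).encode()).hexdigest()


def compare(n_variants: int, seed: int = 1):
    """Return (distinct raw fingerprints, distinct normalized fingerprints) over n variants."""
    rng = random.Random(seed)
    variants = [mutate(BASE, rng) for _ in range(n_variants)]
    raw = {fingerprint(v) for v in variants}
    norm = {fingerprint(normalize(v)) for v in variants}
    return len(raw), len(norm)


def all_variants_normalize_to_base(n_variants: int, seed: int = 7) -> bool:
    rng = random.Random(seed)
    base = normalize(BASE)
    return all(normalize(mutate(BASE, rng)) == base for _ in range(n_variants))


if __name__ == "__main__":
    raw_count, norm_count = compare(6, seed=3)
    print(f"raw fingerprints: {raw_count}, after normalization: {norm_count}")  # norm is 1
```

Raw hashes of the variants differ, so a byte signature on one copy says nothing about the next; after normalization all copies collapse to a single fingerprint. Real engines do the same job with instruction-level disassembly and control-flow canonicalization, or sidestep it entirely by matching run-time behaviour.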
Key differences
| Feature | Polymorphic Malware | Metamorphic Malware |
|---|---|---|
| Main Technique | Encrypts payload and changes decryption key | Rewrites and restructures its own code |
| Code Transformation | Changes appearance but core logic stays the same | Completely rewrites itself while maintaining function |
| Detection Avoidance | Avoids signature detection via encryption | Avoids detection by changing structure |
| Complexity | Easier to implement | More complex and resource-intensive |