Phenquestions
In spite of all the anti-virus programs in the world, the scope of malware attacks doesn't seem to slow down on the Internet and from there, to your computers. What makes some virus undetectable even by the best anti-malware software? The two things I can see are: constantly changing polymorphic virus and inability of antivirus vendors to come up with a solid technology to deal with the unknown virus.
What is a Polymorphic Virus
It is a general knowledge that malware come with variations so that the antimalware software solutions cannot detect them. When it is detected, the antimalware software solution blacklists that malware. Only a particular variation is banned because antimalware software cannot guess the malware will come back - in a different variation. If it is found, it is blacklisted by companies monitoring malware. Most antivirus relies on these blacklists to protect your computer or any other device. This is the main reason why any antimalware cannot be 100% effective.
A polymorphic virus is a piece of code that is characterized by the following behavior - Encryption, Self-multiplication and changing of one or more components of itself so that it remains elusive. It is designed to avoid detection as it is capable of creating modified, copies of itself.
Thus, a polymorphic virus is a self-encrypted malicious software that has the tendency to change itself in more than one way before multiplying onto the same computer or to computer networks. Since it changes its components properly and is encrypted, the polymorphic virus can be said to one of the intelligent malware that is hard to detect. Because by the time your anti-virus detects it, the virus has already multiplied after changing one or more of its components (morphing into something else).
The thing which stands out between normal virus and the polymorphic virus is that the latter changes its components to look like a different software before multiplying. This morphing activity makes it hard to be detected.
Read: Which was the first Windows virus?
Polymorphic virus protection
We'll need next generation antimalware… something that can think on its own. Maybe I am suggesting an antimalware solution based on artificial intelligence. A little of artificial intelligence and lots of study will help such antimalware to identify and remove polymorphic viruses.
The current forms of antivirus work either on blacklisting or whitelisting programs. We've already talked about how this form of the virus can change itself before multiplying. In this scenario, antivirus based on blacklists are not much useful because they will be able to detect only the variations that are blacklisted while the morphed form of the virus continues to infect files and other computers.
Whitelisting based antimalware are better but tedious. Since with whitelisting, you will have to whitelist every program that you wish to run on your computer, the polymorphic virus can't do anything as you won't authorize it until confused. The whitelist based antimalware are not for users of beginner level as they may authorize everything with a fear of blocking essential operating system services. But if whitelisting is used properly, this variety of virus won't be able to run because you never authorized it - even after it morphs itself.
In my personal opinion, none of the above listed two methods are good enough. There should be something that studies the programs onboard computer and sees how they behave. In the case of suspicious activities, the program auto blocks it or at least informs you that something is suspicious. You can then take a deeper look into it - to see if it is part of some program you installed or an unwanted malware.
There are some behavior-based anti-malware software, but they too study pre-defined behavior and look for pre-programmed activities. You can use them in addition to whitelisting approach to prevent the polymorphic virus.
Now read Evolution of Malware - How it all began!
