Email-borne polymorphic malware triples


Email-borne polymorphic malware tripled in September, raising fears over the worth of traditional anti-virus technologies.

The signature-shifting forms of malicious software accounted for 72 per cent of all email-delivered malware over the month, up from 18.5 per cent in August, data showed.

Some particularly nasty types of polymorphic malware has been in circulation over the past few years. Virut is one particularly dangerous piece of software that remained in Symantec's top 10 table for malware blocked at the endpoint in September.

Anti-virus technology cannot rely on signatures and heuristics alone.

W32.Sality is another and it took the number one spot this month. Both strains are associated with botnet activity.

The biggest worry for IT departments over this kind of malware is its ability to change its encryption key. This means it can't be spotted by anti-virus products relying on signature-based detection systems.

"This is something that anti-virus technology can sometimes struggle with, and many will employ emulation techniques to allow the malware to partially run in a controlled sandbox environment," Paul Wood, senior intelligence analyst at, told IT Pro.

"The latest strains of malware identified in the Symantec Intelligence Report for September include mechanisms for changing the start-up code in almost every version of the malware, subtly changing the structure of the code and making it harder for emulators to recognise the code as malicious. Anti-virus technology cannot rely on signatures and heuristics alone."

There is something of a war of words going on in the security industry at the moment about the best protection for modern threats like polymorphic malware.

The old guard, including Symantec, have been accused of using old technologies to solve new problems. In particular, the use of database detection systems has been criticised.

Yet Symantec believes its cloud-based Insight technology is more than capable of helping block zero-day or polymorphic threats, even if it isn't truly real-time.

Insight looks at the "integrity of an executable based on knowledge of its reputation and distribution in the real-world," Wood said. Essentially, the technology still relies on past facts to determine the safety of a file, but it can get hold of those facts fairly quickly to make an assessment.

Some rivals, such as M86 Security, claim this isn't fast enough.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.