Difference Between Polymorphic and Metamorphic Virus

The main difference between a polymorphic and a metamorphic virus is that a polymorphic virus encrypts itself using a variable encryption key so that each copy of the virus appears different, while a metamorphic virus rewrites its own code to make each copy appear different without using a variable encryption key.

Malware is malicious software that is intentionally created to harm data and resources in a computer. It can disrupt the entire functionality of the computer. A virus is one type of malware. A virus replicates itself and modifies other programs by inserting its code. Polymorphic and metamorphic viruses are two types of viruses. Both are capable of changing themselves as they propagate. A polymorphic virus uses a variable encryption key to change each copy of the virus. A metamorphic virus is capable of rewriting its own code while maintaining its functionality.

Key Areas Covered

1. What is Polymorphic Virus
     – Definition, Functionality
2. What is Metamorphic Virus
     – Definition, Functionality
3. Difference Between Polymorphic and Metamorphic Virus
     – Comparison of Key Differences

Key Terms

Malware, Metamorphic Virus, Polymorphic Virus

What is Polymorphic Virus

A polymorphic virus is a complicated computer virus. It is encrypted with a variable encryption key, so each copy of the virus is different from the others. In other words, it is a self-encrypted virus designed to avoid detection by anti-virus software or scanners.

Assume that one user goes to a website and downloads an executable file. Then another user goes to the same link and downloads the same executable file. The two users receive two different files. The attack code is located inside the file. Even though the attack code is the same, it is encrypted with a different key each time. It is possible to recognize that both are the same by decrypting the attack code. Until then the two files look different, so a polymorphic virus is difficult to detect using scanners and antivirus software.
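The two-download scenario above from a scanner's point of view, as an added Python example that is not part of the original article. The body is a harmless constructed string, and single-byte XOR is an assumed stand-in for the variable-key encryption, chosen only so the example stays short.

```python
import hashlib

# Constructed, harmless stand-in for the "attack code" in the scenario above.
BODY = b"HARMLESS-DEMO-BODY: constructed marker string, does nothing"
SIGNATURE = b"HARMLESS-DEMO-BODY"  # byte pattern the scanner looks for


def make_copy(key: int) -> bytes:
    """One stored copy: the body XOR-encoded with a per-copy key (toy encoding)."""
    return bytes(b ^ key for b in BODY)


def static_scan(sample: bytes) -> bool:
    """Naive signature match over the bytes exactly as stored."""
    return SIGNATURE in sample


def decode_then_scan(sample: bytes):
    """Undo the encoding for every possible key, then match the signature.

    Returns the key that exposed the body, or None if nothing matched.
    """
    for key in range(256):
        if SIGNATURE in bytes(b ^ key for b in sample):
            return key
    return None


def compare(key_a: int, key_b: int) -> dict:
    """Summarise how two copies of the same body look to each kind of scan."""
    a, b = make_copy(key_a), make_copy(key_b)
    return {
        "hashes_differ": hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
        "static_hits": [static_scan(a), static_scan(b)],
        "decoded_keys": [decode_then_scan(a), decode_then_scan(b)],
    }


if __name__ == "__main__":
    # Two "downloads" of the same body under different keys.
    print(compare(0x21, 0x5A))
```

The hashes differ and the stored-byte scan misses both copies, while the scan that first removes the encoding matches both with a single signature.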

Polymorphic viruses can be detected using two techniques: the entry point algorithm and the generic description technology. The entry point algorithm uses a special virus detection program to check the machine code at the entry point of each file. The generic description technology runs the file on a protected virtual computer.

What is Metamorphic Virus

A metamorphic virus reprograms itself. It translates its own code into a temporary representation, edits that temporary representation, and then writes itself back as normal code. In other words, it translates and rewrites its own code so that each copy of the virus appears different.

A metamorphic virus does not use a key-based encryption method as a polymorphic virus does. When the virus creates a new copy of itself, it converts its existing instructions into functionally equivalent instructions. Therefore, no section of the virus remains constant, and the virus will not return to its original form during execution. This makes it difficult for anti-virus software to recognize it. Geometric detection and using emulators for tracing are two methods to detect a metamorphic virus.
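Why emulator tracing still works when no section of the code stays constant, as an added Python example that is not from the original article. The three-register toy instruction set, the listings and all names are constructed for illustration; a real emulator models an actual CPU and operating system.

```python
import hashlib

# Constructed listings in a made-up toy instruction set.
# VARIANT_B computes the same result as VARIANT_A with padding and
# functionally equivalent instructions; UNRELATED does something else.
VARIANT_A = [("mov", "r0", 5), ("add", "r0", 3), ("out", "r0")]
VARIANT_B = [("nop",), ("mov", "r1", 7), ("mov", "r0", 0), ("add", "r0", 5),
             ("sub", "r0", -3), ("nop",), ("out", "r0")]
UNRELATED = [("mov", "r0", 5), ("add", "r0", 4), ("out", "r0")]


def fingerprint(program) -> str:
    """Static view: hash of the listing exactly as written."""
    return hashlib.sha256(repr(program).encode()).hexdigest()


def emulate(program) -> list:
    """Run the listing in an isolated interpreter and record what it outputs."""
    regs = {"r0": 0, "r1": 0, "r2": 0}
    trace = []
    for op, *args in program:
        if op == "mov":
            regs[args[0]] = args[1]
        elif op == "add":
            regs[args[0]] += args[1]
        elif op == "sub":
            regs[args[0]] -= args[1]
        elif op == "out":
            trace.append(regs[args[0]])  # observable behaviour
        elif op != "nop":
            raise ValueError(f"unknown instruction: {op}")
    return trace


def same_behaviour(p, q) -> bool:
    """Compare two listings by what they do, not by how they are written."""
    return emulate(p) == emulate(q)


if __name__ == "__main__":
    print(fingerprint(VARIANT_A) == fingerprint(VARIANT_B))  # static match?
    print(same_behaviour(VARIANT_A, VARIANT_B))              # traced match?
    print(same_behaviour(VARIANT_A, UNRELATED))
```

The two variants share no fingerprint, yet their traces are identical, which is the property a tracing emulator relies on.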

Difference Between Polymorphic and Metamorphic Virus

Definition

A polymorphic virus is a harmful, destructive or intrusive type of malware that can change, making it difficult to detect with anti-malware programs. A metamorphic virus is a virus that is rewritten with every iteration so that every succeeding version of the code is different from the preceding one.

Functionality

A polymorphic virus encrypts itself with a variable encryption key so that each copy of the virus appears different. A metamorphic virus rewrites its own code to make it appear different each time. In other words, it changes itself from instance to instance. This is the main difference between a polymorphic and a metamorphic virus.

Writing the Virus

A metamorphic virus is considered to be more difficult to write than a polymorphic virus. The programmer has to use multiple transformation techniques.

Detection Techniques

Another important difference between polymorphic and metamorphic viruses is the detection techniques. Polymorphic viruses are detected using the Entry Point Algorithm and the Generic Description Technology. Metamorphic viruses are detected using geometric detection and by using emulators for tracing.

Conclusion

The difference between a polymorphic and a metamorphic virus is that a polymorphic virus encrypts itself using a variable encryption key so that each copy of the virus appears different, while a metamorphic virus rewrites its own code to make each copy appear different without using a variable encryption key. Both of them are difficult to identify with regular antivirus programs.


About the Author: Lithmee

Lithmee holds a Bachelor of Science degree in Computer Systems Engineering and is reading for her Master’s degree in Computer Science. She is passionate about sharing her knowledge in the areas of programming, data science, and computer systems.
