Polymorphic code

Polymorphic code is computer code that can change its form while still doing the same task. The program rewrites or modifies parts of its own code each time it runs. Even though the code looks different, the result of the program stays the same.

Polymorphic code is often used in computer security research and in some types of computer viruses. It can make programs harder to detect or analyze because the code is not always identical.

Polymorphic code changes its internal structure but keeps the same behavior. This usually happens by using a special part of the program called a mutation engine. The mutation engine changes instructions, adds extra code, or encrypts parts of the program.

Because of this, each version of the program may look different to a computer security scanner even though it performs the same actions.

Many polymorphic programs use these techniques:

• Encryption – The main code is encrypted and decrypted when the program runs.
• Instruction substitution – Different instructions are used that do the same thing.
• Garbage code insertion – Extra instructions are added that do not affect the program.
• Register renaming – Different processor registers are used for the same operations.

These changes make the program appear different each time it is created or executed.

Polymorphic code has both legitimate and harmful uses.

Detecting polymorphic code can be difficult^[1]. Security software often uses methods such as:

• behavioral analysis
• code emulation
• heuristic scanning

These methods look at what a program does instead of only how its code looks.

Polymorphic techniques became more widely known in the early 1990s when virus writers started using mutation engines to hide their programs. This led to the development of more advanced antivirus technologies.

Over time, computer security tools improved and began using more complex detection methods.

• Computer virus
• Malware
• Antivirus software
• Code obfuscation