7

Metamorphic code is code that outputs a semantically equivalent version of itself: https://en.wikipedia.org/wiki/Metamorphic_code

However, a polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact: https://en.wikipedia.org/wiki/Polymorphic_engine

So, is the sole difference that polymorphic code relies on some other program (polymorphic engine), while the metamorphic has this functionality built-in?

Can someone provide an example of polymorphic code either through a link or in an answer?

Thank you,

Frank C.
Shuzheng
  • 3
    Metamorphic code is a quine. It must deal with auto-reference. Polymorphic code is generated by a polymorphic engine. In short, you can think of both as two parts: a) code that changes (other) code, b) code that does the real work. The difference is only in the first part, a: for metamorphic code such a part must be able to change itself; for polymorphic code the text in parentheses must be added. Also from the same page in Wikipedia: "*This differs from polymorphic code, where the polymorphic engine can not rewrite its own code.*" – Margaret Bloom Jul 04 '16 at 13:08
  • @MargaretBloom - Thanks for your answer! Can you think of any resources showing how to write a simple polymorphic engine or metamorphic code? Googling around, it seems both topics are a bit of a taboo or somewhat unpopular. – Shuzheng Jul 04 '16 at 14:46
  • I don't, but [this answer](http://stackoverflow.com/a/11814102/5801661) has some on-topic links. Especially [this one](http://www.informit.com/articles/article.aspx?p=366890&seqNum=6). – Margaret Bloom Jul 04 '16 at 20:55

2 Answers

10

The key difference between polymorphic code and metamorphic code is whether the code that is actually executed changes or not. A polymorphic virus decrypts its code, runs that code, and then when propagating itself encrypts the decrypted code with a different key. When run on a different machine the decrypted code is the same. A metamorphic virus simply runs its code and then when propagating itself mutates its code into different but functionally identical code. The executed code is different on every machine it's propagated to.

This means that with a polymorphic virus it's possible to inspect the original unencrypted code by simply running it (ideally in some sort of safe sandbox environment) and then examining the decrypted version of the code in memory. With metamorphic code this doesn't work; the virus never generates an original version of itself.

Note that the term "polymorphic code" is confusing. Out of context, to most programmers it would mean code that is written using polymorphic types.

Ross Ridge
0

Metamorphic and polymorphic viruses are two kinds of malicious software, termed malware. Metamorphic malware is the kind that translates and changes itself, or, you could say, rewrites its code with each iteration so that it is difficult for anti-malware software to identify its signature or pattern. The longer the malware stays in a system, the more iterations it produces and the more sophisticated the iterations are, making it increasingly hard for antivirus applications to detect or defuse it. Polymorphic malware works by encrypting itself with a variable encryption key; since the keys used for encryption are different, each copy looks different. But the virus decryption routine would remain constant, and because of this static part of the code, it gets easy for an antivirus program to identify the malware.

Saeed Zhiany
Muhammad Axif
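The two detection points made in the answers above (every copy decodes to the same body, and the decryption routine stays constant), shown as an added example that is not part of the original posts. It uses constructed, inert byte strings and a single-byte XOR as a stand-in for the encryption; `STUB`, `BODY` and all function names are assumptions for illustration.

```python
import hashlib

# Constructed, inert stand-ins: neither byte string is executable code.
STUB = b"<<constant-decryptor-stub>>"   # models the fixed decryption routine
BODY = b"inert placeholder body, identical in every copy"


def make_sample(key: int) -> bytes:
    """Model one copy: constant stub + 1-byte key + body XORed with that key."""
    return STUB + bytes([key]) + bytes(b ^ key for b in BODY)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stub_signature_match(sample: bytes) -> bool:
    """Byte-pattern signature on the part that does not change between copies."""
    return STUB in sample


def recover_body(sample: bytes) -> bytes:
    """Models inspecting the decoded body in a sandbox: skip stub, undo the XOR."""
    start = sample.index(STUB) + len(STUB)
    key = sample[start]
    return bytes(b ^ key for b in sample[start + 1:])


def analyze(keys):
    """Compare three detection views over copies made with different keys."""
    samples = [make_sample(k) for k in keys]
    return {
        # Whole-file hashes: one per copy, so a hash blocklist misses new copies.
        "distinct_file_hashes": len({sha256(s) for s in samples}),
        # Signature on the constant stub: matches every copy.
        "stub_hits": sum(stub_signature_match(s) for s in samples),
        # Hash of the decoded body: a single value across all copies.
        "distinct_body_hashes": len({sha256(recover_body(s)) for s in samples}),
    }


if __name__ == "__main__":
    print(analyze([0x11, 0x5A, 0xC3]))
```

Neither the stub signature nor the decoded-body hash would hold for the metamorphic case described above, since there the executed code itself differs between copies.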