
AV Vendors Embarrassed Again

April 12th, 2007

Polymorphic viruses are not new. The first polymorphic virus was written in 1990 by Mark Washburn. You’d think that the AV vendors, with 16 years to prepare, would have been able to do something effective to counter them, and you’d think wrong. A polymorphic computer virus is one that changes itself when it reproduces. Actually, if you are an expert in the evolution of viruses you’ll also know that there are metamorphic viruses, which rewrite themselves completely (rather than just making a little change) when they reproduce, but we’re not concerned with them here. No need to go metamorphic when polymorphic is so effective.

As you will know, if you read these blog postings regularly, AV technology is a crock. It doesn’t protect its users against new viruses – the so-called “zero day threats”. I’m not sure who invented the term “Zero Day Threat”, but I’m moved to smile every time I see it written. “Zero day” means “you’re screwed”. Now if you happen to be a polymorphic virus then every day is a new “zero day” – at least it is if the AV software you are up against only uses signatures.

But, truth to tell, some AV products use “statistical pattern analysis” of the virus body to try to recognize a polymorph. Does it work? Well, it won’t work against a metamorph anyway, and it will only work against a polymorph if the polymorph doesn’t implement too many radical changes. That’s why the AV vendors went into blind panic early this year when the Storm Worm (named after Halle Berry in the X-Men, I was hoping, but not so) emerged.

When the Storm Worm (by the way, it was misnamed because it wasn’t a worm) was originally spotted on January 18th this year, it had 350 variants. Four days later, the number of slightly different versions jumped to more than 7,300. By the end of January there were more than 54,000 varieties. Worse than that, most of the variants didn’t last more than 3 hours, so if you (as an AV vendor) produced a signature, then it was irrelevant in respect of further infections before it was ever implemented. Are you getting the picture?

Last year somewhere between 80,000 and 100,000 new viruses appeared, and here’s one little polymorph that creates 54,000 new viruses in the space of thirteen days. If your AV product is signatures-only then all I’ve got to say to you is “zero day”. But actually some of its variants seem to have got past all the AV products.

The Storm Worm was actually a Trojan specifically designed for harnessing hundreds of computers into a zombie network (or botnet). By February reports were circulating that it had (probably) created a zombie network with between 20,000 and 100,000 PCs which was merrily disgorging spam across the globe. If it never got your PC then it’s quite possible that at least you got some spam, courtesy of Storm, and if it did get your PC you may even have sent spam to yourself.

Now if you had a whitelisting product installed from SecureWave, Savant Protection, AppSense, Bit9 or CA then the Storm Worm will have been less than a storm in a teacup. These products stop malware stone dead. (And I’ll not stop saying this until the world comes to its senses and starts replacing useless AV products with products that actually do protect you.)
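The argument of the last few paragraphs (variants that die within three hours versus signatures that take longer to ship, against a whitelist that never needs to know the variant) as an added simulation, not code from the original post or from any of the vendors named. The half-hour variant cadence, the six-hour signature lag, and the sample bytes are constructed assumptions; the three-hour variant lifetime is the post's own figure.

```python
import hashlib
from dataclasses import dataclass

VARIANT_LIFETIME_HOURS = 3.0  # the post's figure: most Storm variants lived under three hours
SIGNATURE_LAG_HOURS = 6.0     # assumed (constructed) delay from first sighting to signature release

@dataclass(frozen=True)
class Execution:
    t_hours: float    # when the file attempted to run
    sha256: str       # hash of the file's bytes
    malicious: bool   # ground truth, used only for scoring and for "signature exists"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

APPROVED_HASH = sha256_hex(b"constructed approved application")  # stands in for a vetted binary
APPROVED_HASHES = {APPROVED_HASH}                                  # the whitelist

def build_stream(n_variants: int, runs_per_variant: int = 3) -> list[Execution]:
    """Constructed stream: a fresh variant every half hour, each running a few times during
    its short life, plus the approved application running every four hours."""
    events = []
    for i in range(n_variants):
        born = i * 0.5
        h = sha256_hex(f"constructed variant {i}".encode())  # every copy hashes differently
        for k in range(runs_per_variant):
            events.append(Execution(born + k * VARIANT_LIFETIME_HOURS / runs_per_variant, h, True))
    for t in range(0, int(n_variants * 0.5) + 1, 4):
        events.append(Execution(float(t), APPROVED_HASH, False))
    return events

def blocklist_verdicts(events, sig_lag=SIGNATURE_LAG_HOURS) -> list[bool]:
    """Signature AV: a malicious hash is blocked only once its signature has shipped."""
    first_seen: dict[str, float] = {}
    for e in events:
        if e.malicious:
            first_seen[e.sha256] = min(first_seen.get(e.sha256, e.t_hours), e.t_hours)
    return [e.sha256 in first_seen and e.t_hours >= first_seen[e.sha256] + sig_lag for e in events]

def allowlist_verdicts(events) -> list[bool]:
    """Whitelisting: deny anything not on the approved list, however many variants exist."""
    return [e.sha256 not in APPROVED_HASHES for e in events]

def score(events, verdicts) -> dict:
    """Fraction of malicious runs blocked, and fraction of approved runs wrongly blocked."""
    mal = [v for e, v in zip(events, verdicts) if e.malicious]
    good = [v for e, v in zip(events, verdicts) if not e.malicious]
    return {"blocked_malicious": sum(mal) / len(mal), "blocked_approved": sum(good) / len(good)}

def compare(n_variants: int = 1000, sig_lag=SIGNATURE_LAG_HOURS) -> dict:
    events = build_stream(n_variants)
    return {"signatures": score(events, blocklist_verdicts(events, sig_lag)),
            "whitelist": score(events, allowlist_verdicts(events))}

if __name__ == "__main__":
    print(compare())
```

With the signature lag longer than the variant lifetime the blocklist blocks none of the malicious runs, while the whitelist blocks all of them without touching the approved application; shortening the lag to one hour still leaves the first run of every variant unblocked.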
