By the time a signature is released for one variant, it has often already stopped circulating and has been replaced by several other variants, he said. As a result, such viruses can infect a network and remain undetected by signature-based systems, he said. Examples of polymorphic, server-side viruses include Stration/Warezov and the Happy New Year virus.
Hackers have begun employing the same techniques with self-mutating Trojan programs, said Eugene Kaspersky, founder of security vendor Kaspersky Lab. Such Trojans are planted on malicious Web sites and can mutate with every download, making them very hard to detect. The result: Each user who visits a Web site infected with such a Trojan can be infected with a different version of the same program.
Increasingly, hackers are using "special mutating technology" that allows them to inject random "junk" into Trojan program code before compiling and compressing it to create separate variants, each of which requires a separate signature to block it, Kaspersky said.
"We have to develop a special utility to extract this junk out of the malicious code, but it takes time" because each Trojan is a distinct variant, he said. So far, efforts to develop an automated tool for fighting such Trojans have proved "challenging," Kaspersky said.
An early example of a mutating Trojan was Swizzor, a Trojan download program discovered early last year that used a "packer" tool to encrypt the code and evade detection by signature-based tools. Swizzor repacked itself once per minute and recompiled itself once every hour to get past virus defenses.
The use of polymorphic code to mutate malware -- combined with encryption to evade detection -- are only a couple of the techniques being used by malicious hackers to evade signature-based tools.
Modern malware programs are also designed to split themselves into several co-dependent components once they are installed on a system, to make them harder to locate and remove. Each fragment or component keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly respawns or reinstalls it.
One example of such malware is WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them. The fragmented nature of such code makes it harder to write removal scripts and to know whether all malicious code has actually been cleaned off a computer.