How Polymorphic Malware Evades Detection — And What to Do About It
Summary
Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently.
Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working.
If you thought keeping your antivirus updated was enough, this episode is going to change your mind.
Chapters:
00:00 – Intro
01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor
02:58 – What is polymorphic malware? The ViraLock story
05:52 – How polymorphic code changes its own signature
10:04 – Disguised executables and the human factor
12:23 – Polymorphic vs. static malware: what's the real difference?
14:15 – Metamorphic malware: nation-state-level scary
16:01 – The Frankenstein virus: a conceptual metamorphic example
16:52 – Waterhole attacks: infecting the shared file everyone downloads
18:32 – How polymorphic malware stays alive: the red team story
21:28 – Behavioral detection and baselining: how you actually fight back
26:57 – Risk-based defense: protect what matters most