Malicious software, also known as “malware” or “pestware”, includes software that is included or inserted in a part of a processing system for a harmful purpose. Types of malware can include, but are not limited to, malicious libraries, viruses, worms, trojans, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or the theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
There are currently a number of techniques which can be used to detect malicious activity in a processing system. One technique, employed by many antivirus vendors, is file scanning. Many malware authors protect their executable files (which contain malicious code) by packing and/or encrypting them. Antivirus vendors update their file scanners with algorithms to unpack/decrypt the packed/encrypted files so that these files can then be scanned via signature-based detection. Once malware authors discover that antivirus vendors can now successfully unpack/decrypt and therefore, detect their samples, they then develop more sophisticated packers/encryptors in order to avoid detection. Both malware authors and antivirus vendors constantly advance their algorithms in order to outsmart each other. This becomes a cyclic process, in which the first half of the cycle involves malware authors advancing their packers/encryptors which successfully carries out an attack against a user by evading the user's antivirus software with unknown packers/encryptors. In the second half of the cycle, antivirus vendors upgrade their unpackers/decryptors in order to catch these new packers/encryptors. At this point, a user is protected by their antivirus software. Unfortunately, malware authors then advance their packers/encryptors and the cycle starts again. A problem with file scanning is that there are periods of time in which a user's computer system is vulnerable to attack due to the lack of proper unpackers/decryptors or emulation support from their antivirus vendor.
A more proactive detection method attempts to overcome the situation where malware includes signatures that are unknown to the processing system or which utilise anti-emulation tricks employed by malware authors that prevent protected threats from being emulated. The proactive detection method is designed to block unknown threats by judging activity carried out by a process. The method involves placing hooks on a number of important system activities (e.g. user-mode API and kernel-mode system services) such that whenever a process attempts to call an API or a system service, the proactive detection intercepts such a call, and inspects its parameters. If it finds that the parameters are suspicious enough, it will alert the user about suspicious action that is about to happen asking the user if the requested action should be allowed or should be blocked.
A problem with current proactive detection methods is that they are prone to a high rate of false positives due to their frequent triggering on various behaviours which are associated with processes being run by legitimate software applications.
Memory scanners attempt to overcome the false positive problem by performing periodic or on-demand scanning of memory contents in the system processor in order to detect generic signatures of known threats inside the running processes. Memory scanners are not prone to false positives as they only detect known threats. Thus, if the quality of the detection signatures is high, then the risk of a false positive is very low.
However, a problem with existing memory scanners is an issue of timing. That is, when to scan memory and when to scan a particular process. When a file is loaded into memory, it is not immediately available for scanning with the generic signatures because the file needs to be unpacked to run the code within the file. The time taken to unpack the file is variable and only once the file has been unpacked is it possible to scan the file with generic signatures in order to find out if the running process is a known threat. If the file is a malicious threat, it may initiate its malicious payload immediately upon completion of unpacking. The memory scanner may only block the execution of a malicious process when it establishes the fact that the process is malicious. The only time when it can do so is when it locates the signature of a known threat in a process. The only time it locates the signature is when it performs a process scan. Thus, the only time when such process scan will detect the known threat signature is after a threat is unpacked. If the memory scanner waits until the process unpacks itself then the process will initiate its malicious payload. The problem with existing memory scanners is that they are unable to resolve the timing issue of 1) scanning a process after it is unpacked (otherwise the signature will not be found) and 2) determining (and blocking) the process before it initiates its malicious payload (otherwise it's too late).
Current memory scanning solutions do not resolve the timing issue explained above.
Therefore, there exists a need for a method, system, computer readable medium of instructions, and/or a computer program product which can efficiently determine the maliciousness of program code which addresses or at least ameliorates at least one of the problems inherent in the prior art.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.