1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to detection and identification of new or modified malware components when those components have not yet been added to malware databases by anti-malware software vendors.
2. Description of the Related Art
One of the issues involved in modern anti-virus technology is the fact that anti-virus and anti-malware databases get updated with a certain delay after a new malware/virus appears. This is a particularly acute problem when multiple different malware components infect a computer at one time. For example, a typical scenario is one where a browser on a local computer is infected with a small downloader file. The small downloader file then contacts a server to download a bigger downloader file. The second downloader file then downloads a number of malware components, often between 10 and 20 distinct components. These can include malware for sending out spam, various Trojans, identity theft malware, and so on.
Of these multiple components, some are already known to anti-malware databases and anti-malware software vendors, but frequently not all of the components are known. Thus, even upon detection of infection by the malware, the anti-virus software “cures” the computer, but only of those components which are known to it. Once the “cure” is complete, the anti-malware software treats the incident as over, and computer operations proceed as before. However, those malware components that were unknown to the anti-malware software remain, often for days, performing their activities without the user being aware of it.
Accordingly, there is a need in the art for a system and method that addresses situations where multiple components infect a computer as part of a single incident, particularly those where not all of the components are recognized as malware by the anti-virus/anti-malware software.