As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
When a computing device is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computing device; or causing the computing device to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computing device is used to infect other systems.
A traditional defense against computer malware, and particularly computer viruses and worms, is antivirus software. Generally described, antivirus software scans incoming data, looking for identifiable patterns associated with known computer malware. Also, increasingly, antivirus software is utilizing heuristic techniques that compare incoming data with characteristics of known malware. In any event, upon detecting a computer malware, the antivirus software may respond by removing the computer malware from the infected data, quarantining the data, or deleting the infected incoming data. Unfortunately, antivirus software typically works with known, identifiable computer malware. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the malware. One of the core deficiencies in this malware detection model is that an unknown computer malware may propagate unchecked in a network until antivirus software on a computing device is updated to identify and respond to the malware.
As antivirus software has become more sophisticated and efficient at recognizing thousands of known computer malware, so too have the computer malware become more sophisticated. For example, malicious computer users now encrypt malware to obscure the malware signature behind unrecognizable patterns. For example, a polymorphic malware consists of a malware decryption routine and an encrypted malware “payload.” When, a user executes an infected program, the malware decryption routine gains control of the computing device, and decrypts the previously encrypted malware payload. Then the decryption routine transfers control of the computing device to the decrypted malware payload. Each time a new target is infected, the malware replicates both the decryption routine and the malware payload. Typically, the encryption key used to encrypt the malware payload is changed when the malware is replicated. As a result, the encrypted malware has no identifiable pattern or “signature” by which the malware may be recognized by antivirus software.
When oligomorphic malware was created, antivirus software developers recognized that the decryption routine remained constant between versions of the malware. The antivirus software developers exploited this weakness by scanning not just for malware signatures, but also for specific decryption routines known to be associated with malware. In response, malicious computer users developed more sophisticated malware designed to prevent the decryption routine from being identified (hereinafter all types of malware that use techniques designed to hide a malware signature will be referred to as “obscured malware”).
FIG. 1 is a pictorial diagram illustrating one type of obscured malware known as polymorphic malware 100 that may be used to distribute a “payload.” As illustrated in FIG. 1, the polymorphic malware 100 attaches to a host program 102 and, in this instance, is illustrated as a virus 104 that includes an encryption engine 106, a polymorphic file infector 108, and a decryption routine 110. The polymorphic malware 100 encrypts a segment of the virus 104 to prevent an identifiable signature from being identified. However, the virus 104 also includes an encryption engine 106 that generates randomized encryption routines each time virus 104 propagates. When the virus 104 is launched, the polymorphic file infector 108 identifies a new target and replicates the virus 104 in computer memory. At this point, the encryption engine 106 randomly generates a new encryption routine that has little or no similarity to previously developed encryption routines. Then an encrypted copy of the virus 104 is appended to the identified target. As a result, the virus 104 is encrypted and routines used for encryption and decryption vary between infections. Without a fixed malware signature or fixed encryption routine, conventional antivirus software is unable to detect the polymorphic malware 100 as a signature is not identifiable.
In light of the above-identified problems, it would be beneficial to computer users to have software that proactively protects a computer against malware such as obscured malware.