The Field of the Invention
The present invention relates to network security technologies, and more specifically, to mechanisms for detecting viruses by executing code associated with an electronic message in a virtual machine.
Background and Relevant Art
Computing technology has revolutionized the way people work and play and has contributed enormously to the advancement of humankind. Computers now aid in innumerable applications such as word processing, computer simulations, advanced gaming, voice recognition, among many more. With the advancement of networking technology, computing systems (and their associated users) may access and exchange information from all over the globe using any Internet-enabled computing system such as a desktop computer, a laptop computer, a Personal Digital Assistant (PDA), a mobile telephone, or the like. Accordingly, never before have so many had so ready access to so much information. Computers and networking technologies have played such a major role in our lives that recent years have been dubbed the “information age.”
E-mail and instant messaging applications, for example, allow one user to send an electronic text message to another user. Most typically, that electronic text message would be delivered much quicker than would a letter delivered via conventional postal service. It can take a matter of minutes, seconds, or potentially even just fractions thereof, to deliver an electronic text message over many miles or even between continents. Needless to say, e-mail and instant messaging have revolutionized communications and have provided a significant contribution to the quality of life for many millions of people.
One of the advantages of e-mail, for example, is that it allows for the delivery of text messages with attachments. The attachments may be of almost any type, even executable types such as “.dll” or “.exe” files or script files such as Javascript or VB script. When one selects an executable attachment, the attachment is typically executed. Executable code may also be embedded within the e-mail so as to be executed simply by opening the e-mail. For example, e-mails may now be in HyperText Markup Language (HTML) format, which permits script language to be executed when the HTML e-mail is simply opened.
Instant messaging is advantageous in that it permits rapid two-way text communications to occur much like a real-life conversation might occur. However, more recently, it has become possible to send files within instant messages. An instant message may even have an executable file or script as an attachment, or may include executable script in the text of the instant message itself.
Unfortunately, some in our society have discovered that they can inflict harm on others by sending e-mail or instant messages with associated executable code that is harmful or viral in nature, whether that code be an attachment or embedded within the e-mail or instant message. The executable code is specifically drafted such that, when executed, harm is inflicted upon the receiving computing system and/or the viral code is replicated and sent to yet other computing systems. Typically, the associated text message and/or the name of the attachment is maliciously designed to induce the user to select the attachment to thereby induce the execution of the harmful attachment. If the executable code is simply embedded in the e-mail, then mere opening of the e-mail is sufficient to cause the harm. It is anticipated that many millions, if not billions, of dollars of economic harm have been lost due to such harmful e-mail code. Also, with the rapid proliferation of instant messaging technologies, instant messaging has become an attractive target for virus authors.
Firewalls can help greatly in protecting against such attacks in some cases. Conventionally, firewalls may maintain a list of known viruses and potentially their structural characteristics. If the firewall detects electronic message code that matches these characteristics, the firewall does not allow for delivery of the electronic message. The mechanism works well for known viruses. However, new viruses are constantly being written and/or discovered. In addition, there can typically be significant time between the time that the virus is discovered and the time that the firewall is updated to protect against the new virus. Accordingly, a new virus can cause widespread harm before protective measures are put in place, even assuming the protection of a conventional firewall.
Another more dramatic approach allows system administrators to disallow the delivery of any executable attachment at all. However, there are many legitimate reasons to deliver executable attachments via e-mail. Disallowing all executable attachment deliveries would impair the meeting of such legitimate needs. Furthermore, an electronic message may still be delivered that has executable code other than in attachment form.
One conventional virus detection mechanism described by U.S. Pat. No. 6,775,780 issued Aug. 10, 2004 to Muttik (hereinafter referred to as “Muttik”) emulates and analyzes code such as that which may be associated with a received e-mail in order to estimate whether execution of the code is likely to result in malicious behavior. During the emulation process, the suspect code makes a number of system calls. These system calls are compared against profiles of system calls that are made by malicious programs. A decision on whether or not the code is malicious is made by comparing the actual system call pattern generated by emulating the code against system call patterns that are characteristic of malicious code.
However, monitoring patterns of system calls can result in an inaccurate determination as to whether or not actual malicious behavior will result. For example, some patterns of system calls may cause harm in one environment, but not in another. Furthermore, Muttik relies on knowledge of malicious system call patterns. This method has a tendency toward “false positives”, or false alarms, because innocent code could also make similar calls. Moreover, operating systems are becoming increasingly complex. As a result, there may be unknown system call patterns that result in malicious harm. This may be especially true the more complex the system call patterns, and the more complex the operating system. It may even be possible to generate viral behaviors without using system calls.
Furthermore, as newer operating systems are introduced, those newer operating systems may have different vulnerabilities to different system call patterns. Accordingly, a comparison to a single database of system call patterns (without regard for the ultimate environment in which the system calls will be made) may result in inaccurate predictions of harm or safety. This is especially true in an environment in which there may be many new versions of operating systems forthcoming. Furthermore, viral behavior may be different depending on other software configurations.
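The two weaknesses of system-call-pattern matching described above, illustrated with an added Python example that is not part of the patent: a benign installer whose call sequence matches a constructed “malicious” profile (a false positive), and a sequence whose actual harm depends on which files exist in the destination environment. All call names, paths and environments are constructed for the illustration.

```python
from typing import Dict, List, Sequence, Set, Tuple

Call = Tuple[str, str]  # (system-call name, principal argument), as an emulator might log it

# Constructed profiles: call-name sequences assumed to be "characteristic of malicious code".
MALICIOUS_PROFILES: List[List[str]] = [
    ["FindFirstFile", "ReadFile", "CreateFile", "WriteFile", "CreateProcess"],
    ["RegOpenKey", "RegSetValue", "CreateProcess"],
]

# Constructed destination environments: which files exist on each OS configuration.
ENVIRONMENTS: Dict[str, Set[str]] = {
    "os-version-A": {"C:\\system\\config.dat", "C:\\system\\drivers.dat"},
    "os-version-B": {"C:\\system\\drivers.dat"},
}

def contains_in_order(trace: Sequence[Call], profile: Sequence[str]) -> bool:
    """True if every call name in `profile` appears in `trace` in that relative order."""
    position = 0
    for name, _arg in trace:
        if position < len(profile) and name == profile[position]:
            position += 1
    return position == len(profile)

def profile_verdict(trace: Sequence[Call]) -> bool:
    """Pattern-based decision (Muttik-style): flagged iff the call pattern matches any profile."""
    return any(contains_in_order(trace, p) for p in MALICIOUS_PROFILES)

def observed_harm(trace: Sequence[Call], environment: str) -> bool:
    """Behaviour-based decision: harm counts only if it would actually occur in `environment`."""
    files = set(ENVIRONMENTS[environment])
    harmed = False
    for name, arg in trace:
        if name == "DeleteFile" and arg in files:  # destroying a file that is really present
            files.discard(arg)
            harmed = True
    return harmed

# Constructed traces. The installer and the worm produce the same call-name pattern, so the
# profile matcher cannot tell them apart; only the arguments and the target environment differ.
INSTALLER_TRACE: List[Call] = [("FindFirstFile", "setup\\*"), ("ReadFile", "setup\\app.bin"),
                               ("CreateFile", "C:\\apps\\app.exe"), ("WriteFile", "C:\\apps\\app.exe"),
                               ("CreateProcess", "C:\\apps\\app.exe")]
WORM_TRACE: List[Call] = [("FindFirstFile", "C:\\system\\*"), ("ReadFile", "C:\\system\\config.dat"),
                          ("CreateFile", "C:\\system\\x.exe"), ("WriteFile", "C:\\system\\x.exe"),
                          ("CreateProcess", "C:\\system\\x.exe"), ("DeleteFile", "C:\\system\\config.dat")]
```

The profile matcher flags both traces, while the environment-aware check reports harm for the worm only on the configuration where the deleted file actually exists.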
Accordingly, what would be advantageous are mechanisms that mitigate harm caused by viral electronic messages by accurately detecting viral behavior as it would occur in its intended destination environment, even in cases when the associated virus has not yet been identified or discovered.