The present invention relates to computer programs and, in particular, to a computer program for detecting malicious programs such as computer viruses and the like.
In the interconnected world of computers, malicious programs have become an omnipresent and dangerous threat. Such malicious programs include “viruses”, programs attached to other programs or documents that activate themselves within a host computer to self-replicate and attach to other programs or documents for further dissemination. “Worms” are programs that self-replicate to transmit themselves across a network. “Trojan horses” are programs that masquerade as useful programs but contain portions that attack the host computer or leak data. “Back doors” are programs that open a system to external entities by subverting local security measures intended to prevent remote access and control via a network. “Spyware” is a program that transmits private user data to an external entity.
Methods for detecting malicious programs may be classified as dynamic or static. In dynamic methods, the suspected program is executed in a “sandbox”. A sandbox is a safe execution area created in a computer that uses hardware and/or software to prevent the executing program from harmful interaction with the computer and to monitor attempts at such interaction, such as writing data outside of a predefined memory area.
Static detection does not require execution of the suspected program, but instead reads and analyzes the program instructions or “code” before it is executed. One “heuristic” detection technique looks for changes in certain program locations (normally the beginning and end of the code) where the virus is likely to be attached. A second “signature” detection technique checks for known virus-specific sequences of instructions (virus signatures) inside the program. Such signature detection is effective when the virus does not change significantly over time and when multiple viruses have the same signature.
Viruses may disguise their signature by encrypting themselves using a changing encryption key so that the encrypted viral code is always different. In this case, the signature detection may be directed to signatures in unvarying decryption programs. Another method of detecting encrypted viruses executes the programs in a sandbox until they are decrypted and then detects the decrypted virus using conventional static techniques of signature analysis. This technique requires frequent scanning of the in-memory image of the program while the program executes.
Many signature-detection systems may be defeated by relatively simple code obfuscation techniques that change the signature of the virus or the decrypting code without changing the essential function of the code. Such techniques may include changing the static ordering of the instructions using jump instructions (code transposition), substituting instructions of the signature with different synonym instructions providing the same function, changing the registers used by the viral code, and the introduction of code (“dead code”) that does not modify the functionality of the virus.
Simple obfuscation may be countered by more complex search instructions, “regular expressions”, that ignore simple dead code such as no-op instructions at instruction boundaries. Also, new signatures can be developed for each different obscured version of the viral code.
More complex metamorphic viruses may evade these more sophisticated signature detection systems by changing the obfuscation specifics as the virus is propagated. Such viruses may weave the viral code into the host program, also defeating the traditional heuristic approach to finding the virus.
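The contrast between an exact byte-sequence signature and a regular-expression signature that tolerates dead code, and the register-renaming case that defeats both, as an added illustration that is not part of the patent text. The signature, the one-byte no-op, and the three code samples are constructed for the example and do not correspond to any real virus.

```python
import re

# Constructed signature: the x86 encodings of xor eax,eax ; push eax ; pop ebx.
SIGNATURE = [bytes.fromhex("31c0"), bytes.fromhex("50"), bytes.fromhex("5b")]
NOP = b"\x90"  # one-byte x86 no-op: the "dead code" the regex is allowed to skip


def exact_signature(signature):
    """Plain byte-string signature: the instructions back to back, no gaps."""
    return b"".join(signature)


def naive_match(code: bytes, signature) -> bool:
    """Classic signature scan: exact substring search."""
    return exact_signature(signature) in code


def build_pattern(signature, dead_code=NOP) -> re.Pattern:
    """Regex allowing any run of dead-code bytes between the signature's instructions."""
    gap = b"(?:" + re.escape(dead_code) + b")*"
    return re.compile(gap.join(re.escape(instr) for instr in signature))


def regex_match(code: bytes, signature, dead_code=NOP) -> bool:
    """Signature scan that ignores no-ops at instruction boundaries."""
    return build_pattern(signature, dead_code).search(code) is not None


# Constructed samples (not real malware): a function prologue, the signature, and a ret.
PROLOGUE, RET = bytes.fromhex("5589e5"), b"\xc3"
CLEAN = PROLOGUE + exact_signature(SIGNATURE) + RET
# Dead-code obfuscation: NOPs inserted at instruction boundaries.
OBFUSCATED = PROLOGUE + b"\x31\xc0" + NOP * 3 + b"\x50" + NOP + b"\x5b" + RET
# Register renaming: xor ecx,ecx ; push ecx ; pop edx. Same function, different bytes,
# so neither scanner recognises it.
REGISTER_SWAPPED = PROLOGUE + bytes.fromhex("31c9") + b"\x51" + b"\x5a" + RET


def scan_all(signature=SIGNATURE):
    """Run both scanners over the samples; returns {name: (naive_hit, regex_hit)}."""
    samples = {"clean": CLEAN, "dead_code": OBFUSCATED, "register_swap": REGISTER_SWAPPED}
    return {name: (naive_match(c, signature), regex_match(c, signature))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (naive, rx) in scan_all().items():
        print(f"{name:14s} naive={naive!s:5s} regex={rx!s}")
```

The regex recovers only the NOP-padded variant; the register-renamed variant requires a new signature or a semantic analysis that looks past the concrete bytes.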