1. Field of the Invention
The present invention is related to computer network security, and more particularly, to a system and method for detecting malicious program code.
2. Background Information
Increased access to the Internet has had the unintended effect of increasing the reach of software programs that capture personal information of users without their informed consent (“Spyware”) or that corrupt computers without the user's knowledge and informed consent (“Malware”). In addition, a cottage industry has arisen in software that automatically downloads and displays advertising while an application is being used (“Adware”).
Adware primarily comes bundled with no-cost (“freeware”) or low-cost (“shareware”) programs. In the past, network administrators have used URL filters to block access to URLs in the ‘Adware’ or ‘Spyware’ category, but many still allow access to the categories the URL filter product labels ‘Shareware’, ‘Web Hosting’, etc. Thus, the network administrator can only partially protect network users from adware and spyware: the download of the hosting freeware or shareware executable is allowed, and only after installation are its outbound connections to the ad servers forbidden by the URL filter. No ads are shown, but the adware program is still installed and may cause system instability or other undesired behavior in the hosting application (and/or the web browser).
Adware and spyware can also be retrieved indirectly through so-called “downloader” malware, a small malware stub that, upon successful infection of a client, downloads the actual (and larger) malware that it is meant to run on that host. Downloaders are often spread via e-mail, but can also reach the client when a vulnerable web browser visits a prepared web site. Once more, the delayed download of the actual adware or spyware may be blocked, but the initial infection is not prevented if the anti-virus vendor has not yet distributed the signatures required to detect the (possibly new) downloader variant.
In addition, access to certain URL categories, or the monitoring of such access, may be permitted in some situations but forbidden in others, depending on the host application that performs the action. For example, access to an online-banking site is legitimate when done from within the end-user's web browser, but access to, or monitoring of access to, such a sensitive site is suspicious when done from within some mobile code that the end-user downloaded. Such activity may indicate the presence of a keylogger, “password stealer” or other form of spyware.
“Mobile code” refers to any runnable program code that can be downloaded from the Internet via any web protocol and is executed on the downloading client later, either automatically (for example, a script or applet embedded in an HTML page) or manually (for example, a Windows executable downloaded by the user).
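The two situations above, the category-only URL filter that lets the shareware host through and only later blocks its ad-server traffic, and the banking-site access that is legitimate for the browser but suspicious for downloaded mobile code, can be expressed as one policy that looks at the requesting program's origin as well as the URL category. The following Python is an added illustration, not code from the patent or from any URL filter product; the category table, the process names, the log-line format and the policy rules are all assumptions constructed for the example.

```python
"""Origin-aware URL-category policy: the same destination category can be
allowed for the user's browser and flagged for downloaded mobile code.

Added example. Category table, log format, process names and rules are
constructed assumptions, not taken from the patent or any product.
"""
from dataclasses import dataclass

# Constructed stand-in for a URL filter's categorisation database.
URL_CATEGORIES = {
    "ads.example-adnet.test": "Adware",
    "track.example-spy.test": "Spyware",
    "files.example-shareware.test": "Shareware",
    "www.example-bank.test": "Online Banking",
    "www.example-news.test": "News",
}

BLOCKED_FOR_ALL = {"Adware", "Spyware"}   # classic category-only rule
SENSITIVE = {"Online Banking"}             # browser only; mobile code is flagged
BROWSER_IMAGES = {"browser.exe"}           # assumed image name of the user's browser


@dataclass
class Verdict:
    action: str    # "allow", "block", "alert" or "ignore"
    reason: str


class OriginAwareFilter:
    """Remembers which executables arrived as downloads ("mobile code") and
    judges later connections by both URL category and requesting program."""

    def __init__(self):
        self.mobile_code: set[str] = set()   # lower-cased image names

    @staticmethod
    def category_of(host: str) -> str:
        return URL_CATEGORIES.get(host, "Uncategorized")

    def on_download(self, process: str, host: str, saved_as: str) -> Verdict:
        cat = self.category_of(host)
        if cat in BLOCKED_FOR_ALL:
            return Verdict("block", f"download from {cat} site")
        # Allowed categories such as Shareware let the executable through;
        # remember it so its own later connections are judged as mobile code.
        image = saved_as.replace("\\", "/").rsplit("/", 1)[-1].lower()
        self.mobile_code.add(image)
        return Verdict("allow", f"download from {cat} site; {image} tracked as mobile code")

    def on_connect(self, process: str, host: str) -> Verdict:
        cat = self.category_of(host)
        proc = process.lower()
        if cat in BLOCKED_FOR_ALL:
            # Ads and trackers are blocked, but if the requester is already
            # installed mobile code, the installation itself was not prevented.
            who = f"installed mobile code {proc}" if proc in self.mobile_code else proc
            return Verdict("block", f"{who} contacted {cat} site")
        if cat in SENSITIVE:
            if proc in BROWSER_IMAGES:
                return Verdict("allow", f"browser access to {cat} site")
            if proc in self.mobile_code:
                return Verdict("alert", f"downloaded mobile code {proc} reached {cat} site: possible password stealer")
        return Verdict("allow", f"{proc} -> {cat}")


def process_log(lines):
    """Replay endpoint log lines through the filter and return one Verdict per line.

    Assumed line formats:
      DOWNLOAD <process> <host> <saved path without spaces>
      CONNECT  <process> <host>
    """
    f = OriginAwareFilter()
    verdicts = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[0] == "DOWNLOAD":
            verdicts.append(f.on_download(fields[1], fields[2], fields[3]))
        elif len(fields) == 3 and fields[0] == "CONNECT":
            verdicts.append(f.on_connect(fields[1], fields[2]))
        else:
            verdicts.append(Verdict("ignore", f"unparsed line: {line!r}"))
    return verdicts


# Constructed sample log: a freeware player bundled with adware is fetched
# from a Shareware site, then phones home and then touches a bank site.
SAMPLE_LOG = [
    "DOWNLOAD browser.exe files.example-shareware.test C:\\Users\\u\\Downloads\\FreePlayer.exe",
    "CONNECT FreePlayer.exe ads.example-adnet.test",
    "CONNECT browser.exe www.example-bank.test",
    "CONNECT FreePlayer.exe www.example-bank.test",
    "CONNECT FreePlayer.exe www.example-news.test",
]

if __name__ == "__main__":
    for line, v in zip(SAMPLE_LOG, process_log(SAMPLE_LOG)):
        print(f"{v.action:6} {line}\n       {v.reason}")
```

Run against the sample log, the shareware download is allowed (the category-only filter has nothing to object to), the later ad-server connection is blocked even though the adware is already installed, the browser's banking access is allowed, and the same banking destination contacted by the downloaded executable raises an alert. The rule that distinguishes the last two cases is the one a category-only filter cannot express.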
Past mechanisms for limiting the downloading of malicious mobile code have included the use of a signature-based anti-malware solution. Such a solution detects known adware or spyware programs, or programs infected with known adware or spyware. Such an approach is, however, solely a reactive measure: a new variant is not detected until a signature for it has been written and distributed.
A second approach is to forbid end-users from downloading any mobile code. Such an approach increases helpdesk calls, however, as users seek to have required program downloads whitelisted.
What is needed is a system and method for limiting the downloading of adware, spyware and malicious mobile code.