The rise of the Internet and networking technologies has resulted in the widespread transfer of code, data and files between computers. This material is not always what it seems to be. For example, code that is accessed on a remote machine and downloaded to a computer system can contain hostile algorithms that can potentially destroy code, crash the system, corrupt code or worse. Computer viruses also spread by infecting other programs. For example, Visual Basic for Applications, or VBA, used in Microsoft's Office suite of products, provides a portal for virus entry through malicious use of VBA. Viruses, worms and other malicious programs and code can attack VBA-compliant programs through the VBA portal. Moreover, Word or other VBA programs can, through infection by a certain type of malicious code, create a VBA virus: the malicious code may itself not be a virus but creates a virus that attacks other VBA and non-VBA programs on the user's machine as well. An early macro virus, W97M/Wazzu.A, operated by first infecting Word's default template normal.dot and spreading to each subsequent document.
Of course, malicious code is not limited to VBA compliant programs and may take many forms and infect many levels of the system's operation. Hostile, malicious and/or proscribed code, data and files (“code” as used hereinafter generally includes “data” and “files”) can infect a single computer system or entire network and so posit a security risk to the computer system or network. The user and/or administrator (generally referred to hereinafter as “user”) may wish to intercept, examine and/or control such code. The user might also wish to intercept, examine and/or control other code as well, for example, code which the user does not know to be hostile, but wishes to intercept nonetheless, for example, potentially sexually or racially harassing email, junk email, etc. This latter type of code is known hereinafter as “predetermined code”.
Antivirus or other similar packages attempt to protect the system or network from hostile, malicious, predetermined and/or proscribed code (generally referred to hereinafter as “proscribed code”). VFIND®, from CyberSoft, Inc., is one such product that protects systems and networks from proscribed code.
Antivirus programs generally use two detection methods. The first detection method checks program code against a database of known virus code. This first detection method relies on automatic scanning, such as by scheduling, and/or manual scanning of the user's programs. The second detection method checks program code by heuristics, or approximate rules. With a heuristics approach it is not necessary to update a database; however, it is necessary to understand in advance the common approaches or attacks a virus may make on a computer system in order to construct the approximate rules.
Proscribed code is constantly being created. In order for a database antivirus program to remain effective, therefore, the antivirus database must be constantly updated to include new viruses. If the antivirus program relies on heuristics, those rules must be constantly verified to ensure that new viruses are likely to be detected.
The utility of antivirus software therefore is limited because of the need to update the antivirus database and the need for constant verification of a heuristics database. Moreover, each of these methods of scanning for viral or malicious code usually presumes the code is present as a contiguous character string. Yet a malicious code creator may attempt to disguise the code by various methods so that the virus is not stored as a contiguous character string, or may otherwise disguise the code. For example, the code creator can attempt to disguise the code through a number of methods, including providing code in a piecemeal format and subsequently having a program reassemble the code. Known code disguises include encrypted viruses, which include an encrypted virus and a decryption routine in their code body; polymorphic viruses, which generate decryption routines almost at random; armored viruses; and others. Combinations of these are also used. Once the program runs the disguised code, in the form of a macro or otherwise, the code is reassembled and the virus can attack the system.
Disguised code is usually undetectable to antivirus programs because the programs do not attempt to execute the code they are scanning but rather “passively” scan the code for the presence of proscribed code. Thus the proscribed code may successfully penetrate the target system.
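The following is an added illustration, not code from the patent or from any product it names, of why a passive contiguous-string scan misses piecemeal code and how statically reassembling VBA-style string building before scanning recovers the match. The signature database, the macro text and the pattern it contains are all constructed for this example; the assignment model (only `=`, `&` and `Chr(n)`) is a deliberate simplification of VBA.

```python
import re

# Constructed signature database: name -> pattern expected as a contiguous string.
# The pattern is a placeholder for this example, not a real virus signature.
SIGNATURES = {"DEMO.SplitMacro": "DEMO_INFECT_NORMALDOT"}

# Constructed macro that builds the marker piecemeal across several statements,
# so the pattern never appears contiguously in the source text.
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim p As String
    p = "DEMO_INF" & Chr(69) & "CT_"
    p = p & "NORMAL"
    p = p & "DOT"
    Call HandlePayload(p)
End Sub'''

_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')          # target = expression
_TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|(\w+)')        # literal | Chr(n) | identifier


def passive_scan(text: str) -> list:
    """Database method from the text: each known pattern must occur as a contiguous string."""
    return [name for name, pat in SIGNATURES.items() if pat in text]


def reassemble(macro: str) -> dict:
    """Statically follow string assignments so that pieces joined with '&' or
    produced by Chr(n) become contiguous strings again. Returns variable -> value."""
    env = {}
    for line in macro.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue  # Sub/Dim/Call lines carry no string assignment in this model
        target, expr = m.groups()
        pieces = []
        for lit, code, ident in _TOKEN.findall(expr):
            if code:
                pieces.append(chr(int(code)))          # Chr(69) -> "E"
            elif ident:
                pieces.append(env.get(ident, ""))      # previously built value, "" if unknown
            else:
                pieces.append(lit)                     # quoted literal (possibly empty)
        env[target] = "".join(pieces)                  # '&' is implied between tokens
    return env


def scan_with_reassembly(macro: str) -> list:
    """Scan both the raw text and the reassembled string values."""
    built = "\n".join(reassemble(macro).values())
    return sorted(set(passive_scan(macro) + passive_scan(built)))
```

Running `passive_scan(SAMPLE_MACRO)` returns nothing, while `scan_with_reassembly(SAMPLE_MACRO)` reports the constructed signature.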
Accordingly, it is an object of the present invention to provide methods and apparatus for disguised code detection.
It is a further object to simply and efficiently detect disguised code.
It is a further object to simply and efficiently detect disguised virus code in VBA-compliant programs.
It is a further object to detect viruses in VBA-compliant programs automatically or virtually automatically so that little or no user interaction is required.
It is a further object to detect proscribed code in a network or enterprise environment.