The detection of viruses and other forms of malicious objects in a file can be carried out in two major ways: virus signature analysis and code analysis, although many additional methods are known in the art for this purpose.
A “Virus signature” is a unique bit pattern that a virus leaves in the infected code. Like a fingerprint, it can be used for detecting and identifying specific viruses. The major drawback of “signature analysis” is that a virus must first be detected and isolated (e.g. by comparing the infected code with the original code), and only then can the signature characteristics be distributed by the anti-virus company among its users.
In order to defeat signature analysis, the virus “author” may disguise the signature by adding non-effective machine language commands between the effective commands, thereby creating an unknown signature. Moreover, the added commands can be selected randomly. This way the virus can strike before being detected and consequently cause a great deal of damage.
Another way of detecting malicious code within an executable is by analyzing its operation. Since the malicious code is usually added at the end of the executable and the executable is changed such that the first command to be executed will be the added code, identifying such an operation pattern can serve as an indicator of malicious code. The major drawback of code analysis methods is that the analysis is not a simple procedure, and therefore a great deal of effort must be invested in order to achieve meaningful results.
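As an added illustration of the operation-pattern heuristic described above (this code is not part of the original text), the following Python walks the headers of a PE executable and reports whether the entry point falls inside the last section on disk, i.e. the pattern of appended code with a redirected entry point. The sample image it builds is constructed for the demonstration, and the flag is an indicator with known false positives (packed or unusually laid-out files), not a verdict.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic: executable


def section_of_entry_point(pe: bytes) -> dict:
    """Locate the section containing AddressOfEntryPoint and flag the
    'entry point in the last section on disk' pattern."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):                     # IMAGE_SECTION_HEADER table
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(errors="replace"),
                         vsize, va, rawsize, rawptr, chars))
    last_on_disk = max(sections, key=lambda s: s[4])  # highest PointerToRawData
    for s in sections:
        name, vsize, va, rawsize, rawptr, chars = s
        if va <= entry_rva < va + max(vsize, rawsize):
            return {"section": name, "entry_rva": entry_rva,
                    "last_on_disk": s is last_on_disk,
                    "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                    # Single-section files trivially start in their last section.
                    "suspicious": s is last_on_disk and len(sections) > 1}
    # Entry point outside every section is itself anomalous.
    return {"section": None, "entry_rva": entry_rva, "last_on_disk": False,
            "executable": False, "suspicious": True}


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed two-section PE32 header image (no real code) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data
```

Running `section_of_entry_point(build_sample_pe(0x2010))` reports the entry point in the trailing, non-executable `.data` section, the pattern the heuristic looks for, whereas an entry of `0x1000` lands in `.text` and is not flagged.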
A malicious executable which is not the result of an infection is actually a “legitimate” executable and therefore is very difficult to classify as malicious. Such an executable is referred to in the art as a “Trojan Horse”.
The term Trojan or Trojan Horse refers herein to a program in which malicious code is contained inside apparently harmless programming or data, in order to cause damage to the computer, such as ruining the file allocation table. The Trojan can either be a compiled code or a non-compiled code, e.g. a script.
Due to their nature, Trojan Horses are difficult to detect before striking. Moreover, since the malicious code of a Trojan is embedded in the program at design time, the form of the malicious code does not differ from the rest of the program. Viruses, in contrast, “infect” other programs, and therefore the structure of the added code has characteristics that distinguish it from the rest of the program.
It is therefore an object of the present invention to provide a method and system for indicating an executable as a Trojan Horse, whether the executable is compiled code or non-compiled code.
Other objects and advantages of the invention will become apparent as the description proceeds.