1. Field of the Invention
This invention generally relates to malicious software detection. More particularly, it relates to a system and method for detecting malicious software.
2. Description of the Related Art
Security threats have become increasingly able to evade conventional signature or pattern based detection techniques. In addition to viruses, additional types of malicious software (“malware”), such as zero-day attacks, targeted threats, mass variant attacks and blended threats, have become increasingly common techniques for damaging systems and accessing data. These additional types of malware use multiple secondary channels, such as active content or links embedded in a message to infiltrate computing systems.
Blended threats use active content (e.g., Java™, JavaScript™, ActiveX™, etc.) or universal resource locators (URLs) embedded within an e-mail, or other electronic message, to link a user to Web sites where malware is downloaded in the background. Some blended threats use active content embedded within the message to begin downloading malware when the user views the message in a preview pane of the user's messaging client. Conventional anti-virus products are reactive, relying on prior knowledge of the virus and a previously written virus definition or “signature” to detect the virus in the future. Because conventional virus detection techniques examine message attachments for malware, they are unable to detect malicious code embedded within the message. Similarly, web-filters examine web sites for content, not for malicious behavior, so the filters are also unable to detect these blended threats. Hence, blended threats that use a combination of channels to attack computing systems. Further, conventional malware detection techniques cannot process the embedded URLs and active content in the same context as end-user execution of the embedded content, so blended threats evade detection by using secondary channels to deliver an attack.