1. Field of the Invention
The invention relates generally to computer security and more particularly to detecting malicious software operating in computers and other digital devices.
2. Related Art
Malicious software, or malware for short, may include any program or file that is harmful by design to a computer. Malware includes computer viruses, worms, Trojan horses, adware, spyware, and any programming that gathers information about a computer or its user or otherwise operates without permission. Owners of the computers are often unaware that these programs have been added to their computers and are often similarly unaware of their function.
Malicious network content is a type of malware distributed over a network via websites, e.g., servers operating on a network according to Hypertext Transfer Protocol (“HTTP”) or other well-known standard. Malicious network content distributed in this manner may be actively downloaded and installed on a computer, without the approval or knowledge of its user, simply by the computer accessing the website hosting the malicious network content (the “malicious website”). Malicious network content may be embedded within objects associated with web pages hosted by the malicious website. Malicious network content may also enter a computer on receipt or opening of email. For example, email may contain an attachment, such as a PDF document, with embedded malicious executable programs. Furthermore, malicious content may exist in files contained in a computer memory or storage device, having infected those files through any of a variety of attack vectors.
Various processes and devices have been employed to prevent the problems associated with malicious content. For example, computers often run antivirus scanning software that scans a particular computer for viruses and other forms of malware. The scanning typically involves automatic detection of a match between content stored on the computer (or attached media) and a library or database of signatures of known malware. The scanning may be initiated manually or based on a schedule specified by a user or system administrator associated with the particular computer. Unfortunately, by the time malware is detected by the scanning software, some damage on the computer or loss of privacy may have already occurred, and the malware may have propagated from the infected computer to other computers. Additionally, it may take days or weeks for new signatures to be manually created, the scanning signature library updated and received for use by the scanning software, and the new signatures employed in new scans.
Moreover, anti-virus scanning utilities may have limited effectiveness to protect against all exploits by polymorphic malware. Polymorphic malware has the capability to mutate to defeat the signature match process while keeping its original malicious capabilities intact. Signatures generated to identify one form of a polymorphic virus may not match against a mutated form. Thus polymorphic malware is often referred to as a family of virus rather than a single virus, and improved antivirus techniques to identify such malware families is desirable.
Another type of malware detection solution employs virtual environments to replay content within a sandbox established by virtual machines (VMs) that simulates a target operating environment. Such solutions monitor the behavior of content during execution to detect anomalies and other activity that may signal the presence of malware. One such system sold by FireEye, Inc., the assignee of the present patent application, employs a two-phase malware detection approach to detect malware contained in network traffic monitored in real-time. In a first or “static” phase, a heuristic is applied to network traffic to identify and filter packets that appear suspicious in that they exhibit characteristics associated with malware. In a second or “dynamic” phase, the suspicious packets (and typically only the suspicious packets) are replayed within one or more virtual machines. For example, if a user is trying to download a file over a network, the file is extracted from the network traffic and analyzed in the virtual machine using an instance of a browser to load the suspicious packets. The results of the analysis constitute monitored behaviors of the suspicious packets, which may indicate that the file should be classified as malicious. The two-phase malware detection solution may detect numerous types of malware, and even malware missed by other commercially available approaches. The two-phase malware detection solution may also achieve a significant reduction of false positives relative to such other commercially available approaches. Otherwise, dealing with a large number of false positives in malware detection may needlessly slow or interfere with download of network content or receipt of email, for example. This two-phase approach has even proven successful against many types of polymorphic malware and other forms of advanced persistent threats.
In some instances, malware may take the form of a bootkit, also known as a kernel rootkit. As used herein, the term ‘bootkit’ refers to malicious code that installs itself in a boot record of the kernel of an operating system of a compromised computer without the knowledge or authority of the infected computer's user. The infected boot record may be the master boot record, partition boot record, boot loader, or volume boot record. A bootkit may actively hide its presence from administrators by subverting standard operating system functionality. Moreover, a bootkit is inherently hard to detect because it may be executed before the operating system and may subvert operating system functionality to hide its presence. For example, bootkits may be able to hook and bypass operating system routines, initialization (processor mode switch), and security checks (integrity, code-signed, etc.). Bootkits may create a hidden file system within the infected computer, in which it can hide other malware and/or copies of infected files.
Generally speaking, a bootkit functions at a fundamental level of operation of a computer, associated with the kernel of its operating system. Known operating systems communicate with an external device such as a disk controller, peripheral device and other hardware through the use of an electronic signal called an interrupt. For example, when an application sends a system call seeking to read or write to a hard disk, it issues an interrupt. Then, an interrupt handler function of the operating system normally handles and completes the interrupt. A bootkit installed in the operating system may hook (intercept) the interrupt and/or related kernel functions in order to modify the way the interrupt is handled. The bootkit may place an internal address in the system service descriptor table (SSDT) of a Windows® operating system or the system call table (SCT) of a Linux® operating system in order to handle an interrupt itself instead of the original handler. Indeed, a bootkit may modify data structures in a Windows' kernel using a method known as direct kernel object modification (DKOM). This can permit the bootkit to rewrite a portion of code of the operating system, for example, when the kernel loads to handle the interrupt. The rewritten code may allow the bootkit to bypass or modify integrity testing and other security protection mechanisms, and even bypass advanced operating protection systems, such as patch guard, and thereby remain concealed. Even full disk encryption is to no avail in protecting a compromised computer since, even if all other data on a boot-up drive is encrypted, the boot sequence located in the master boot record typically cannot be encrypted.
It has been suggested that a defense against bootkit attacks is the prevention of unauthorized physical access to the system, but this is impractical in today's networked world. Moreover, virus scanning and next generation firewall technology have not prevented advanced forms of bootkits from gaining access to operating system kernels. Recently, operating systems themselves have incorporated counter-measures to thwart the threat of bootkits. For example, 64-bit versions of Microsoft Windows implement mandatory signing of all kernel-level drivers in order to make it more difficult for untrusted code to execute with the highest privileges in a computer, and implement kernel patch protection. However, bootkits are also rapidly evolving to circumvent such counter-measures.
Further enhancement to malware detection effectiveness is desirable of course, particularly as malware developers continue to create new forms of exploits, including more sophisticated bootkits, which can have potentially serious impact on computer and network infrastructure.