Society has become increasingly reliant on network-accessible services. Attacks on such services are therefore regarded as significant threats. FIG. 1 illustrates one such mode of attack. In this example, a user device 102 interacts with one or more services (not shown) via a wide area network 104, such as the Internet. In the course of this interaction, a malicious entity (referred to as an item-originating entity 106) may “infect” the user device 102 with any type of undesirable item 108, e.g., by causing the undesirable item 108 to be stored in memory 110 of the user device 102. The undesirable item 108 can represent any type of content that is provided to the user device 102 without the permission of a user associated with the user device 102. In one case, the undesirable item 108 can represent instruction-bearing content, also known in the art as malware or a robot (or, more simply, a bot).
Subsequent to infecting the user device 102 with the undesirable item 108, an item-controlling entity 112 can invoke the undesirable item 108 to perform various actions. The item-controlling entity 112 can represent the item-originating entity or another malicious entity. In one case, for instance, the item-controlling entity 112 can invoke the undesirable item 108 to cause damage to any part of the user device 102. In another case, the item-controlling entity 112 can invoke the undesirable item 108 to retrieve sensitive data maintained by the user device 102. For example, the item-controlling entity 112 can access account information maintained by the user device 102 and attempt to use that information to steal funds from a user. In other cases, the item-controlling entity 112 can access data which reveals the websites visited by a user; the item-controlling entity 112 can then use this information to mount a “phishing” type of attack on a user, e.g., by impersonating the websites that the user is known to visit and then stealing sensitive data from the user. The item-controlling entity 112 can invoke the undesirable item 108 to achieve other objectives that are undesirable from the standpoint of a user associated with the user device 102.
Various mechanisms have been proposed to help counter the above-described type of threat. In one approach, a device detection and clean-up module 114 (more simply, a “clean-up module” 114) can be used by the user device 102 to scan the memory 110 of the user device 102 to determine whether it includes the undesirable item 108 (e.g., by reference to a known signature associated with this item 108). Once the undesirable item 108 is detected, the clean-up module 114 can also help remove it. A potential shortcoming of this approach is that the undesirable item 108 can be specifically designed to circumvent the safeguards provided by the clean-up module 114, thus preventing the clean-up module 114 from detecting and removing the undesirable item 108.