1. Field of the Invention
The present invention is related to computer network security, and more particularly, to a system and method for detection of and limiting the activity of malicious software programs.
2. Background Information
Increased access to the Internet has had the unintended effect of increasing the reach of software programs that capture personal information of users without their informed consent (“Spyware”) or that corrupt computers without the user's knowledge and informed consent (“Malware”). In addition, a cottage industry has arisen in software that automatically downloads and displays advertising while an application is being used (“Adware”).
Such programs, when installed on the user's computer, can eavesdrop on the user, collect sensitive information and, in some cases, take control of the user's computer. In some cases, these software programs send messages out to other computers or servers, providing a conduit for the transfer of potentially sensitive information.
The ability of such programs to communicate with the outside world via an outbound connection can be limited in some cases. For instance, on some non-Web-typical ports, such communications can be blocked at the transport layer. Other non-Web-typical protocols can be blocked at the application layer. Outbound connections established as cookies in Hypertext Transfer Protocol (HTTP) requests can be blocked by a cookie filter.
But when malicious program code such as Adware or Spyware sends back this data embedded into an HTTP data upload request, e.g. an HTTP POST request or an HTTP GET request with the uploaded data embedded as parameters into the Request URI, this upload is not distinguishable from a regular HTTP data upload request, such as, for example, when using a Search form on a web page.
One approach to preventing the transfer of data embedded into an HTTP data upload request would be to “brute force” block all HTTP POST requests. Such an approach would, by its nature, result in a large number of false-positives. In addition, such an approach would break a number of Web forms, significantly degrading the web browsing experience for users.
As noted above, an HTTP GET request can be used to transfer data embedded as parameters into the Request URI. To block this approach one would have to use a Universal Resource Locator (URL) filter to block HTTP GET requests to suspicious sites. This is, however, a reactive measure. To prevent uploads to newly registered Ad-/Spyware home server domains, a user/customer would have to also deny access to uncategorized web sites, further degrading the user experience.
What is needed is a system and method for limiting the ability of spyware, adware and malware programs to communicate effectively with remote computers or servers.