In computer systems, including computer systems of any kind in electronic devices such as computers, smartphones, tablets, control equipment or the like, security is a vital issue. One of the most common classes of security attack is based on malware which is brought into the computer system by an attacker and which, if not detected and removed, can execute various kinds of malicious operations in the computer system.
For detecting such malware, malware scanning software and/or hardware is commonly available. Yet, such malware scanning software and/or hardware is typically capable of identifying only files which are themselves malware. That is, it is typically not capable of identifying malware when the malware makes use of an inherently clean file (i.e. a file which as such does not constitute malware) for its malicious purposes.
This is for example the case when an advanced persistent threat (APT) or common malware uses a clean file as a launch mechanism for itself or for a sandbox escape. The malware transports a vulnerable clean (executable) file, such as a driver or other component, to the targeted computer system and drops it there. Then the malware executes this vulnerable clean (executable) file with a payload that exploits the vulnerability, takes over the process of the vulnerable clean (executable) file and thereby runs the malware inside the clean process. Typically, this trick is used for "fileless" autostart: the malware payload exists only as a registry key which launches the vulnerable clean (executable) file, such as the driver or other component, and makes use of it by exploiting the vulnerability known to the attacker. Such a threat, i.e. malware using a clean file, cannot be detected and/or prevented by conventional malware scanning software and/or hardware, basically because the inherently clean file, taken on its own, is indistinguishable from a legitimate component and therefore cannot be detected as malware or as malware-usable.
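The following Python example is added here as an illustration and is not part of the original description nor the detection method it goes on to propose. It contrasts a pure file-hash verdict (what a conventional scanner sees) with a check that also looks at the launch context of an autostart entry, i.e. where the clean file is run from and whether it is handed a payload argument from a user-writable location. All file contents, hashes, paths, the allow-list, the trusted directories and the autostart entries are constructed for the example and do not correspond to any real product or vulnerability.

```python
"""Illustration: a clean file abused as a launcher is invisible to a file-hash
scanner but visible once the launch context (location, payload argument) is
examined. All paths, contents and autostart entries below are constructed."""
import hashlib
import ntpath


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file system: path -> contents (stand-ins, not real binaries).
FILES = {
    r"C:\Windows\System32\vendorloader.exe": b"vendor loader 1.0",
    r"C:\Users\alice\AppData\Local\Temp\vendorloader.exe": b"vendor loader 1.0",
    r"C:\Program Files\Vendor\updater.exe": b"vendor updater 2.3",
    r"C:\Users\alice\AppData\Roaming\m.exe": b"unknown blob",
}

# Hypothetical allow-list of inherently clean files, keyed by content hash.
CLEAN_HASHES = {
    sha256(FILES[r"C:\Windows\System32\vendorloader.exe"]),
    sha256(FILES[r"C:\Program Files\Vendor\updater.exe"]),
}

# Directories from which a clean component is expected to be launched
# (an assumption of this example); anything else counts as a drop location.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")

# Constructed Run-key style autostart entries: value name -> command line.
AUTOSTART = {
    "VendorLoader": r'"C:\Windows\System32\vendorloader.exe" /service',
    "Updater": r'"C:\Program Files\Vendor\updater.exe"',
    # Clean loader in its normal place, but fed a payload from a user directory.
    "Telemetry": r'"C:\Windows\System32\vendorloader.exe" /load C:\Users\alice\AppData\Roaming\p.bin',
    # Byte-identical clean loader, dropped into a user-writable temp directory.
    "DriverLoader": r'"C:\Users\alice\AppData\Local\Temp\vendorloader.exe" /service',
    "m": r"C:\Users\alice\AppData\Roaming\m.exe",
}


def hash_scan_verdict(path: str) -> str:
    """What a file-only scanner concludes about one file: it sees content,
    not context, so both copies of the loader come back 'clean'."""
    data = FILES.get(path)
    if data is None:
        return "missing"
    return "clean" if sha256(data) in CLEAN_HASHES else "unknown"


def split_command(cmd: str):
    """Split a Windows-style command line into (image path, argument list)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        image, rest = cmd[1:end], cmd[end + 1:]
    else:
        image, _, rest = cmd.partition(" ")
    return image, rest.split()


def in_trusted_dir(path: str) -> bool:
    return ntpath.dirname(path).lower().startswith(TRUSTED_DIRS)


def looks_like_path(arg: str) -> bool:
    return "\\" in arg or ":" in arg


def check_autostart(entries: dict) -> dict:
    """Return {entry name: (hash verdict, [reasons])}. Reasons are raised only
    for files the hash scanner already calls clean: exactly the case a
    file-only scanner cannot cover."""
    findings = {}
    for name, cmd in entries.items():
        image, args = split_command(cmd)
        verdict = hash_scan_verdict(image)
        reasons = []
        if verdict == "clean":
            if not in_trusted_dir(image):
                reasons.append("clean file launched from untrusted location")
            for arg in args:
                if looks_like_path(arg) and not in_trusted_dir(arg):
                    reasons.append(f"payload argument outside trusted dirs: {arg}")
        findings[name] = (verdict, reasons)
    return findings


def suspicious_entries(entries: dict) -> list:
    """Names of entries in which a clean file is being used as a launcher."""
    return sorted(n for n, (_, reasons) in check_autostart(entries).items() if reasons)


if __name__ == "__main__":
    for name, (verdict, reasons) in check_autostart(AUTOSTART).items():
        print(f"{name:13s} hash={verdict:8s} {'; '.join(reasons) or 'ok'}")
```

Running the block shows that the hash scanner returns "clean" for the loader copy dropped into the temp directory, while only the context check flags the "Telemetry" and "DriverLoader" entries; the untrusted-directory and payload-argument heuristics are deliberately simple and would need tuning against a real allow-list and real autostart locations.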
Accordingly, there is a need for enabling the detection of a malware-usable clean file or, stated differently, the detection of malware using a clean file.