1. Field of the Invention
This invention pertains in general to computer security, and more specifically to detecting malicious code based on its behavior relating to deletion or modification of its uninstallation module.
2. Description of the Related Art
Computer systems are continually threatened by a risk of attack from malicious computer code, also known as “malware.” Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing web sites. Malicious code can spread through a variety of different routes. For example, malicious code can spread when a user inserts a disk or other infected medium into a computer system. In a network-based attack, malicious code can be transmitted to the computer as an executable program in an attachment to an electronic message. In this case, the malicious code can attack the computer when the user clicks on the attachment, or the attachment might open automatically when the user reads or previews the electronic message. In addition, malware can access and cause damage to a user's computer when a user installs new programs that are infected.
Given all of the different types of malware and mechanisms for gaining access to and infecting computers, a multitude of different detection techniques must be designed and constantly updated to protect computers today. Antivirus or security software on the computer can use techniques such as signature scanning and behavior monitoring heuristics to detect the malware. For example, various types of heuristic detection can be used to detect malware behavior where a user has installed a potentially infected application. Before damage can be done to the user's computer, the malware can be promptly removed or disarmed.
With so many detection techniques in regular use, the designers of malware are constantly evolving new methods for eluding detection. For example, malware may be designed to evade heuristic detection and to trick users into installing it by being packaged in a standard installer. Since the installer is known to the user's computer as one that typically installs legitimate software, the malware and its installation package are not detected. One example of such an evasion technique has been observed recently: a malicious executable file gains access to a computer through one of the mechanisms described above (via disk, email, etc.). The executable file stores a downloader (e.g., a VISUAL BASIC® downloader) that downloads an installation package recognized by the computer as a standard installer. Since a standard installer is used for the installation, the user recognizes the installation process as normal and unknowingly agrees to the installation of the malware. Finally, once installed and able to run on the computer, the malware deletes the uninstaller so that the user cannot later uninstall the malware. Other examples of this type of detection evasion are commonly seen, and they generally share the same features: a known installer is used to trick the user into installing malware, and the malware then uninstalls or damages the uninstaller to prevent its removal.
Thus, there is a need for a system and method for detecting the installation of these types of malware, which are designed to evade detection by using a standard installer, and for removing such malware from the computer.
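The behavior the section singles out is the installed program deleting or modifying the uninstaller that a standard installer registered for it. The following is an added illustration of how a monitor could key on that behavior; it is not the patent's implementation and not code from any product. It is a simplified simulation that replays a constructed list of file-system events (installer registers an uninstaller, later processes delete or modify it) and raises an alert only when a process other than the uninstaller itself or the original installer touches the registered uninstaller, rating the installed application tampering with its own uninstaller as the highest severity. All paths, event names and the `Event`/`InstalledApp`/`UninstallerTamperDetector` types are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    """One monitored action (assumed event shape, not a real driver API).

    For "install" events, target is the installed application's executable and
    uninstaller is the path the installer registered for later removal.
    For "delete" / "modify" events, target is the file that was touched."""
    kind: str          # "install", "delete" or "modify"
    actor: str         # path of the process performing the action
    target: str
    uninstaller: str = ""


@dataclass
class InstalledApp:
    exe: str           # installed application's main executable
    installer: str     # process that performed the installation
    uninstaller: str   # registered uninstallation module


def _norm(path: str) -> str:
    # Case-insensitive, separator-normalised Windows path used as a lookup key
    return str(PureWindowsPath(path)).lower()


class UninstallerTamperDetector:
    """Tracks registered uninstallers and flags processes that delete or
    modify them outside of a normal uninstall or upgrade."""

    def __init__(self) -> None:
        self.apps: dict[str, InstalledApp] = {}   # keyed by uninstaller path
        self.alerts: list[dict] = []

    def process(self, ev: Event) -> dict | None:
        if ev.kind == "install":
            key = _norm(ev.uninstaller)
            self.apps[key] = InstalledApp(_norm(ev.target), _norm(ev.actor), key)
            return None
        if ev.kind not in ("delete", "modify"):
            return None
        key = _norm(ev.target)
        app = self.apps.get(key)
        if app is None:
            return None                  # not a registered uninstaller: ignore
        actor = _norm(ev.actor)
        # Expected behaviour: the uninstaller removes itself during a normal
        # uninstall, or the original installer replaces it during an upgrade.
        if actor in (app.uninstaller, app.installer):
            if ev.kind == "delete":
                del self.apps[key]       # application is gone; stop tracking
            return None
        # The installed program (or a sibling in its install directory)
        # tampering with its own uninstaller is the behaviour described above.
        own_dir = PureWindowsPath(actor).parent == PureWindowsPath(app.exe).parent
        severity = "high" if (actor == app.exe or own_dir) else "medium"
        alert = {"severity": severity, "action": ev.kind, "actor": actor,
                 "uninstaller": key, "application": app.exe}
        self.alerts.append(alert)
        return alert


def run_detector(events: list[Event]) -> list[dict]:
    """Replay a sequence of events and return every alert raised."""
    det = UninstallerTamperDetector()
    for ev in events:
        det.process(ev)
    return det.alerts


# Constructed event sequence mirroring the scenario in the text (placeholder paths).
SAMPLE_EVENTS = [
    Event("install", r"C:\Windows\System32\msiexec.exe",
          r"C:\Program Files\FooApp\foo.exe", r"C:\Program Files\FooApp\uninstall.exe"),
    Event("install", r"C:\Windows\System32\msiexec.exe",
          r"C:\Program Files\BarApp\bar.exe", r"C:\Program Files\BarApp\unins000.exe"),
    # Upgrade performed by the same installer: benign
    Event("modify", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\FooApp\uninstall.exe"),
    # Normal uninstall: the uninstaller deletes itself: benign
    Event("delete", r"C:\Program Files\BarApp\unins000.exe", r"C:\Program Files\BarApp\unins000.exe"),
    # Some unrelated file in the install directory: not a registered uninstaller, ignored
    Event("delete", r"C:\Program Files\FooApp\foo.exe", r"C:\Program Files\FooApp\readme.txt"),
    # A third-party process altering the uninstaller: medium-severity alert
    Event("modify", r"C:\Users\alice\AppData\Local\Temp\dropper.exe", r"C:\Program Files\FooApp\uninstall.exe"),
    # The installed program deleting its own uninstaller: high-severity alert
    Event("delete", r"C:\Program Files\FooApp\foo.exe", r"C:\Program Files\FooApp\uninstall.exe"),
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

A real monitor would obtain the "install" events from the installer's registration of the uninstall entry and the delete/modify events from a file-system filter; the point of the example is the exclusion logic, which keeps ordinary uninstalls and upgrades quiet while still catching the self-protecting deletion the text describes.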