Computer programs are certainly not without errors, or “bugs.” If it is not possible to rewrite the computer program (or to work around the bug somehow), then a software “patch” is applied to fix the bug. A patch is a small piece of software designed to fix problems with, or to update, a computer program or its supporting data. The patch fixes bugs, replaces graphics, improves performance, etc. Typically, patches are distributed as binary code instead of as source code. This type of patch modifies the program executable file—the program the user actually runs—either by modifying the executable file in place to include the patch or by completely replacing the executable file.
Patches vary in size from bytes to megabytes; replacing entire files results in larger patches, for example. Compared with the initial installation of software, patches usually do not take long to apply. In fact, to facilitate updates, computer operating systems provide for automatic updates that will either download and apply patches automatically or will ask for user permission before downloading and applying the patches. In either case, the patches are applied transparently and nearly instantaneously from the perspective of the user.
Generally, the primary goal of patching a file is to alter the file or to alter the program flow of execution. There are a few reasons why one would patch a file. One reason is to provide a quick workaround to fix a security vulnerability of the computer program. A security patch is applied to prevent exploitation of the computer program by a user or by malware, either on purpose or inadvertently. A second reason is to implement a feature request or to implement a bug fix of the target program.
Unfortunately, unscrupulous individuals and other writers of computer malware have begun using this program patching technique to automatically execute malware. In other words, malware writers and hackers are now using legitimate files to automatically execute malicious programs. For example, if a hacker modifies a few crucial bytes of a legitimate file (e.g., the operating system file “user32.dll”), much as a software patch would, then executing this legitimate file will eventually cause invocation of a malware program. In layman's terms, this technique can be described as malware “piggy-backing” on a legitimate file.
A technique is desired to detect such an illegal software patch and to restore a file that has been patched in this fashion.
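The detection-and-restore idea described above, as an added illustration that is not part of the original text: a file is compared against a baseline (size and SHA-256) recorded from a trusted copy, the exact byte runs that were altered are located, and the trusted copy is returned for write-back. The baseline, the trusted copy, and the tampered sample are all constructed here; the function and variable names are assumptions for the example.

```python
import hashlib

# Constructed stand-in for a legitimate executable. In practice the baseline
# would be recorded from a trusted copy (e.g. at install time or from vendor hashes).
TRUSTED_IMAGE = bytes(range(256)) * 4  # 1024 bytes of deterministic content
BASELINE = {"sha256": hashlib.sha256(TRUSTED_IMAGE).hexdigest(), "size": len(TRUSTED_IMAGE)}

def is_intact(image: bytes, baseline: dict) -> bool:
    """Integrity check: both the size and the SHA-256 must match the recorded baseline."""
    return (len(image) == baseline["size"]
            and hashlib.sha256(image).hexdigest() == baseline["sha256"])

def modified_ranges(trusted: bytes, image: bytes) -> list:
    """Locate byte runs that differ from the trusted copy, as (offset, length) pairs.
    A patch that changes "a few crucial bytes" shows up as one or two small ranges;
    a size change is reported as a final range covering the appended or truncated tail."""
    ranges, start = [], None
    n = min(len(trusted), len(image))
    for i in range(n):
        if trusted[i] != image[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(trusted) != len(image):
        ranges.append((n, abs(len(trusted) - len(image))))
    return ranges

def inspect_and_restore(image: bytes, trusted: bytes, baseline: dict) -> dict:
    """Report whether the image was patched; 'restored' holds the bytes to write back."""
    if is_intact(image, baseline):
        return {"tampered": False, "ranges": [], "restored": None}
    # Never restore from a copy that itself fails the baseline check.
    if not is_intact(trusted, baseline):
        raise ValueError("trusted copy does not match baseline; refusing to restore from it")
    return {"tampered": True, "ranges": modified_ranges(trusted, image), "restored": trusted}

def constructed_tampered_image() -> bytes:
    """Constructed sample: the trusted image with 4 bytes overwritten at offset 0x1F0."""
    img = bytearray(TRUSTED_IMAGE)
    img[0x1F0:0x1F4] = b"\xff\xff\xff\xff"
    return bytes(img)
```

The byte-range report is what distinguishes a small in-place patch from a wholesale file replacement, which appears as one range spanning most of the file.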