1. Field of the Invention
The present invention relates to computer viruses. More specifically, the present invention relates to a method and an apparatus for detecting a macro virus in a computer system by statically analyzing macro operations in a document to determine whether the macro operations give rise to security violations in the computer system.
2. Related Art
The advent of computer networks has led to an explosion in the development of applications that facilitate rapid dissemination of information. For example, electronic mail is becoming the predominant method for communicating textual and other non-voice information. Using electronic mail, it is just as easy to send a message to a recipient on another continent as it is to send a message to a recipient within the same building. Furthermore, an electronic mail message typically takes only a few minutes to arrive, instead of the days it takes for surface mail to snake its way along roads and through airports.
While applications such as electronic mail facilitate rapid dissemination of information, they can also act as a conduit in spreading computer viruses between computer systems. If designed properly, a computer virus can spread itself between millions of computer systems that are linked together through computer networks in only a few short hours. Once a computer virus infects a computer system, it can perform malicious actions, such as destroying important data, causing the computer system to fail or monopolizing computer system resources. Computer viruses can also tie up computer networks by generating large numbers of communications that spread the computer virus.
As developers of computer viruses have become more sophisticated, they have generated new forms of computer viruses. In particular, macro viruses have recently caused a great deal of trouble. In March of 1999, a macro virus, known as the “Melissa virus,” rapidly spread to millions of computer systems worldwide, causing hundreds of millions of dollars in lost productivity, and snarling computer networks with large volumes of email traffic.
Macro viruses, such as the Melissa virus, operate by exploiting macro operations that often appear within documents used by applications, such as word processors. For example, macro operations are supported by the “Microsoft Word” word processor program, which is distributed by the Microsoft Corporation of Redmond, Wash. Historically, macro operations have been used to perform operations on the documents in which they appear. However, macro operations are becoming increasingly more powerful, and they are presently able to perform actions such as sending electronic mail and deleting files. In particular, the Melissa virus is contained within a Microsoft Word document that is attached to an email message. When a user opens the Word document, the macro operations within the Word document cause 50 copies of the email message to be sent to email addresses retrieved from an address book on the infected computer system.
A number of techniques are presently being used to detect computer viruses. Commonly used virus scanners perform pattern matching on code to determine whether a known virus is present in the code. Pattern matching is a very simple technique, and leads to a very low false alarm rate. However, pattern matching is unable to detect new viruses.
Another technique is to emulate the code in an insulated environment, to determine whether the code performs malicious actions. Unfortunately, emulation can be very time-consuming, and it is impossible to exhaustively emulate every pathway through the code.
What is needed is a method and an apparatus that is able to detect new macro computer viruses without the time-consuming processing involved in emulation.
One method for locating suspect macro operations is disclosed in U.S. Pat. No. 5,951,698, entitled “System, Apparatus and Method for the Detection and Removal of Viruses in Macros,” by Chen, et al. This method operates by scanning through a document looking for suspect macro operations. Unfortunately, more information is often required in order to determine whether a macro operation is suspect. For example, a macro operation that writes to a file may not be suspect by itself, but if the macro operation writes to a system configuration file it is suspect. In order to determine which file a macro operation writes to, it is typically necessary to determine the value of a “filename” variable. This variable value cannot be determined from simply examining the macro operation: more analysis is required.
Additionally, what is needed is a method and an apparatus that is able to detect new macro computer viruses based upon values of variables within the macro operations.
One embodiment of the present invention provides a system that detects a macro virus in a computer system by statically analyzing macro operations within a document. The system operates by receiving the document containing the macro operations. The system locates the macro operations within the document, and performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations. Next, the system compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations. If so, the system informs a user that the document contains suspect macro operations.
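To illustrate the flow analysis and profile comparison described above, together with the “filename” variable problem from the related art, here is an added Python example that is not part of the patent: a toy forward data-flow pass over a constructed VBA-like macro resolves string variables by constant propagation, then checks each file operation against a hypothetical profile in which a write is suspect only when its resolved path lies under a system directory. The sample macro, the profile and the statement patterns are all assumptions, and control flow (branches, loops) is deliberately ignored.

```python
import re

# Constructed sample macro in VBA-like syntax (example input, not from the page).
SAMPLE_MACRO = """
Sub AutoOpen()
    dir = "C:\\Windows\\"
    name = "win.ini"
    path = dir & name
    Open path For Output As #1
    note = "C:\\Temp\\notes.txt"
    Open note For Output As #2
    Kill path
    Open note For Input As #3
End Sub
"""
# Hypothetical profile: a predicate over the resolved argument decides "suspect".
SUSPECT_PROFILE = {
    "write": lambda path: path.lower().startswith("c:\\windows\\"),
    "kill": lambda path: True,            # deleting any file is suspect
}
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
STMT = re.compile(r"^\s*(Open|Kill|Shell)\s+(.+?)(?:\s+For\s+(\w+)\s+As\s+#\d+)?\s*$", re.I)

def evaluate(expr, env):
    """Resolve a string expression built from literals, known variables and '&'."""
    parts = []
    for p in (t.strip() for t in expr.split("&")):
        if len(p) > 1 and p[0] == '"' and p[-1] == '"':
            parts.append(p[1:-1])
        elif env.get(p) is not None:
            parts.append(env[p])
        else:
            return None                       # value not determinable statically
    return "".join(parts)

def analyze(source):
    """Forward data-flow pass over straight-line macro code; returns findings."""
    env, findings = {}, []
    for line in source.splitlines():
        if m := ASSIGN.match(line):
            env[m.group(1)] = evaluate(m.group(2), env)   # record the data-flow fact
            continue
        if not (m := STMT.match(line)):
            continue
        op, arg, mode = m.group(1).lower(), evaluate(m.group(2), env), m.group(3)
        if op == "open":                      # only output modes count as a write
            op = "write" if (mode or "").lower() in ("output", "append") else "read"
        check = SUSPECT_PROFILE.get(op)
        if check and arg is None:
            findings.append((op, None, "unresolved"))    # conservative: report it
        elif check and check(arg):
            findings.append((op, arg, "suspect"))
    return findings
```

Running analyze(SAMPLE_MACRO) reports the write to win.ini and the Kill as suspect, leaves the write and read of the temp file unreported, and flags any operation whose argument cannot be resolved statically.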
In one embodiment of the present invention, after informing the user, the system receives instructions from the user specifying an action to take with regard to the document. In a variation on this embodiment, the action can include deleting the document or cleaning the document to remove suspect macro operations.
In one embodiment of the present invention, the profile includes information specifying suspect macro operations.
In one embodiment of the present invention, the profile includes information specifying non-suspect macro operations. In this case, all other operations are considered suspect.
In one embodiment of the present invention, performing the flow analysis involves performing data flow and control flow analysis on the macro operations.
In one embodiment of the present invention, the system informs the user by specifying a level of safety for the macro operations.
In one embodiment of the present invention, the system receives the macro operations in source code form.
In one embodiment of the present invention, the system informs the user that the macro operations can perform a suspect action, such as modifying data within another document, modifying other files in the computer system, deleting other files in the computer system, modifying operating system parameters in the computer system, exhausting a resource in the computer system, killing a process in the computer system, sending an electronic mail message to another computer system, causing a program to be run on the computer system, modifying macro operations in the document, locking a file in the computer system, and invoking a common object model (COM) object in the computer system.
In one embodiment of the present invention, the document can include a word processing document, a spreadsheet document, a presentation document, or a graphical image document.
In one embodiment of the present invention, determining whether the macro operations specify suspect behavior may include using one of the following factors: an identity of the user who is executing the macro operations in the document; an identity of an owner of an object upon which a macro operation operates; and information specifying a context in which a macro operation is called.
Note that it is possible to perform static analysis on macro viruses, because unlike other viruses which are propagated in executable code form, macro viruses are propagated in source code form, which is more amenable to static analysis.