Society's use of computing technology has been both helped and hindered by two trends.
The first trend is the use of connected computers, via networks and the Internet. The use of connected computers has tremendously enhanced the ability to share information. On the other hand, the use of connected computers has also tremendously enhanced the ability to spread harmful and malicious programs, such as viruses. The infamous Melissa code in early 1999 made use of the Internet to multiply and infect many computers via email. The dramatic increase in communication via email means this malicious threat will increase.
The second trend simultaneously helping and hindering the use of computers is the near-universal use of Microsoft's Office suite of products. Having information in a common format, such as Microsoft's Word, Excel, etc., helps share information. On the other hand, having information in a common format means that harmful and malicious programs spread more easily and affect more program users.
Computer viruses usually spread through infecting other programs. Programs take many forms and can be written in many languages. Microsoft's Office suite of applications presently uses a language known as Visual Basic for Applications, or VBA. Using VBA, the programmer can change virtually all the functions of any particular Office program (or other programs, such as Visio, that also implement VBA). These changes can be through an actual program or through a subroutine known as a macro, which for all intents and purposes operates like a program.
The power of VBA can be harnessed by authorized and unauthorized programmers. Essentially VBA provides a portal for entry into a VBA compliant program. Viruses, worms and other malicious programs and code can attack VBA compliant programs through the VBA portal. Moreover, Word or other VBA programs can, through infection by a certain type of malicious code, create a VBA virus: the malicious code may itself not be a virus but creates a virus. The attack by malicious code is not limited to VBA compliant programs as the malicious code can also manipulate a VBA program to affect other, non VBA programs on the user's machine as well.
A common attack by malicious code is through infection of the default global template in Word, which is a file called normal.dot. Once normal.dot is infected, each subsequent document created in Word will be infected. If copies of the infected documents are then made and provided to new users, the infection will travel with the document and infect the normal.dot template on the new user's machines. In turn, each document then created with the new user's infected normal.dot will be infected. Thus, the document itself provides a transmission medium for viruses and once infected, a document may infect every subsequent copy or revision. An early macro virus, W97M/Wazzu.A, operated in this fashion by first infecting normal.dot and spreading to each subsequent document.
Of course, malicious code is not limited to VBA compliant programs. Malicious code may take many forms and infect many levels of the system's operation.
The primary method of detecting and eliminating any viruses is through use of an antivirus program. Antivirus programs generally use two detection methods. The first detection method checks program code against a database of known virus code. This first detection method relies on automatic scanning, such as by scheduling, and/or manual scanning of the user's programs. The second detection method checks program code by heuristics, or approximate rules. Using a heuristics approach, it is not necessary to update a database; however, it is necessary to understand in advance the common approaches or attacks a virus may make on a computer system in order to construct the approximate rules.
New viruses are constantly being created. In order for a database antivirus program to be constantly effective, therefore, the antivirus database must be constantly updated to include new viruses. If the antivirus program relies on heuristics, those rules must be constantly verified to ensure that the new viruses are likely to be detected.
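The two detection methods described above, as an added example that is not part of the original text: an exact-match signature database misses a slightly altered variant until it is updated, while approximate rules still flag it. The macro fragments are constructed and non-functional (arguments elided), and the rule names and the sample label are assumptions made for illustration.

```python
import hashlib
import re

# Constructed, non-functional macro fragments (arguments deliberately elided).
KNOWN_SAMPLE = "Sub AutoOpen()\n  Application.OrganizerCopy <elided>, NormalTemplate\nEnd Sub\n"
# Same behaviour with one extra comment line: a "new" variant not yet in the database.
NEW_VARIANT = "Sub AutoOpen()\n  Rem v2\n  Application.OrganizerCopy <elided>, NormalTemplate\nEnd Sub\n"
BENIGN = "Sub FormatReport()\n  Selection.Font.Bold = True\nEnd Sub\n"

def digest(source):
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

# Method 1: database of known virus code (here, exact hashes of known macro source).
SIGNATURE_DB = {digest(KNOWN_SAMPLE): "constructed-sample-A"}

def signature_scan(source):
    """Return the database label for an exact match, else None."""
    return SIGNATURE_DB.get(digest(source))

# Method 2: approximate rules built from advance knowledge of how a macro
# virus behaves: it runs automatically, touches the global template, copies code.
HEURISTICS = {
    "auto_exec": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|AutoClose|AutoExec|Document_Open)\b",
        re.I | re.M),
    "touches_global_template": re.compile(r"\bNormalTemplate\b|normal\.dot", re.I),
    "copies_code": re.compile(r"\b(OrganizerCopy|MacroCopy|InsertLines|AddFromString)\b", re.I),
}

def heuristic_scan(source):
    """Return (suspicious, matched_rule_names)."""
    hits = sorted(name for name, rx in HEURISTICS.items() if rx.search(source))
    # Flag code that both references the global template and copies code into it.
    suspicious = {"touches_global_template", "copies_code"} <= set(hits)
    return suspicious, hits

def scan(source):
    suspicious, hits = heuristic_scan(source)
    return {"signature": signature_scan(source), "heuristic": suspicious, "rules": hits}

if __name__ == "__main__":
    for label, src in [("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT), ("benign", BENIGN)]:
        print(label, scan(src))
```

The variant is missed by the database until its hash is added, which is the update burden the text describes; the heuristic rules need no update here but only work because the template-infection approach was known in advance.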
A second method of preventing virus attacks, occasionally used in conjunction with the antivirus program method, is to disable, usually temporarily, the ability of a VBA compliant program to use macros. This disabling does not require constant updates as does an antivirus program. Of course, this disabling also prevents the user from fully utilizing the program's design.
A third method of preventing virus attacks is to password protect normal.dot, the primary template for Word, by way of a program such as Microsoft's WordProt. If a password is lost, or another user desires to use the machine without knowing the password, the password scheme fails.
The implementation difficulties of the methods set forth above are magnified when network and enterprise-wide implementation of VBA compliant programs is attempted. Possible email and other computer to computer communication in such an environment, with the attendant viral infection possibilities, can be overwhelming.
Accordingly, it is an object of the present invention to simply and efficiently detect malicious code.
It is a further object to simply and efficiently detect viruses in VBA compliant programs.
It is a further object to detect viruses in VBA compliant programs automatically or virtually automatically so that little or no user interaction is required.
It is a further object to detect malicious code in a network or enterprise environment.