As anti-malware systems have become more effective at recognizing large-scale attacks in the form of viruses or worms that infect many computers, many malware developers have turned instead to developing smaller-scale targeted attacks. A targeted attack may masquerade as a custom program created for a small group or even one single user. As a new piece of software enters an organizational ecosystem, security systems may be at a loss for what action to take. Blocking execution of a program that lacks an established reputation may prevent a user from performing important tasks while the safety of the new program is assessed.
The essential question facing an anti-malware system upon encountering a program without an established reputation is, “What does this program do?” Is it a benign and useful program, or does it pose a threat to the organization? Some clues can be obtained through static analysis of the executable code, but ultimately the question may be answered best by executing the program and observing its behavior. Unfortunately, targeted malware typically hides behind the façade of a benign program, unleashing its malicious functions only when a specific set of resources (for example, a particular host, network share, or domain) is available to assist the malware code in its attack; in an environment lacking those resources, the program behaves benignly and the analysis learns nothing about the hidden functionality. Configuring a test environment that includes all or many of the resources a suspected malware program may require before initiating its attack may be time-consuming and prohibitively expensive. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for analyzing suspected malware.
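The following is an added illustration of the problem described above, not code from the original disclosure. It models a hypothetical targeted sample that runs a benign façade unconditionally and gates its payload on three invented resources (a hostname, a network share, and a domain), together with an instrumented sandbox that answers resource lookups and records every probe. The payload here is only a string label; no real action is taken. Running the sample in a generic sandbox, a partially provisioned one, and a fully provisioned one shows why an analyst sees only benign behavior until the environment supplies every expected resource, and how the probe log at least reveals which resource the sample checked for next.

```python
"""Constructed illustration of environment-gated malware versus an instrumented sandbox.

Nothing here is real malware: the "payload" only returns a label. The resource
kinds and values below are invented for this example.
"""
from dataclasses import dataclass, field

# What this hypothetical targeted sample expects to find before it acts.
EXPECTED = {
    "hostname": "fin-wks-0042",          # a specific workstation (made up)
    "share": r"\\fileserver\payroll",    # a specific network share (made up)
    "domain": "corp.example",            # a specific directory domain (made up)
}


@dataclass
class Sandbox:
    """Instrumented environment: answers resource lookups and logs every probe."""
    resources: dict
    probes: list = field(default_factory=list)

    def lookup(self, kind):
        value = self.resources.get(kind)
        # Record what was asked for and whether the sandbox could supply it.
        self.probes.append((kind, value is not None))
        return value


def suspect_program(env):
    """Hypothetical targeted sample.

    The benign facade (a report viewer) runs unconditionally; the payload runs
    only when every expected resource matches. The sample gives up at the first
    mismatch, so an under-provisioned sandbox observes benign behaviour only
    and sees just one failed probe per run.
    """
    actions = ["display quarterly report"]                # the facade
    for kind, wanted in EXPECTED.items():
        if env.lookup(kind) != wanted:
            return actions                                # bail at first mismatch
    actions.append("PAYLOAD: exfiltrate payroll share")  # label only; no real action
    return actions


def analyze(resources):
    """Run the sample in a sandbox built from `resources`; return (actions, probes)."""
    env = Sandbox(dict(resources))
    return suspect_program(env), env.probes


if __name__ == "__main__":
    # 1. Generic sandbox: nothing the sample wants exists.
    print("generic sandbox:     ", analyze({}))
    # 2. Partially provisioned: the first check passes, the next one fails.
    print("partial sandbox:     ", analyze({"hostname": "fin-wks-0042"}))
    # 3. Sandbox provisioned with every resource the target environment has.
    print("provisioned sandbox: ", analyze(EXPECTED))
```

The probe log is the only information the analyst gains from an under-provisioned run, and it exposes just one missing resource at a time, which is why assembling an environment that satisfies the sample can take many iterations and considerable expense.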