Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. In some situations, malware is a program or file that is embedded within downloadable content and designed to adversely influence or attack normal operations of a computer. Examples of different types of malware may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device (e.g., computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing capability) without permission by the user or an administrator.
One type of malware is distributed over a network via websites, e.g., servers operating on a network according to a hypertext transfer protocol (HTTP) standard or other well-known standard. Malware distributed in this manner may be actively downloaded and installed on a computer, without the approval or knowledge of its user, simply by the computer accessing the web site hosting the malicious network content (the “malicious web site”).
Besides being in the form of malware-embedded objects associated with web pages hosted by the malicious web site, malware may also enter a computer on receipt or opening of an electronic mail (email) message. For example, email may contain a Uniform Resource Locator (URL) or an attachment, such as a Portable Document Format (PDF) document, with embedded malicious executable programs. Furthermore, malware may exist in files contained in a computer memory or storage device, having infected those files through any of a variety of attack vectors.
Various processes and devices have been employed to prevent the problems associated with malware. For example, computers often run antivirus scanning software that scans a particular computer for viruses and other forms of malware. The scanning typically involves automatic detection of a match between content stored on the computer (or attached media) and a library or database of signatures of known malware. The scanning may be initiated manually or based on a schedule specified by a user or system administrator associated with the particular computer. Unfortunately, by the time the scanning software detects malware, some damage on the computer or loss of privacy may have already occurred, and the malware may have propagated from the infected computer to other computers. Where the malware is polymorphic malware, which is capable of mutating to defect signature matching, antivirus scanning offers little protection.
Another type of malware detection solution employs a virtual environment that virtualizes the processing of data flows (e.g., series of related packets) within a sandbox environment. The sandbox environment comprises a virtual machine (VM) that conducts generic virtualized processing (sometimes referred to as “replay”) operations on at least some content within a data flow in efforts to detect behavioral anomalies that may signal the presence of an exploit (e.g., a detected malicious attack by malware). For example, in response to detecting a timeout event where no exploit has manifested after a predetermined amount of time has elapsed, the VM may merely change its software profile and perform the same replay process. If an exploit is detected, however, and if processing time is still available, the same generic VM instrumentation will continue to run for the allotted time without any intelligence as to making run-time more efficient.
More specifically, the above-described malware detection solution is inefficient as the same replay process is used without considering the particular exploits targeted for detection, if any are specifically targeted, and/or without considering the results of an initial analysis or whether the analysis actually detected an exploits.