Malicious software (malware) is software designed to perform functions contrary to the interests of a computer's user. Examples of malware are viruses, worms, spyware, and trojans. When executed, malware may perform a variety of unwanted actions including, for example, generating pop-up windows containing advertisements, sending copies of the malware to e-mail addresses in the user's address book, secretly collecting and sending user information to third parties, or disabling network security settings to allow unauthorized remote access to the computer, to name just a few. Not only does malware consume computer resources and disrupt normal use of the computer, but it often serves more nefarious purposes as well. For example, malware can compromise financial account information or turn the computer into a zombie that can be remotely controlled to unwittingly send spam or participate in coordinated denial-of-service attacks.
Typically, malware installed on a computer is intentionally designed to be difficult to detect and remove. For example, in computers running a version of the Microsoft Windows operating system, malware often takes advantage of weak policing mechanisms of the Microsoft Installer by installing its executables and plug-ins on the computer without registering them. Once the user realizes that malware has been installed, there is no clear record of what has been installed or what havoc it has created.
A common approach of existing anti-virus software is to scan system files for signs of known malware. To be effective, this approach requires an up-to-date database containing unique, detectable signatures for every form of malware. Constructing, maintaining, and distributing such databases, however, is costly, labor-intensive, and complicated. It requires performing detailed investigations of every known form of malware, constructing signatures that uniquely identify each type of malware, collecting the signatures in a database, and periodically updating the databases on all computers running the anti-virus software. To make matters worse, existing forms of malware are constantly mutating and entirely new types of malware regularly emerge. As a result, this type of anti-virus software often fails to detect or neutralize the newest forms of malware.
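The following is an added illustration of the signature-scanning limitation described above; it is not code from the patent or from any anti-virus product. The "signature database" (one file hash and two byte patterns), the sample files, the XOR encoding and the `STUB:key=` decoder marker are all constructed for the example. It shows that a hash or byte-pattern signature for one sample says nothing about a trivially re-encoded variant, and that catching the variant requires an analyst to first study it and add an unpacker or a new signature, which is the maintenance cost the paragraph describes.

```python
"""Constructed example: a hash/byte-pattern scanner and a re-encoded variant that evades it."""
import hashlib
import re

# Constructed signature database: name -> byte pattern (bytes regex).
PATTERNS = {
    "Constructed.Dropper.A": re.compile(rb"DROP_PAYLOAD_v1\x00"),
    "Constructed.Spammer.B": re.compile(rb"SMTP_FLOOD_\d{3}"),
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here as a stand-in for any trivial payload obfuscation."""
    return bytes(b ^ key for b in data)

# Constructed marker that the "mutated" sample's decoder stub starts with (assumption).
STUB = b"STUB:key="
PAYLOAD = b"DROP_PAYLOAD_v1\x00...install hooks"

# Constructed samples, not real malware: a fake header, filler, and the payload.
ORIGINAL = b"MZ\x90\x00" + b"..." + PAYLOAD
KEY = 0x5A
# Same behaviour, but the payload is stored XOR-encoded behind a tiny decoder stub.
MUTATED = b"MZ\x90\x00" + STUB + bytes([KEY]) + xor_bytes(PAYLOAD, KEY)

# Hash signatures are the cheapest kind; they match one exact file only.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

def scan(sample: bytes) -> list[str]:
    """Return the signature names that match the sample (empty list = clean)."""
    hits = []
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        hits.append("hash-match")
    hits += [name for name, pat in PATTERNS.items() if pat.search(sample)]
    return hits

def unpack(sample: bytes) -> bytes:
    """Emulate the constructed stub: if its marker is present, decode the payload.

    This only works because the variant has already been analysed and its
    stub format is known; an unseen encoding needs a new investigation."""
    i = sample.find(STUB)
    if i < 0:
        return sample
    key = sample[i + len(STUB)]
    return sample[:i] + xor_bytes(sample[i + len(STUB) + 1:], key)

if __name__ == "__main__":
    print("original:", scan(ORIGINAL))        # hash and pattern both hit
    print("mutated: ", scan(MUTATED))         # nothing hits
    print("unpacked:", scan(unpack(MUTATED))) # pattern hits again after decoding
```

Running the scanner over the original sample yields both a hash match and a pattern match; the re-encoded variant yields nothing until the scanner is taught how to undo that specific encoding.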
Another approach to combating malware is anomaly detection software. Rather than searching files for traces of malware, these programs monitor system activity and attempt to distinguish anomalous patterns of activity from normal patterns. The software can then warn the user of anomalous system activity that indicates the likely presence of malware. Although anomaly detection can be effective in fighting malware, it can be tedious and complicated to properly set up and use. For example, if the warning level is too sensitive, the user will be irritated by false positives. A warning level that is not sensitive enough, however, will allow malicious activity to go undetected. This approach is also undermined by the constant adaptation of malware that is designed to produce activity patterns that are sufficiently similar to legitimate software so that the malware escapes detection. Moreover, even if anomalous activity is appropriately detected, the problem remains how to identify and neutralize the specific malware producing the anomalous activity.
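As an added illustration of the warning-level trade-off described above (this is example code, not from the patent or any anomaly-detection product), the block below runs a simple rate detector over a constructed event log. Two processes send SMTP connections: a legitimate mail client that sends a 25-message newsletter burst in one minute, and a constructed spam bot throttled to 8 connections per minute so that its activity looks like ordinary use. A per-minute threshold low enough to catch the bot also flags the mail client; one high enough to spare the mail client misses the bot. The process names, event format and counts are all assumptions made for the example.

```python
"""Constructed example: a sliding-window rate detector and the threshold trade-off."""
from collections import defaultdict

# Constructed event log: (second, process, event). Only "smtp_connect" is counted.
EVENTS = []
# Legitimate newsletter burst: 25 connections in the first 25 seconds.
EVENTS += [(t, "mailclient.exe", "smtp_connect") for t in range(25)]
# Constructed spam bot: 8 connections per minute, spread out, for 10 minutes.
EVENTS += [(m * 60 + k * 7, "spambot.exe", "smtp_connect")
           for m in range(10) for k in range(8)]
# Unrelated background activity that the detector must ignore.
EVENTS += [(t, "browser.exe", "http_get") for t in range(0, 600, 5)]

def peak_rate(events, window=60):
    """Maximum number of smtp_connect events per process in any window-second span."""
    per_proc = defaultdict(list)
    for t, proc, ev in events:
        if ev == "smtp_connect":
            per_proc[proc].append(t)
    peaks = {}
    for proc, times in per_proc.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers less than `window` seconds.
            while t - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[proc] = best
    return peaks

def total_count(events):
    """Total smtp_connect events per process over the whole log."""
    totals = defaultdict(int)
    for _, proc, ev in events:
        if ev == "smtp_connect":
            totals[proc] += 1
    return dict(totals)

def flag_by_rate(events, threshold, window=60):
    """Processes whose peak per-window rate exceeds the threshold."""
    return sorted(p for p, n in peak_rate(events, window).items() if n > threshold)

if __name__ == "__main__":
    print("peaks:  ", peak_rate(EVENTS))      # mailclient 25, spambot 8
    print("totals: ", total_count(EVENTS))    # mailclient 25, spambot 80
    for th in (5, 10, 30):
        print(f"threshold {th:2d}:", flag_by_rate(EVENTS, th))
```

A threshold of 5 flags both processes (false positive on the mail client), 10 flags only the mail client (false negative on the bot), and 30 flags nothing. The totals show the bot actually sent more mail overall; a detector keyed on long-term volume would rank it differently, but that is a second feature to tune, which is the "tedious and complicated to properly set up" point. Even once a process is flagged, the detector has only named a process, not the code behind it.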
US Patent Application Publication 2005/0091192 discloses a technique for tracking file creation on a computer and storing a list of files associated with an application program or operating system. The list thus provides an association of created files with the application programs responsible for creating them. The list may be used to help reduce installation errors and facilitate removal of software, including malware. However, many forms of malware elude detection and remain hidden from conventional file system filters. For example, malware is notorious for concealing and/or obfuscating traces of its installation and operation. In particular, malware often exploits vulnerabilities in pre-existing software in order to secretly and illicitly install itself under the guise of another legitimate program. Consequently, malware is often not detected by conventional file system filters, resulting in an inaccurate and incomplete record of file creation. Conventional file system filters are also vulnerable to direct attacks by malware. For example, malware can modify the file list in order to remove traces of its presence, or it can modify or disable the file system filter itself in order to escape detection altogether. Without effective means for reliably detecting malware using such file system filters, it cannot be easily disabled or removed.
In view of the above, it would be an advance in the art of computer security to overcome the above disadvantages and provide better techniques for combating malware.