With the expansion of the application fields for computer devices, the number of various malicious programs is also growing, such as network worms, trojan programs and computer viruses. Generally, the purpose of malicious programs is to gain control over a computer system, in order to perform such actions as, for example, theft of confidential information.
One of the approaches used to detect malicious programs involves analyzing the behavior of applications. This approach is based on the interception of functions called by an application and on their subsequent study. The study discovers various suspicious actions, such as an attempt to access system files by a non-trusted process (for example, a process launched from a file which appeared in the system relatively recently).
Conventional approaches of this type for detecting malicious programs tend to have one substantial deficiency. This deficiency is due to the fact that the malicious code, using, for example, program or operating system vulnerabilities, can be implemented in the address space of a trusted process in order to create threads or in order to be launched among the existing process's threads, which will be executed on behalf and at the privilege level of that process. In this case, the attempt to access the system files, initiated by the malicious code and discussed above as an example, will not be considered suspicious because it will be executed on behalf of a trusted process. The malicious programs that use the above-described infection pattern are known in the field as exploits.
An example of a trusted process, on behalf of which a malicious code can be executed, is svchost.exe—a process in the Microsoft Windows® operating system family, for services loaded from dynamic libraries. In an operating system, several copies of this process can be launched for each of the services registered in a special partition of the system registry. If a malicious program succeeds in registering as such a service, then the malicious program code will be executed in the address space of one of the svchost.exe processes.
A browser process can be considered as another example of a trusted process traditionally exploited by malicious programs. A malicious code located on a page visited by the user can be automatically downloaded and launched in the address space of the browser process if vulnerabilities exist.
A number of solutions intended to detect a malicious code that uses the above-discussed infection pattern have been proposed.
For example, in one approach, as disclosed in U.S. Pat. No. 7,228,563 when a critical function (for example, a new process creation function) is called, the address of the code which calls for that function in the memory is determined. If the calling code is not located in the memory area where executable code storage is allowed, the call for the function is deemed suspicious and is forcefully terminated. The non-executable memory area can be, in particular, an area of the dynamically allocated memory (a heap) in the virtual address space of a process. This area is used to place data objects dynamically created by a process in the memory allocated for the process. Since the above-mentioned area contains data, the presence of an executable code in this area is non-typical and is deemed suspicious.
Another approach, as disclosed in U.S. Pat. No. 8,230,499, is intended to detect a malicious code executed in the address space of a browser process. At the interception of a download function (for example, UrlDownloadToFileA, UrlDownloadToFileW, UrlDownloadToCacheFileA, and UrlDownloadToCacheFileW), the return address of the called function is determined; if the return address is located in a heap, the download is prohibited.
It should be noted that, when the above-mentioned approaches are used, the malicious code will not be detected if it is located in the executable area of an address space. Also, verification of the calls for critical functions for all processes without exceptions is a resource-consuming task and can result in “freezing” of the applications being run by the user.
A need therefore exists for a solution that overcomes deficiencies such as those discussed above, while providing effective and efficient detection of malicious code.