1. Field of the Invention
Embodiments of the present invention generally relate to computer system security and, more particularly, to a method and apparatus for detecting executable software in an alternate data stream.
2. Description of the Related Art
Today, a computer has become a basic necessity, and is used in many organizations, such as government agencies and businesses, for communication, research, productivity and the like. As the usage of the computer increases, threats to the stability and performance of the computer also increase, with hackers and malware being among the predominant threats.
Hackers aim to disrupt the operations of and exert control over a computer. A hacker may use malware (i.e., malicious software code) to achieve such an aim, for example, with the intention of stealing confidential data or corrupting data or the computer system, among others. In certain cases, malware is transmitted to the computer by the hacker, and when the malware is executed, programs, data, or the computer itself may be damaged. As a result, the computer ceases to operate properly and users experience a loss in productivity.
Hackers exploit various weaknesses to invade and control the computer. For example, the fact that alternate data streams are not displayed by file browsing utilities is exploited to surreptitiously invade and control computers. Although the use of alternate data streams augments the functionality of the file system, hackers unfortunately hide rootkits and malware in the alternate data streams to avoid detection. For example, hackers can couple a 5 megabyte (MB) piece of malware as an alternate data stream to a 10 kilobyte (KB) executable file. When a user views the directory, only the 10 KB executable file is visible and the alternate data stream comprising the 5 MB of malware is not displayed. As such, the user is not aware that malware has infected the computer.
This is due to the fact that the MICROSOFT WINDOWS operating system has the ability to fork file data into existing files (alternate data streams) without affecting their functionality, size or display to traditional file browsing utilities like the DOS command DIR or Windows Explorer. Generally, the alternate data streams are used by a variety of computer programs, including the native MICROSOFT WINDOWS operating system, to store file system information such as file or directory attributes and metadata (e.g., non-resident attribute information). Such computer programs may read data from and write data to the alternate data streams. Some file systems, such as the New Technology File System (NTFS), implement both primary and alternate data streams. All data for a file is stored in the primary data stream, but by using the syntax ‘file:stream’, an alternate data stream is coupled to the file. Consequently, when computer programs read or execute data from the file, the computer programs also read or execute the contents of the alternate data stream. Additionally, a computer running NTFS may use alternate data streams to be compatible with the APPLE MAC operating system and MAC file systems.
Based on data submitted to a security subscription service, only malicious programs use alternate data streams to execute content (e.g., another malicious program). Hence, if any application requests that the executable file be accessed and run (e.g., using a file “open for execute” request), the malware is executed from the alternate data stream. As a result of the execution of the malware, the computer will cease to operate properly and the user may experience a loss in productivity, a loss of data or any other form of damage to the computer system.
According to one of the prevalent methods, alternate data stream-based malware is detected using signatures (e.g., a piece of the malicious code that identifies a particular group of malware). Such a method relies upon data submitted by subscribers to a security service to develop such signatures. Hence, such a method creates signatures only after the hacker has already used alternate data stream-based malware to attack a computer. As a result, current signature-based malware detection technology is limited to detecting malware for which signatures have already been created and does not detect malware for which no signature exists. Further, signature-based malware detection is becoming increasingly difficult and costly, because hackers adapt the malicious code very quickly in response to the latest signatures.
Accordingly, there is a need in the art for a method and apparatus for detecting executable software in an alternate data stream before execution, where malware is one example of such executable software.
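As an added illustration of the signature-less detection the background calls for (example code, not part of the patent), the following Python checks whether the bytes of an NTFS ‘file:stream’ alternate data stream form a Windows PE image, using only the structure of the DOS and PE headers rather than any malware signature. The stream contents are constructed inline so it runs offline; on Windows the same bytes would be read with open("notes.txt:payload", "rb").

```python
"""Heuristic check for executable content in NTFS alternate data streams.

Added example, not from the patent. It relies on no malware signatures:
a stream is flagged when its bytes carry a DOS 'MZ' header whose e_lfanew
field points at a valid 'PE\0\0' signature, i.e. a Windows executable.
"""
import struct
from typing import Dict, List


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS stub header and a valid PE signature."""
    # A DOS header is 0x40 bytes and must start with the 'MZ' magic.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_streams(streams: Dict[str, bytes]) -> List[str]:
    """Return the 'file:stream' names whose contents look executable.

    `streams` maps relative NTFS 'file:stream' names to the stream bytes;
    names without a colon are primary streams and are left alone.
    """
    return sorted(name for name, data in streams.items()
                  if ":" in name and looks_like_pe(data))


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real program)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: a benign text file whose alternate stream hides a PE image.
SAMPLE_STREAMS = {
    "notes.txt": b"meeting minutes\n",
    "notes.txt:Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
    "notes.txt:payload": build_fake_pe(),
    # Starts with 'MZ' but has no PE signature: must not be flagged.
    "readme.txt:mz_text": b"MZ is just a prefix in this text file" + b" " * 64,
}

if __name__ == "__main__":
    print(scan_streams(SAMPLE_STREAMS))  # -> ['notes.txt:payload']
```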