In the United States and elsewhere, computers have become part of people's everyday lives, both in the workplace and in personal endeavors. This is because a general-purpose computer can be programmed to run a variety of software programs each providing different processing and networking functions. Typically, the software programs are selected and installed at the request of or on behalf of the user of a particular computer, and operate according to expectations. Furthermore, with the advent of global communications networks such as the Internet, computers can now be connected in a “virtual network”—thus allowing companies and people to retrieve and share vast amounts of data, including software programs. The ability to distribute software programs using the Internet quickly and at a significantly reduced cost when compared to traditional means (e.g., diskettes, CD-ROMs) has made the delivery of software to endpoint devices (e.g., desktop computers, laptop computers, tablets, smartphones, set-top boxes, wearable devices, point-of-sale devices, and/or any other suitable client devices) an almost trivial exercise. The proliferation of endpoint devices (“endpoints”) and the implementation of “BYOD” (Bring Your Own Device) policies at many companies, schools, government agencies and other institutions has only increased the importance of maintaining malware-free endpoints, as they often serve as the entry point into a secure computing environment.
Along with the benefits of these devices and a more open environment, however, come opportunities for mischievous and even illegal behavior. Unwanted software programs are distributed throughout the Internet in an attempt to extract information from unsuspecting users, take control of individual computers, alter computer settings, and in some cases even disable entire networks. The threat posed by such malicious software (“malware”) is well documented and continues to grow. Furthermore, the sophistication and covert nature of malware seem to outpace the industry's attempts to contain it.
Conventionally, malware detection has focused on a “signature” based approach. Signature methods generally rely on a list or database of filenames and/or fingerprints (e.g., cryptographic hashes) of files commonly used by malware authors, and, when a candidate file matches a signature that is known to represent malware, isolate the file for further testing. One example is the identification of executable files (e.g., .EXE, .COM, .DLL, etc.) and the systematic analysis of the various functions that these files initiate once active. Generally, this analysis is done in a partition of the computer or a set of memory addresses that is isolated from the rest of the computer (a “sandbox”), so as not to accidentally infect the computer during scanning. Any files suspected of being malware are then quarantined for further analysis and/or user review.
However, the signature-based approach may not always be 100% effective at detecting and quarantining malware: a signature matches only files that have already been catalogued, so a variant with a different name or a different fingerprint passes unnoticed. Moreover, computer users often unknowingly facilitate malware attacks on their own computers and computer networks by initiating execution of programs containing malware. One method often exploited by the purveyors of malware is to rely on the end user's trust of certain entities (e.g., well-known software providers), and to disguise files, links or other operations as being sent from a trusted provider. For example, a file containing spyware, adware, or keystroke-logging software might present itself using an icon from an otherwise reputable provider.
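The following is an added illustration, not part of the original text and not the method claimed here, of the conventional signature-based scanning described above and of its principal limitation. It uses constructed byte strings standing in for files on disk, a constructed signature database of filename and SHA-256 fingerprint entries, and a hypothetical `triage` routine that routes unmatched executables to isolated analysis; the one-byte variant shows how a file with identical behaviour escapes a fingerprint match.

```python
import hashlib
import os

# Constructed sample file contents (not real malware): a stand-in for a known
# malicious executable, a one-byte variant of it, and a benign installer.
KNOWN_MALWARE = b"MZ\x90\x00" + b"\x00" * 28 + b"payload: log keystrokes v1"
VARIANT = KNOWN_MALWARE[:-1] + b"2"          # same behaviour, different last byte
BENIGN = b"MZ\x90\x00" + b"\x00" * 28 + b"hello world installer"

# Extensions treated as executable candidates (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".dll", ".scr"}


def sha256_hex(data: bytes) -> str:
    """Fingerprint a file's contents with SHA-256."""
    return hashlib.sha256(data).hexdigest()


# Minimal signature database (constructed): fingerprints of known-bad files
# plus filenames commonly used by malware authors.
SIGNATURES = {
    "hashes": {sha256_hex(KNOWN_MALWARE)},
    "filenames": {"svch0st.exe", "invoice.pdf.exe"},
}


def is_executable(filename: str) -> bool:
    """Identify executable files by extension, case-insensitively."""
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS


def scan(filename: str, data: bytes, signatures=SIGNATURES):
    """Match one candidate file against the signature database.

    Returns ("quarantine", "filename"), ("quarantine", "hash") or ("clean", None).
    """
    name = os.path.basename(filename).lower()
    if name in signatures["filenames"]:
        return ("quarantine", "filename")
    if sha256_hex(data) in signatures["hashes"]:
        return ("quarantine", "hash")
    return ("clean", None)


def triage(filename: str, data: bytes, signatures=SIGNATURES) -> str:
    """Hypothetical routing step: quarantine on a signature hit, send unmatched
    executables to isolated (sandbox) analysis, and allow everything else."""
    verdict, _ = scan(filename, data, signatures)
    if verdict == "quarantine":
        return "quarantine"
    return "sandbox" if is_executable(filename) else "allow"


if __name__ == "__main__":
    samples = [
        ("update.exe", KNOWN_MALWARE),   # exact fingerprint hit
        ("update.exe", VARIANT),         # evades the fingerprint, still executable
        ("SVCH0ST.EXE", BENIGN),         # filename hit regardless of content
        ("readme.txt", BENIGN),          # not executable, no signature
    ]
    for name, data in samples:
        print(f"{name:12} {scan(name, data)!s:26} -> {triage(name, data)}")
```

The variant differs from the catalogued sample by a single byte, so its SHA-256 fingerprint no longer matches and the scanner reports it clean; only the extension check keeps it headed for further analysis. This is exactly the gap that a masquerading file with a familiar icon exploits: nothing in a name or hash signature captures how the file presents itself to the user.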
What is needed, therefore, is a method and system for detecting malware that masquerades as coming from a trusted provider by presenting a known, trusted image or icon.