1. Field of the Invention
This invention pertains in general to computer security and in particular to the detection of malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware and crimeware. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Software applications that are downloaded and installed on a client can either be vulnerable to malware attacks or contain malware. For example, many viruses attach themselves to legitimate executable files installed on a client. If a client launches an executable file with a virus attached, the virus's code may be executed simultaneously. The virus may gain control of the client computer and attempt to infect other files. In another example, malicious code at a web site can exploit a vulnerability of a legitimate file at a client and cause the legitimate file to perform malicious actions.
Security software can detect malware by scanning files for specific strings of bytes (i.e., “string signatures”) characteristic of malware. However, because of the large number of legitimate and malicious software applications present in modern computing environments, it can be difficult for security software to use string signatures to accurately identify malware, especially previously unknown malware. There is thus an ongoing need for ways to accurately detect malware.