The term “malware” is short for malicious software and is used to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, Trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Many computer devices, such as desktop personal computers (PCs), laptops, personal digital assistants (PDAs) and mobile phones, can be at risk from malware. Computer systems running the Windows™ operating system are particularly at risk from malware, but all operating systems will be at some risk. Examples of other operating systems that could be at risk are Mac OS™, Linux™, Android™, iOS™, Windows Mobile™ and Blackberry OS™.
A computer system will generally run a number of benign (i.e. non-malicious) applications. Security applications are often configured to identify such benign applications, for example by comparison of an application installed on the computer system with a database of known benign applications. Once identified, the known benign applications can be excluded from some operations of the security application to free up resources on the computer system.
Malware often attempts to pass itself off as a benign application—for example, a malicious file may be a modified version of a benign file, or contain aspects of a benign file which are known to be checked by security applications. As an alternative, a malware attack may modify a benign application in order to add instructions to the application itself, causing it to execute the malicious code when run.
In yet another type of attack, a code injection may be performed to cause an otherwise benign application to execute malicious instructions. A code injection attack is an attack which causes malicious code to be interpreted or executed by a benign application, without modifying the benign application itself. Such attacks are usually made possible by incorrect validation of inputs or outputs within the code: a properly crafted input to an incorrectly validated input field can cause the application to treat the input as code to be executed rather than as data. For example, the PHP “eval( )” function may be used to perform certain operations on data input by the user. However, this function executes any PHP code which is passed to it, so if the input is not validated, an attacker can supply PHP code which will then be executed by the eval( ) function with the privileges of the application. Other languages and applications which evaluate strings as code have similar vulnerabilities.
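The following is an added example and not part of the original text. It illustrates the eval( ) weakness described above using Python's eval( ), which behaves analogously to the PHP function named in the text, since the page itself contains no code. The application, a small calculator, and both inputs are constructed for the illustration; the hardened variant shows the remedy a practitioner would actually apply, namely never handing the input to an interpreter at all, but parsing it and evaluating only a whitelist of arithmetic constructs.

```python
"""Constructed example: a calculator that hands user input to eval(),
mirroring the PHP eval() weakness described in the text, next to a
hardened version that only evaluates plain arithmetic."""
import ast
import operator

# Constructed sample inputs: what a user is expected to type into the
# field, and what an attacker types into the same field.
BENIGN_INPUT = "2 + 3 * 4"
MALICIOUS_INPUT = "__import__('os').getpid()"   # any Python expression runs


def vulnerable_calc(expr: str):
    """Vulnerable: eval() interprets the whole string as Python code, so the
    'input' becomes part of the program. The payload here merely calls
    os.getpid(), but it could equally spawn a process or read files."""
    return eval(expr)


class SafeEvalError(ValueError):
    """Raised when the input contains anything other than plain arithmetic."""


# Whitelist of AST node types the hardened evaluator is willing to execute.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node: ast.AST):
    # Numbers: accept int/float literals only (bool is an int subclass in
    # Python, so it is excluded explicitly).
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise SafeEvalError(f"rejected literal: {node.value!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Anything else (names, attribute access, calls, subscripts, ...) is the
    # road from "arithmetic" to "arbitrary code", so it is refused.
    raise SafeEvalError(f"rejected node: {type(node).__name__}")


def safe_calc(expr: str):
    """Hardened: parse to an AST and walk only the whitelisted node types.
    The string is never passed to eval()/exec(), so there is no code path
    by which the input is executed as code."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise SafeEvalError(f"not an expression: {exc.msg}") from None
    return _eval_node(tree.body)


def is_rejected(expr: str) -> bool:
    """True if the hardened evaluator refuses the input."""
    try:
        safe_calc(expr)
    except SafeEvalError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign   :", vulnerable_calc(BENIGN_INPUT))
    print("vulnerable, malicious:", vulnerable_calc(MALICIOUS_INPUT), "(os.getpid() ran)")
    print("hardened, benign     :", safe_calc(BENIGN_INPUT))
    print("hardened, malicious  :", "rejected" if is_rejected(MALICIOUS_INPUT) else "executed")
```

Note that the hardened version does not try to "validate" the string before passing it to eval( ); a character whitelist or blacklist in front of an interpreter is easy to get wrong, whereas a parser that only knows arithmetic has no way to express a function call at all. Operators outside the whitelist (for instance exponentiation, which could be used for resource exhaustion) are rejected for the same reason.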
Several techniques, such as those used in F-Secure's DeepGuard™ technology, exist to detect code injection or modifications to files as they occur. However, once the code has been inserted into a file, or a malicious file has been created which can pass itself off as a legitimate application, it is more challenging to detect the malicious code.
Behavioural analysis techniques often rely on identifying and examining calls to external libraries such as .dll files, or API calls to other applications. In particular, where an application makes use of encrypted communications, the data is passed to the encryption library in the clear, so intercepting such calls often provides an opportunity to examine the plaintext of the communications. However, sophisticated malware attacks may inject the code from the external library along with the malicious code, or inject other code which allows the application to perform the function itself, in order to remove the need for the external call. The behaviour then takes place entirely within the application's own code, which reduces the opportunity for security applications to observe and analyse it.