Malware detection systems often employ virtual environments to enable potentially malicious objects to be safely analyzed during run-time in one or more sandboxed virtual machines. Each virtual machine is provisioned with a guest image, where the guest image is configured in accordance with a particular software profile. This particular software profile is dependent on the type of object being analyzed. For example, where the object is a web page, the software profile may prescribe a browser application that runs over a specific operating system (e.g., Windows®, Linux®, etc.). As another example, where the object is an electronic message, the software profile may prescribe an email application running over the same or a different operating system (e.g., Microsoft® Mobile®, Blackberry® OS, etc.). The applications and operating systems may be generally referred to as software components, and may differ from one another by software vendor or version number.
For processing a suspect object, the virtual machine is provisioned with a guest image that features software components for the prescribed software profile. A virtual execution (run-time) environment features the virtual machine along with “activity monitors,” namely software components that are configured to observe and capture run-time behavior of the suspect object during processing within the virtual machine. For example, the activity monitors may be operationally situated to intercept software calls (e.g., function or system calls) made by a software component running in the virtual machine. The configuring of the activity monitors is highly dependent on the type and sometimes the version of the software component.
The process in developing activity monitors appropriate for certain software components is sometimes referred to as “instrumenting” the software profile. In this regard, instrumentation refers to the ability of a malware detection system to monitor and capture activities during run-time of the object, including both expected and unexpected activities, in order to use these captured activities in classifying the object as malicious or non-malicious (e.g., benign). Such instrumentation does not require monitoring of all functionality, but rather, the monitoring of functionality associated with an attack (or likely to give rise to indicators of compromise).
As new software components or new versions of currently supported software components are released by the software vendors, new instrumented software profiles need to be developed and tested for these software components. The completion of a fully-instrumented software profile may often require months of development and testing in order to ensure that the activity monitors appropriately capture at least certain predetermined activities associated with malware.
Given the amount of time necessary to complete a fully-instrumented software profile, malware authors generally have a window of time to develop and deploy new malware that exploits certain unknown vulnerabilities of a newly released software component, namely the period of time between release of the software component and deployment of a guest image configured to accordance with a new, fully-instrumented software profile. Such new malware represents zero-day exploits, that is, malware that exploits a vulnerability that has not been detected previously. Malware detection systems and their instrumented legacy software profiles typically are inadequate in capturing many of the activities caused by zero-day malware, and thus, may fall short in classifying an object as malicious. Of course, conventional anti-virus scanning programs are likely to be totally ineffectual in detecting zero-day exploits since new and sophisticated malware will not correspond to known malware signatures.