One major issue facing modern communications systems, such as the Internet, is the prevalence and propagation of malicious software, or “malware”. Herein, malware includes, but is not limited to, any software and/or code designed to infiltrate a user's computing system without the user's informed and/or explicit consent. Some of the better known forms of malware include computer viruses and spyware.
Many types of malware are formatted as Portable Executables, or “PEs”. The PE format is a data structure that encapsulates the information the Windows OS loader needs in order to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data (an executable's embedded Icons are stored here, as RT_ICON and RT_GROUP_ICON resources, typically in the .rsrc section), and thread-local storage (TLS) data. On the Windows NT family of operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. The Extensible Firmware Interface (EFI) specification also states that PE is the standard executable format in EFI environments.
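To make that structure concrete, the following is an added example and not code from the patent: a minimal PE parser that reads the DOS header, the NT headers, the section table and the resource data directory, translates the resource directory's RVA to a file offset, and lists the resource type IDs at the root of the resource tree (RT_ICON = 3 and RT_GROUP_ICON = 14 are the types under which the Icons discussed below are stored). The header offsets are those of the PE/COFF specification. Because no real binary is embedded, build_sample_pe constructs a sample image in memory; it is not loadable and exists only to exercise the parser.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
RT_ICON, RT_GROUP_ICON = 3, 14


def build_sample_pe():
    """Constructed sample: a minimal PE32 image with one .rsrc section whose
    resource root lists RT_ICON and RT_GROUP_ICON. Not loadable; test input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> NT headers
    opt_size, raw_ptr, rsrc_rva = 224, 0x200, 0x2000
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, rsrc_rva, 0x20)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x20, rsrc_rva, 0x200, raw_ptr, 0, 0, 0, 0, 0x40000040)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    image += b"\0" * (raw_ptr - len(image))
    # IMAGE_RESOURCE_DIRECTORY root: 0 named entries, 2 ID entries of 8 bytes each
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 2)
    rsrc += struct.pack("<II", RT_ICON, 0x80000000 | 0x20)       # high bit: entry points to a subdirectory
    rsrc += struct.pack("<II", RT_GROUP_ICON, 0x80000000 | 0x30)
    return image + rsrc.ljust(0x200, b"\0")


def parse_pe(data):
    """Read the headers a loader reads first; raise ValueError on anything that is not PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:                      # data directories start at +96 (PE32) / +112 (PE32+)
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    rsrc_rva, rsrc_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_RESOURCE:
        rsrc_rva, rsrc_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "magic": magic, "is_dll": bool(chars & 0x2000),
            "sections": sections, "resource_rva": rsrc_rva, "resource_size": rsrc_size}


def rva_to_offset(pe, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA %#x is not inside any section" % rva)


def resource_type_ids(data, pe):
    """Resource type IDs at the root of the resource tree (named entries are skipped)."""
    if pe["resource_rva"] == 0:
        return []
    root = rva_to_offset(pe, pe["resource_rva"])
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", data, root)
    ids = []
    for i in range(n_named + n_id):
        name_or_id, _ = struct.unpack_from("<II", data, root + 16 + 8 * i)
        if not name_or_id & 0x80000000:           # high bit set means a string name, not an ID
            ids.append(name_or_id)
    return ids


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print(info["sections"], resource_type_ids(sample, info))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); a file whose root resource directory contains neither type 3 nor type 14 carries no embedded Icon to examine.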
Due to the widespread, and now relatively well known, problem of malware propagation, many users are hesitant to open, or activate, an unknown PE file. Consequently, in order to hide the nature of PE file malware, many PE file malware distributors use “social engineering” techniques to trick a user into activating the file and/or to lull a user into complacency by presenting the user with known and/or trusted features. For instance, in many instances of targeted and/or password-stealing malware, such as banking Trojans (“bankers”), malware distributors disguise their malware as a legitimate document, Notepad text file, PDF, etc. by embedding a well known, and/or trusted, Icon to convince the user that the PE file malware is a legitimate document created in the application represented by the Icon. The trick works because Windows Explorer displays an executable's own embedded Icon and, by default, hides known file extensions, so a malicious EXE can present the Icon of a PDF reader or word processor. Consequently, in many cases, it would be beneficial to identify Icons in order to identify and/or isolate files that potentially include certain forms of malware.
Currently, some security systems do attempt to identify Icons. However, these systems typically match Icons using cryptographic hashes such as the well known MD5. A cryptographic hash is designed so that any change to the input produces an unrelated output; consequently, even a small, and virtually unnoticeable, change to a given Icon, such as a minor change in color shade or the addition or removal of a single image pixel, yields a completely different hash and causes the Icon to go unidentified, thereby defeating the hash analysis while the Icon still appears quite legitimate to the user. Consequently, there is currently no efficient and effective mechanism available to reliably and dynamically identify an Icon. In addition, exact-match hashing systems scale poorly, since every variant of an Icon must be stored as a separate entry, resulting in large MD5 databases and significant processing cycles to maintain and query them.
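The brittleness described above can be shown directly. The following is an added example, not code from the patent, and the tolerant comparison it uses (an 8x8 average hash compared by Hamming distance) is a generic perceptual-hash technique chosen for illustration, not the method the patent proposes. The 16x16 grayscale “document” Icon is constructed inline, and the match threshold of 5 bits is an illustrative cutoff rather than a tuned value. A one-pixel shade change and a single removed outline pixel each break the MD5 match while leaving the perceptual fingerprint unchanged; a genuinely different image (a blank Icon) lands far outside the threshold.

```python
import hashlib

SIZE = 16  # constructed icon: 16x16 grayscale, one int per pixel (0 = black, 255 = white)


def make_icon():
    """Constructed sample: a 'document' glyph, a page outline plus four text lines."""
    icon = [[255] * SIZE for _ in range(SIZE)]
    for y in range(2, 14):                    # left and right page edges
        icon[y][3] = icon[y][12] = 40
    for x in range(3, 13):                    # top and bottom page edges
        icon[2][x] = icon[13][x] = 40
    for y in (5, 7, 9, 11):                   # lines of "text"
        for x in range(5, 11):
            icon[y][x] = 90
    return icon


def perturb(icon, x, y, value):
    """Copy of icon with one pixel set to value (a shade tweak, or 255 to erase it)."""
    out = [row[:] for row in icon]
    out[y][x] = value
    return out


def md5_hex(icon):
    """Exact-match fingerprint: MD5 over the raw pixel bytes."""
    return hashlib.md5(bytes(v for row in icon for v in row)).hexdigest()


def average_hash(icon, grid=8):
    """Perceptual fingerprint: box-average the image down to grid x grid cells,
    then set one bit per cell brighter than the mean. 64-bit int for grid=8."""
    h, w = len(icon), len(icon[0])
    bh, bw = h // grid, w // grid
    cells = []
    for by in range(grid):
        for bx in range(grid):
            block = [icon[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:                           # first cell ends up as the most significant bit
        bits = (bits << 1) | (c > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def compare(known, candidate, threshold=5):
    """Exact (MD5) verdict beside the tolerant verdict for the same pair of icons."""
    dist = hamming(average_hash(known), average_hash(candidate))
    return {
        "md5_match": md5_hex(known) == md5_hex(candidate),
        "hash_distance": dist,
        "fuzzy_match": dist <= threshold,
    }


if __name__ == "__main__":
    known = make_icon()
    cases = {
        "shade":   perturb(known, 0, 0, 250),   # one corner pixel slightly off-white
        "missing": perturb(known, 6, 2, 255),   # one pixel of the page outline erased
        "blank":   [[255] * SIZE for _ in range(SIZE)],
    }
    for name, cand in cases.items():
        print(name, compare(known, cand))
```

The point of the pairing is the asymmetry: MD5 answers only “is this byte-for-byte the Icon I know?”, whereas the distance answers “how far is it from the Icon I know?”, which is the question the social-engineering case actually poses. Any tolerant scheme needs its threshold set against a corpus of legitimate and malicious Icons, and an attacker who knows the scheme can try to craft an Icon that looks right to the user but lands just outside it.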
As a result, many users are currently taken in, and induced to activate malicious PE files, by seemingly legitimate and trusted Icons.