Malicious software, known as “malware,” can attack various computing devices over a network such as the Internet. Malware includes any program or file that is intentionally harmful to a computer: Internet bots, computer viruses, computer worms and other self-replicating programs that copy themselves in order to spread to other computers; Trojan horses and other non-self-replicating malware; spyware and any other program that gathers information about a computer or its user, or that otherwise operates without permission. Various processes and devices have been employed to prevent the problems that malware can cause.
For example, antivirus scanning software is often installed on a computer to scan that device for malware. The antivirus software may perform scans according to a schedule specified by a user of the computer, a system administrator, and so forth. Unfortunately, by the time the antivirus software detects a virus, some damage to the computer may already have occurred.
In some instances, malware can comprise an Internet “bot.” A bot is a software robot configured to remotely control all or a portion of a computer without authorization from the computer's user. Bot-related activities include bot propagation and attacks on other computers on a network. Bots commonly propagate by scanning nodes (computers or other digital devices) reachable on the network in search of a vulnerable target. When the scan finds a vulnerable computer, the bot may install a copy of itself on that computer. Once installed, the newly replicated bot may continue to seek other computers on the network to infect.
New malware, such as Internet bots, computer worms and Trojan horse programs, as well as numerous other types of malware and spyware, is created daily. In an effort to analyze emerging malware and develop defenses, malware samples are collected to research threat techniques and to develop antivirus software. One means by which researchers collect malware samples is the so-called “honeypot.” A honeypot is a decoy information technology (IT) infrastructure component designed and deployed to be attacked. Another means researchers use is to download new malware samples from known malicious websites and web addresses.
The number of malware samples obtained by researchers each day continues to rise. Researchers may receive thousands of samples daily, each of which needs to be executed, either manually or automatically, in order to provide antivirus/intrusion protection service (AV/IPS) detection for the newly created malware. With the limited resources available to researchers, identifying and classifying each sample as malicious can be a significant challenge. It can also be helpful to identify certain categories of samples, such as bots or binaries that may be part of an advanced persistent threat (APT) targeted attack.
Current automated malware analysis systems execute every received sample without distinguishing between categories of samples. Based on the resulting analysis reports, samples may then be classified as bots or as malware that exhibits network activity. Researchers typically must wait until each sample has finished executing, which can take between five and ten minutes per sample, to determine which samples may be bots and/or exhibit network activity.
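The post-execution classification described above, and the propagation behaviour described earlier (a bot scanning many hosts for a vulnerable target), can be expressed as a small report classifier. The following is an added example, not code from the original page or from any analysis system it describes. It assumes a simplified, constructed report format (one dict per sample with a list of network events carrying `dst`, `port` and `proto`); real sandbox reports differ, and the fan-out and beaconing thresholds are assumed heuristics, not values from the page.

```python
"""Classify sandbox analysis reports by the network behaviour they record.

Added example with a constructed report format. Assumptions (not from the page):
  - a report is a dict: {"id": str, "network": [ {"dst": str, "port": int, "proto": str}, ... ]}
  - SCAN_FANOUT_THRESHOLD distinct hosts on one port is treated as propagation scanning
  - BEACON_MIN_CONNECTS repeated connects to one host:port is treated as C2-like beaconing
"""
from collections import Counter, defaultdict

SCAN_FANOUT_THRESHOLD = 20   # assumed: >= 20 distinct hosts on a single port looks like scanning
BEACON_MIN_CONNECTS = 5      # assumed: >= 5 connects to the same endpoint looks like beaconing


def classify(report):
    """Return one of: 'no-network', 'bot-propagation', 'bot-beaconing', 'network-active'."""
    events = report.get("network", [])
    if not events:
        return "no-network"

    # Distinct destination hosts per (proto, port): a propagation scan fans out
    # to many hosts on the same service port.
    hosts_per_port = defaultdict(set)
    for ev in events:
        hosts_per_port[(ev["proto"], ev["port"])].add(ev["dst"])
    if any(len(hosts) >= SCAN_FANOUT_THRESHOLD for hosts in hosts_per_port.values()):
        return "bot-propagation"

    # Repeated connects to one endpoint: the remote-control channel a bot keeps open.
    endpoints = Counter((ev["dst"], ev["port"]) for ev in events)
    if endpoints.most_common(1)[0][1] >= BEACON_MIN_CONNECTS:
        return "bot-beaconing"

    return "network-active"


def triage(reports):
    """Map each report id to its class, so researchers can pick the subset to examine."""
    return {r["id"]: classify(r) for r in reports}


# Constructed sample reports (not real analysis output).
SCANNER = {
    "id": "sample-scanner",
    "network": [{"dst": f"10.0.0.{i}", "port": 445, "proto": "tcp"} for i in range(1, 31)],
}
BEACON = {
    "id": "sample-beacon",
    "network": [{"dst": "203.0.113.7", "port": 8080, "proto": "tcp"} for _ in range(8)],
}
DOWNLOADER = {
    "id": "sample-downloader",
    "network": [{"dst": "198.51.100.2", "port": 80, "proto": "tcp"}],
}
OFFLINE = {"id": "sample-offline", "network": []}


if __name__ == "__main__":
    for sample_id, verdict in triage([SCANNER, BEACON, DOWNLOADER, OFFLINE]).items():
        print(f"{sample_id}: {verdict}")
```

The classifier only runs after a sample has executed and produced a report, which is exactly the delay the text complains about; its value here is to make concrete what “classified as bots or as malware that exhibits network activity” means in terms of recorded events.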
However, a disadvantage of executing every received sample is that this method of analysis is time consuming and inefficient. Allowing researchers to focus on a particular type of malware binary may reduce the number of samples that need to be analyzed and let researchers concentrate on certain subsets of samples, which may optimize the sample processing capacity of malware analysis systems.