Destructive computer programs such as viruses, spyware, malware and others have become a mainstay in the computing world. What began in the 1970s with the creation of somewhat primitive programs that harmed specific machines has evolved into highly complex programs capable of spreading and proliferating over networks of attached computers. Along with the evolution of malware and harmful programs, the programs used to protect systems against them have developed as well. Programs that began by utilizing simple filename or file size comparisons have evolved to utilize additional technologies, such as similarity determinations, hashing or other cryptographic techniques, to increase performance and coverage.
Several companies, including Kaspersky, Symantec, McAfee, Panda, Eset and others, offer programs aimed at providing protection against such harmful programs. These programs utilize various methods of protection, many of which focus on the comparison of received files with signatures stored in a local or centralized database. For example, an email attachment received by a user will be investigated, and the attachment name, size and extension will be captured and compared against a local database of known harmful files. If a match is found in the known database, the user will be notified that the file is harmful and given options to terminate or continue the action. Additionally, select programs are able to examine data stored within unprotected archives that have been compressed.
However, existing programs are inefficient in processing attachments. Current attachment analysis programs utilize a specific set of metadata, such as size, name, extension and in some cases date, for comparisons. Various file compression programs exist and are able to compress data into transportable archives. Programs marketed using trademarks such as Gzip, Zip, 7zip, WinRar and others provide user interfaces and command line options for performing the compression. This compression reduces file sizes and thus reduces the bandwidth required to transfer information. In addition, the archive formats effectively “hide” or “obfuscate” the contents of the archive, so that the contents are not directly discernible without first decompressing the archive. Many of these compression programs allow the archive creator to apply various access credential technologies to the archives. For example, an information supplier may create a compressed archive of a computer executable program and apply a password to the generated archive file so as to prevent unauthorized access. Typically, a protected archive will have its contents encrypted so that a key is needed to gain access to those contents. While these features are certainly useful for protecting data from being accessible to persons other than the intended recipient, they can also be exploited as tools to defeat security measures. For instance, a malicious program can be encrypted and transmitted to a target computer. In this form, the malicious program is virtually undetectable until decompression, and its encoded form depends on the encryption key. Accordingly, the same malicious program can be copied a multiplicity of times with each copy being encoded with a different key, thereby appearing different from all of the other copies.
Current anti-virus and other protection technology cannot examine the contents of protected archives, and thus a protected archive containing malware or malicious code may pass the initial scan. The user may obtain the access credentials for the protected archive in a later transmission or other communication, attempt to access the information in the protected archive, and unwittingly execute malware or malicious code on their machine. While certain efforts have been made to reduce this occurrence, such as examining email addresses and attachment sizes, the malware and malicious code creators have altered their practices to steer clear of these protections. For instance, the protected archive and the access credential information may come from distinct email addresses but maintain visual congruency in order to trick the user into opening the protected archive.
While some of the current security programs are able to extract data from unprotected compressed archives and compare the archive content to the local or remote malware databases, none of the programs available today are able to extract data from protected archives within any practical amount of time as part of a malware scan or intrusion detection screen. Currently, when confronted with an archive requiring access credentials, security software will attempt to compare the name, size and extension of the archive, as a whole, to the files stored in the local or remote virus database. Since a known malware program can be so readily obfuscated into a multiplicity of forms, virus databases simply cannot keep up with the rate at which the copies of malware can be made and distributed.
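The following is an added example, not part of the original text, showing the triage step a mail gateway or endpoint scanner can perform on a ZIP attachment before any content comparison: it reads the general-purpose flag bit 0 of each entry (the ZIP specification's "encrypted" flag) to decide whether the archive requires access credentials, and it reports the entry names that remain visible in cleartext even when the entry data is encrypted. The sample archive, the entry names and the list of risky extensions are constructed for illustration. Because the standard library cannot write encrypted ZIPs, the protected sample is built by patching the flag bits of a plain archive, which is enough to exercise the detection logic but does not actually encrypt the bytes.

```python
import hashlib
import io
import os
import zipfile

# ZIP general-purpose flag bit 0 (APPNOTE): the entry is encrypted.
FLAG_ENCRYPTED = 0x0001

# Constructed list of extensions a scanner would escalate on; extend as needed.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".dll", ".hta"}


def build_sample_archive() -> bytes:
    """Constructed sample standing in for an email attachment (two entries)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        # "MZ" header followed by zero padding: a stand-in, not a real program.
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"See the separate message for the password.\n")
    return out.getvalue()


def mark_entries_encrypted(data: bytes) -> bytes:
    """Constructed fixture: set flag bit 0 on every local file header (flags at
    offset 6) and central directory header (flags at offset 8) so the archive
    advertises its entries as password-protected. The entry data is left as is;
    this only lets the detection below be exercised with the standard library.
    Signature scanning is adequate for this tiny constructed archive."""
    buf = bytearray(data)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos >= 0:
            buf[pos + flag_off] |= FLAG_ENCRYPTED  # low byte of the LE flags field
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def triage_attachment(data: bytes) -> dict:
    """Summarize what a scanner can learn from a ZIP blob without credentials:
    the whole-archive hash, every entry name (never encrypted in standard ZIP
    encryption), which entries are flagged encrypted, which can be read now,
    and which carry a risky extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        encrypted = [zi.filename for zi in entries if zi.flag_bits & FLAG_ENCRYPTED]
        risky = [
            zi.filename
            for zi in entries
            if os.path.splitext(zi.filename)[1].lower() in RISKY_EXTENSIONS
        ]
        readable = []
        for zi in entries:
            try:
                # zipfile refuses to open an entry flagged encrypted without a password.
                with zf.open(zi) as fh:
                    fh.read(4)
                readable.append(zi.filename)
            except RuntimeError:
                pass
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": [zi.filename for zi in entries],
        "encrypted_entries": encrypted,
        "readable_entries": readable,
        "risky_entries": risky,
        "needs_credentials": bool(encrypted),
    }


if __name__ == "__main__":
    plain = build_sample_archive()
    protected = mark_entries_encrypted(plain)
    for label, blob in (("plain", plain), ("protected", protected)):
        summary = triage_attachment(blob)
        print(label, summary)
```

The two summaries show the practical gap the text describes: the whole-archive hash differs between the two blobs even though they hold the same payload, so a signature on the archive as a whole does not carry over; the protected archive yields no readable entries for content comparison; but the entry names and extensions are still visible from the headers, which is the metadata a scanner can act on (for example, escalating or quarantining a credential-protected archive that contains an executable) before the user ever receives the password.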
As a practical matter, distributors of malware in compressed archives need to provide the access credentials along with the compressed archive itself, so that the compressed archive can be decrypted and its contents executed. Malware distributors will want to make the access credentials easily available to human users but difficult for security programs to identify. For example, the access credential information for accessing the malicious program may be supplied in a separate transmission or in a separate format, making it extremely difficult to automatically match the credentials to the compressed archive.
Moreover, challenge-response gate technology aimed at ensuring that an actual human is interacting with a service or feature, such as Captcha, can be used to confound security programs. This technology has conventionally been applied to inhibit “bots,” automated computing devices tasked with the proliferation of malware, spam or other harmful payloads. However, the same technology can readily be used to further attacks by inhibiting the protection software.
Accordingly, a practical solution is needed to address these and other challenges of efficient and effective containment of malware.