Malware threats continue to grow in large part due to polymorphic and metamorphic threats (e.g., malware variants with the same behavior but a different signature). Classifying malware may be important in order to efficiently identify remedies and/or security measures for variants and to identify new malware. Some types of malware such as, for example, non-process threats (NPTs), may be a challenge to classify. Non-process threats may use existing benign processes and/or utilities to perform one or more malicious actions. Improper classification of non-process threats may incorrectly associate an operating system utility, an interpreter, and/or a benign process (e.g., a word processor or a web browser) with malware. For example, a non-process threat may inject code into a memory space of an existing process associated with a benign process and execute the code there. The non-process threat may then create a remote thread associated with the benign process to perform one or more malicious actions. Attempts to handle the malicious actions may incorrectly associate the malicious actions with the benign process.
Similar difficulties may exist with other non-process threats such as, for example, the execution of malicious scripts using a benign utility and/or interpreter such as perl.exe and cmd.exe. Other non-process threats which may provide a challenge include malicious Dynamic Link Libraries (DLLs) which may be loaded by a process or a utility such as rundll32.exe and svchost.exe.
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current technologies for classifying non-process threats.
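The misattribution problem described above can be shown with a small added example (not part of the original document and not the method it goes on to describe): a naive classifier blames the host process image, while an artifact-aware one names the script, DLL, or thread creator. The event schema, field names, and sample values are assumptions constructed for the illustration.

```python
import shlex

# Event schema, field names and all sample values below are constructed for
# this illustration; they are not taken from the page.
SCRIPT_HOSTS = {"perl.exe", "cmd.exe"}        # benign interpreters
DLL_HOSTS = {"rundll32.exe", "svchost.exe"}   # benign DLL loaders

EVENTS = [
    {"type": "process_start", "image": "perl.exe",
     "cmdline": r"perl.exe C:\Users\a\dl.pl"},
    {"type": "process_start", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Temp\run.bat"},
    {"type": "process_start", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Temp\x.dll,Start"},
    {"type": "module_load", "image": "svchost.exe",
     "module": r"C:\Temp\svc.dll"},
    {"type": "remote_thread", "image": "winword.exe",
     "source_image": "dropper.exe"},
    {"type": "process_start", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

def naive_subject(ev):
    """Blame whichever process image the action ran under."""
    return ("process", ev["image"])

def attributed_subject(ev):
    """Return (kind, artifact) naming what should be classified."""
    image = ev["image"].lower()
    if ev["type"] == "remote_thread":
        # Thread runs inside the benign target; blame its creator.
        return ("injector", ev["source_image"])
    if ev["type"] == "module_load" and image in DLL_HOSTS:
        return ("dll", ev["module"])
    if ev["type"] == "process_start":
        args = [a.strip('"') for a in shlex.split(ev["cmdline"], posix=False)[1:]]
        if image in SCRIPT_HOSTS:
            # First non-switch argument is treated as the script path
            # (simplification: inline code such as `perl -e` is not handled).
            paths = [a for a in args if not a.startswith(("/", "-"))]
            if paths:
                return ("script", paths[0])
        if image == "rundll32.exe" and args:
            return ("dll", args[0].split(",")[0])  # strip the export name
    return ("process", ev["image"])

def misattributed(events):
    """Events where image-based attribution blames a benign host."""
    return [ev for ev in events if naive_subject(ev) != attributed_subject(ev)]
```

Of the six constructed events, only the plain notepad.exe start is attributed to the process itself; the other five would be pinned on a benign host by image-based attribution.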