As used herein a “threat” comprises malicious software, also known as “malware” or “pestware”, which comprises software that is included or inserted in a part of a processing system for a harmful purpose. The term threat should be read to comprise possible, potential and actual threats. Types of malware can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
A hook (also known as a hook procedure or hook function), as used herein, generally refers to a callback function provided by a software application that receives certain data before the normal or intended recipient of the data. A hook function can thus examine or modify certain data before passing on the data. Therefore, a hook function allows a software application to examine data before the data is passed to the intended recipient.
An API (“Application Programming Interface”) hook (also known as an API interception), as used herein as a type of hook, refers to a callback function provided by an application that replaces functionality provided by an operating system's API. An API generally refers to an interface that is defined in terms of a set of functions and procedures, and enables a program to gain access to facilities within an application. An API hook can be inserted between an API call and an API procedure to examine or modify function parameters before passing parameters on to an actual or intended function. An API hook may also choose not to pass on certain types of requests to an actual or intended function.
A process, as used herein, is at least one of a running software program or other computing operation, or a part of a running software program or other computing operation, that performs a task.
A hook chain as used herein, is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the operating system passes the message to each hook procedure referenced in the hook chain, one after the other. The action of a hook procedure can depend on the type of hook involved. For example, the hook procedures for some types of hooks can only monitor messages, others can modify messages or stop their progress through the chain, restricting them from reaching the next hook procedure or a destination window.
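As an added illustration (not part of this specification), the hook chain and API-hook behaviour described above applied to a constructed capture-device API: one hook procedure only monitors the call, one modifies its parameters, and one declines to pass the request on to the intended procedure. The device names, process names and allowlist are constructed for the example.

```python
# Added example (not from the patent): a hook chain in front of a constructed
# capture-device API; each hook may monitor, modify, or block the request.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
TRUSTED = {"videoconf.exe"}  # constructed allowlist of capture-permitted processes

class HookResult(Enum):
    PASS = "pass"      # monitored only; request continues unchanged
    MODIFY = "modify"  # parameters altered; request continues as modified
    BLOCK = "block"    # chain stops; the intended API procedure is never called

@dataclass
class CaptureRequest:
    device: str                  # constructed values: "webcam" or "microphone"
    process: str                 # name of the calling process
    resolution: str = "1080p"
    log: List[str] = field(default_factory=list)

def real_open_capture_device(req: CaptureRequest) -> str:
    """Stand-in for the operating system's actual API procedure."""
    return f"handle:{req.device}:{req.resolution}"

def audit_hook(req: CaptureRequest) -> HookResult:
    """Monitor-only hook: records the call, never changes it."""
    req.log.append(f"audit {req.process} -> {req.device}")
    return HookResult.PASS

def policy_hook(req: CaptureRequest) -> HookResult:
    """Blocking hook: does not pass device opens from untrusted processes on."""
    if req.process not in TRUSTED:
        req.log.append(f"blocked {req.process} -> {req.device}")
        return HookResult.BLOCK
    return HookResult.PASS

def downgrade_hook(req: CaptureRequest) -> HookResult:
    """Modifying hook: caps webcam resolution before the real procedure sees it."""
    if req.device == "webcam" and req.resolution != "720p":
        req.resolution = "720p"
        return HookResult.MODIFY
    return HookResult.PASS

HOOK_CHAIN = [audit_hook, policy_hook, downgrade_hook]

def hooked_open_capture_device(req: CaptureRequest) -> Optional[str]:
    """API hook between the call and the real procedure; the chain runs in order."""
    for hook in HOOK_CHAIN:
        if hook(req) is HookResult.BLOCK:
            return None
    return real_open_capture_device(req)
```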
In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (PC), mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device. The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may comprise or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive.
An information source can comprise a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (i.e. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.
A system registry is a database used by operating systems, for example Windows™ platforms. The system registry comprises information needed to configure the operating system. The operating system refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.
An entity can comprise, but is not limited to, a file, an object, a class, a collection of grouped data, a library, a variable, a process, and/or a device.
Local communication devices such as video cameras (also commonly referred to as “webcams”) and microphones are becoming more commonplace in modern processing systems. For example, current laptop computers are provided with in-built webcams and microphones.
Due to such devices becoming more popular, threats, such as malware, have recently been configured to utilise local communication devices for exploitation. Herein, this form of threat is referred to as an “audio/visual threat”.
In some instances audio/visual threats have been configured to spy on an unsuspecting user of a compromised processing system using a webcam or microphone. The visual and/or audio data recorded by a webcam can be transferred to a third party, wherein the third party may use the visual and/or audio data for exploitation, such as determining when a user has left their premises so that a robbery can be performed. In some instances the audio/visual data has simply been used for voyeuristic activities.
In other instances, if the user has unsuspectingly left private information, such as details of their credit card, within visual range of the webcam, the visual data captured by the threat can be analysed by a third party to determine the details of the credit card for financial exploitation.
In other instances, the webcam can be controlled by the threat to record typing performed by the user on the keyboard of the processing system, in order to determine secret information such as usernames and passwords.
Recently, proof of concept computer programs have been developed which can utilise the sound of a user typing on the keyboard, recorded by a microphone, to determine the keystrokes performed by the user with an acceptable accuracy. Again, secret information such as usernames and passwords can be determined from the audio data obtained by an appropriately configured threat controlling the microphone of the compromised processing system.
Current approaches to detect audio/visual threats have involved using signature based detection software. Such software comprises a database of signatures, wherein each signature generally represents a file size of the malware, a file name associated with the malware, a cryptographic hash or checksum value of the malware, and pseudocode which represents program flow of the threat.
However, signature based approaches are becoming unsuitable as it can take a number of days for a vendor of such software to develop an appropriate signature which can detect and restrict the audio/visual threat. Between the time when an audio/visual threat compromises a user's processing system and the time when an appropriate signature is released by the vendor, the audio/visual threat can exploit audio/visual data obtained from the compromised processing system. Furthermore, unless a user continually updates the signatures for their malware detection software, this compromised time period can be extended further still.
Other approaches to deal with audio/visual threats have been to unplug microphones and webcams from the processing system. In some instances, placing an object such as a container over the webcam or microphone has also been suggested in order to overcome the compromised time period prior to a signature being released. Not only is this unsightly, but it can sometimes be extremely difficult and inconvenient for users of processing systems where the webcam and/or the microphone is in-built, such as a laptop computer.
Therefore, there exists a need for a method, system, computer readable medium of instructions, and/or a computer program product which can detect an audio/visual threat which has compromised a processing system and optionally restrict an audio/visual threat performing malicious activity in the processing system which overcomes or at least ameliorates at least one of the above mentioned disadvantages.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.