Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is probably a combination of “malicious” and “software”, and describes the intent of the creator, rather than any particular features. The term malware normally encompasses computer viruses, Trojan horses, spyware and adware.
Many early infectious programs, including the Internet Worm and a number of viruses, were written as experiments or pranks. That is, they were intended to be annoying rather than to cause serious damage. For example programmers might write one just to prove that they can do it, or to see how far it could spread.
A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. For example, some viruses are designed to destroy files or corrupt a file system by writing junk data. Other viruses include network-borne worms designed to vandalize Web pages. In other cases, revenge is the motivator for writing malicious software. For example, a programmer about to be fired from a job will generate a virus to damage the former employer's systems or destroy their own earlier work.
Moreover, a large portion of malicious software is focused strictly on a profit motive. For example, a majority of viruses and worms have been designed to take control of users' computers. Infected computers are “hijacked” and are remotely used to send email spam, host contraband data or engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware. That is, programs designed to monitor users' Internet browsing. In some cases, the spyware displays unsolicited advertisements which provide marketing revenues to the spyware creator.
Presently, pluralities of anti-virus methods are used in order to detect and stop malware spread or initial infection. One method for detecting malware is signature based detection. In general, the malware signatures are derived from the malware code or strings that are used in the code. For example, when malware is discovered, an anti-virus provider will analyze the malware code and provide a signature, e.g., a hash, string based structure, or the like, to recognize the malware code. Then, whenever the malware code appears, the anti-virus software will recognize the malware signature and the malware will be defeated.
For example, many anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets. If the security software finds patterns that correspond to known computer viruses or worm signatures, the appropriate steps are taken to neutralize the threat.
However, malware writers have come up with a plurality of ways of overcoming the code signature detection methods. For example, overcoming methods include polymorphic code, metamorphic code and the like. In general, polymorphic code is code that mutates while keeping the original algorithm intact. Polymorphic algorithms make it difficult for anti-virus software to locate the offending code as the malware is constantly changing its signature.
Moreover, metamorphic code is code that can reprogram itself. Often, the reprogramming is accomplished by translating its own code into a temporary representation, and then back to normal code again. This is used by some viruses when they infect new files. The result is “children” that do not look like the “parent”.
Encryption is the most commonly used method of achieving metamorphism and polymorphism in code. However, all of the code cannot be encrypted or else it would be completely unusable. Therefore, a small portion of the malware is left unencrypted and is used to start the encrypted software. In other words, the actual algorithm does not change, but everything else might. Thus, by rewriting the unencrypted decryption engine each time the virus or worm is propagated, signature recognition as used by anti-virus software is significantly reduced.
Therefore, what is needed is a method for detecting malware or other code that is not deceived by metamorphic or polymorphic code.