Increased access to the Internet has had the unintended effect of increasing the reach of software programs that capture personal information of users without their informed consent (“Spyware”) or that corrupt computers without the user's knowledge and informed consent (“Malware”). In addition, a cottage industry has arisen in software that automatically downloads and displays advertising while an application is being used (“Adware”). The term malware as used herein includes any type of software program designed to infiltrate or damage a computer system without the owner's informed consent, regardless of the motivation for the software program and regardless of the results caused by the software program on the owner's devices, systems, networks, or data.
Such programs, when installed on the user's computer, can eavesdrop on the user, collect sensitive information and, in some cases, take control of the user's computer. In some cases, these software programs send messages out to other computers or servers, providing a conduit for the transfer of potentially sensitive information.
Various detection programs may be used to attempt to detect the presence of malware. In some instances, the detection programs rely on detecting a signature, that is, a characteristic sequence of bytes, in a software program being examined to determine whether the program is, or contains, malware. In some instances, a detection program uses a checksum-based method, comparing a hash of the entire file against hashes of known malware samples, so that any change to even a single byte of the file defeats the match. However, malware authors frequently change parts of the malware programs in order to avoid detection by signature or checksum methods. New variants of known malware may be created by re-packing or recompiling within short time intervals in order to evade signature- or checksum-based detection and to take advantage of the delay in creating and distributing updated detection signatures or checksums.
Vendors of detection software try to counteract the increased number of new malware variants and samples by using more generic detections and more heuristic detections. However, generic detections bear the deficiency of requiring manual analysis of at least one, and in most cases at least two, malware variants in order to identify the parts that remain invariant across variants and to provide an appropriate detection. Further, heuristic detections, which judge a program by traits such as its structure or behavior rather than by its identity, bear the deficiency of false positives, since legitimate programs may share those traits.
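The following is an added illustration, not part of the original text, of the four detection approaches discussed in the two preceding paragraphs: a checksum match and an exact byte signature, both of which a re-packed variant evades; a generic signature derived from two variants, which shows why at least two samples are needed; and a simple heuristic, which also catches the variant but flags an innocent program. The "samples" are constructed byte strings rather than real executables, and all names, the payload bytes, the beacon string and the heuristic rule are assumptions of this example.

```python
"""Added illustration of checksum, signature, generic and heuristic detection
on constructed byte strings (not real executables). The samples, names and
the heuristic rule are this example's own assumptions."""
import hashlib
import re

# Constructed samples. ORIGINAL is the analysed malware; VARIANT is the same
# payload re-packed (different header, padding, and a gap before the code);
# BENIGN is an innocent program that merely issues an HTTP request.
PAYLOAD = b"\xe8\x10\x00\x00\x00\x48\x31\xc0\xc3"
BEACON = b"GET /beacon HTTP/1.1"
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 8 + BEACON + PAYLOAD + b"\xcc" * 6
VARIANT = b"MZ\x00\x00" + b"\x90" * 5 + BEACON + b"\x00" * 3 + PAYLOAD + b"\xcc" * 9
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"GET /index.html HTTP/1.1" + b"\x48\x31\xc0\xc3"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Checksum detection: an exact hash of every known sample.
KNOWN_HASHES = {sha256(ORIGINAL)}
# Signature detection: a contiguous byte sequence lifted from ORIGINAL
# (the beacon string immediately followed by the code).
KNOWN_SIGNATURES = [BEACON + PAYLOAD]


def checksum_detect(sample):
    return sha256(sample) in KNOWN_HASHES


def signature_detect(sample):
    return any(sig in sample for sig in KNOWN_SIGNATURES)


def common_fragments(samples, min_len=4):
    """Maximal substrings of length >= min_len present in every sample, in
    order of appearance in the first one. With a single sample the whole
    file is 'common', which is why a generic detection needs at least two
    variants before the invariant parts can be told apart from the packing."""
    first = samples[0]
    frags, i = [], 0
    while i < len(first):
        best = b""
        for j in range(len(first), i + min_len - 1, -1):
            cand = first[i:j]
            if all(cand in s for s in samples[1:]):
                best = cand
                break
        if best:
            frags.append(best)
            i += len(best)
        else:
            i += 1
    return frags


def generic_signature(samples, max_gap=32):
    """Build a regex matching the shared fragments with bounded gaps between."""
    frags = common_fragments(samples)
    gap = b".{0,%d}?" % max_gap
    return re.compile(gap.join(re.escape(f) for f in frags), re.DOTALL)


def generic_detect(sample, pattern):
    return pattern.search(sample) is not None


# Heuristic detection: no knowledge of a specific family, just "looks like an
# executable that issues HTTP requests". It catches the unseen variant but
# also flags BENIGN, the false positive the text warns of.
HTTP_REQUEST = re.compile(rb"GET /\S* HTTP/1\.[01]")


def heuristic_detect(sample):
    return sample.startswith(b"MZ") and HTTP_REQUEST.search(sample) is not None


def detection_matrix():
    """Which method catches which sample: {method: (original, variant, benign)}."""
    generic = generic_signature([ORIGINAL, VARIANT])
    samples = (ORIGINAL, VARIANT, BENIGN)
    return {
        "checksum": tuple(checksum_detect(s) for s in samples),
        "signature": tuple(signature_detect(s) for s in samples),
        "generic": tuple(generic_detect(s, generic) for s in samples),
        "heuristic": tuple(heuristic_detect(s) for s in samples),
    }


if __name__ == "__main__":
    for method, hits in detection_matrix().items():
        print(f"{method:10s} original={hits[0]} variant={hits[1]} benign={hits[2]}")
```

Running the script prints one row per method. The checksum and exact signature catch only the original sample; the generic signature built from both variants catches both and ignores the benign program; the heuristic catches both variants but also the benign program. Calling common_fragments with the original sample alone returns the whole file, since nothing distinguishes packing from payload until a second variant is available.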