There have been many security incidents in which confidential information held by a company is transmitted from a computer inside the company to an outside computer by a malicious program (malware), such as a virus or a Trojan horse.
To detect malware promptly, many companies have adopted anti-virus software provided by an anti-virus vendor.
Measures that prevent malware infection and leakage of confidential information by checking that communication data contains neither a malicious program nor confidential information have also been adopted.
However, anti-virus software detects malware on the basis of known patterns (signatures) of the program code contained in the malware, and thus cannot detect packed malware, that is, malware whose code has been compressed or encrypted so that the known pattern no longer appears in the file.
Likewise, when malware encrypts the data it transmits, it is difficult to detect communication data that contains data generated by the malware or confidential information stored on a computer.
Further, many types of malware masquerade as a legitimate program to avoid prompt detection.
For example, masquerading methods include (a) a method in which the executable file name of a legitimate program is used, (b) a method in which the executable file of a legitimate program is replaced with the executable file of a malicious program, and (c) a method in which the memory area of a process of a legitimate program is used, so that the malicious code runs inside the legitimate process. A memory area for a process will hereinafter be referred to simply as a “memory area”.
There is a conventional technique for detecting malware of this kind.
In this conventional technique, static information of a legitimate program is registered in advance, and static information of a test target program is compared with the registered static information so as to determine whether or not the test target program is malware. The static information includes information about the APIs (Application Programming Interfaces) and DLLs (Dynamic Link Libraries) the program references, and information such as the program size and a hash value of the program code. These pieces of static information are derived from the executable file as stored on a hard disk.
However, this conventional technique can detect malware masquerading as a legitimate program by the above method (a) or (b), but cannot detect malware masquerading by the above method (c). This is because, with method (c), the executable file on the hard disk is not altered, and thus its static information still matches the static information of the legitimate program.
There is a conventional technique that is capable of dealing with the above method (c).
In this conventional technique, APIs and DLLs used by a process of a legitimate program are registered in advance, and APIs and DLLs used by a process of a test target program are compared with the registered APIs and DLLs so as to determine whether or not the test target program is malware.
However, this conventional technique can detect malware that dynamically uses APIs and DLLs different from those of the legitimate program, but cannot detect malware that confines itself to the same APIs and DLLs that the legitimate program uses.
In addition, there is a conventional technique as described below.
In this conventional technique, program codes stored in a memory area for a process of a legitimate program are registered in advance, and program codes stored in a memory area of a test target program are compared with the registered program codes so as to detect a malicious program code injected by malware in the memory area of the test target program. A malicious program code injected by malware in a memory area will hereinafter be referred to as a “malicious code”.
However, if a malicious code is injected in a memory area reserved dynamically (to be hereinafter referred to as a “dynamic memory area”), the conventional technique cannot detect this malicious code. This is because the addresses of a dynamic memory area vary each time the memory area is reserved, so the corresponding dynamic memory areas of the registered process and the test target process cannot be identified and compared.
There are also legitimate programs that dynamically rewrite their own program code (for example, a Just-In-Time compiler). Thus, when program codes stored in memory areas are compared, such legitimately rewritten code may be detected erroneously as malicious code.
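The following simulation, added here as an illustration and not part of the original description, contrasts the static on-disk check described above with the memory-area comparison, and shows the two limitations just discussed: a dynamic memory area at a varying address has no registered counterpart to compare against, and a legitimate program that rewrites its own code is reported as modified. All memory areas, code bytes, module and section names (`app.exe!.text`, `jit.dll!.text`) and addresses are constructed in-line for the example; nothing is read from a real process.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One memory area of a process (constructed for the example; not read from a real process)."""
    name: str             # "module!section" for image-backed areas, "" for dynamic ones
    base: int             # virtual address of the area
    data: bytes           # program code stored in the area
    dynamic: bool = False # True for areas reserved at run time (heap, VirtualAlloc-style)


# Constructed sample code of the legitimate program as stored on disk
# (x86: push ebp; mov ebp,esp; mov eax,1; pop ebp; ret).
DISK_CODE = bytes.fromhex("5589e5b8010000005dc3")
DISK_HASH = hashlib.sha256(DISK_CODE).hexdigest()   # registered static information
# Constructed stand-in for a malicious code fragment (x86: jmp $).
INJECTED = bytes.fromhex("ebfe")


def static_check(disk_image: bytes, registered_hash: str) -> bool:
    """Conventional static check: hash of the executable file on disk."""
    return hashlib.sha256(disk_image).hexdigest() == registered_hash


def compare_memory(baseline: list[Region], target: list[Region]) -> dict:
    """Compare the code in the test target's memory areas with the registered baseline.

    Image-backed areas are matched by module!section name, so their addresses do
    not matter.  Dynamic areas have neither a stable name nor a stable address, so
    they cannot be matched to anything registered and are only listed as unmatched.
    """
    registered = {r.name: r.data for r in baseline if not r.dynamic}
    report = {"modified": [], "unmatched_dynamic": []}
    for r in target:
        if r.dynamic:
            report["unmatched_dynamic"].append(r.base)
        elif registered.get(r.name) != r.data:
            report["modified"].append(r.name)
    return report


BASELINE = [Region("app.exe!.text", 0x401000, DISK_CODE)]


def scenario_patched_text() -> dict:
    """Method (c): code of the legitimate process is overwritten in its own image area.
    The file on disk is untouched, so the static check passes; the memory comparison
    sees the change because the image-backed area has a stable name."""
    patched = DISK_CODE[:3] + INJECTED + DISK_CODE[5:]
    target = [Region("app.exe!.text", 0x401000, patched)]
    return {"static_ok": static_check(DISK_CODE, DISK_HASH),
            "memory": compare_memory(BASELINE, target)}


def scenario_dynamic_injection(reservation: int = 0) -> dict:
    """Malicious code placed in a dynamically reserved area.  The address differs with
    every reservation (simulated by the reservation counter), so there is no registered
    counterpart to compare it against and the comparison cannot call it malicious."""
    base = 0x10000 * (0x100 + reservation % 0x700)   # simulated varying address
    target = [Region("app.exe!.text", 0x401000, DISK_CODE),
              Region("", base, INJECTED, dynamic=True)]
    return {"static_ok": static_check(DISK_CODE, DISK_HASH),
            "memory": compare_memory(BASELINE, target)}


def scenario_jit() -> dict:
    """A legitimate program (e.g. a JIT compiler) rewriting its own code produces a
    'modified' finding with no malware involved: a false positive of the comparison."""
    jit_baseline = BASELINE + [Region("jit.dll!.text", 0x10001000, DISK_CODE)]
    rewritten = DISK_CODE[:4] + bytes.fromhex("02000000") + DISK_CODE[8:]  # mov eax,2
    target = [Region("app.exe!.text", 0x401000, DISK_CODE),
              Region("jit.dll!.text", 0x10001000, rewritten)]
    return compare_memory(jit_baseline, target)


if __name__ == "__main__":
    print("patched .text:     ", scenario_patched_text())
    print("dynamic injection: ", scenario_dynamic_injection())
    print("JIT rewrite:       ", scenario_jit())
```

Matching by module and section name is what lets the comparison survive address changes for image-backed areas; the dynamic area has no such identifier, which is exactly why it ends up in the unmatched list rather than being judged either way.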
To promptly report the damage caused by a security incident involving malware, a malware analyst must promptly identify the malicious code injected in a memory area and analyze what function the identified malicious code has.
In many conventional techniques, it is necessary to provide, in advance, a template for a legitimate program (or its process) listing its static information and dynamic information (APIs and DLLs used by the process).