With the spread of the Internet and a wide range of wireless communication devices, the routes by which malicious software (malicious code) spreads are becoming more diverse, and the extent of the damage it causes increases every year. The term “malicious code” as used herein refers to software that has been intentionally produced to perform malicious behavior contrary to the intention and interests of a user, such as destroying a computer system or leaking information. There are various kinds of malicious code, such as viruses, worms, Trojans, backdoors, logic bombs and trap doors used as hacking tools, malicious spyware, malicious adware and the like. Through self-replication or automatic propagation, malicious code causes problems such as the leakage of personal information (for example, a user's password and identifier (ID)), seizure of system control, modification or deletion of files, destruction of the system, denial of service of an application or system, leakage of core data and installation of other hacking programs, which results in very diverse and serious damage.
To solve these problems, malware treating systems (or vaccine programs) have been developed to detect and treat malicious code. Most malware treating systems known so far use a file-based diagnostic method. The file-based diagnostic method originates from the fact that malicious code takes the form of a file executable on a particular system so that it can run on that system. For example, most malicious code takes the form of PE (Portable Executable) files in order to run on Windows systems such as the Win32 operating system. By way of example, a PE file has a file extension such as exe, cpl, ocx, dll, vxd, sys, scr, drv or the like.
To detect malicious code in the form of executable files, the malicious code treating system also needs a signature in a specific format that can classify the malicious code by recognizing the file type. Such a method is one of the diagnostic methods similar to the signature-based inspection methods or string inspection methods used in most malicious code treating systems. A signature-based inspection method checks, as its target objects, specific or unique parts of files classified as malicious code, and therefore has the advantages of an accurate diagnosis that minimizes false positives and false negatives and of high-speed scanning, obtained by scanning only specific parts of the files during inspection. However, the signature-based inspection method has the disadvantage that it cannot respond to a variant with even a slight change in the file, since a false negative (an incorrect diagnosis) may occur if only hundreds of bytes change in the malicious code's file. Further, the signature-based inspection method provides a countermeasure against only known malicious code, and has the shortcoming that it cannot respond to hitherto unknown malicious code of different types.
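As an added illustration (not part of the original text), the following Python sketch shows a file-based, signature-based inspection of the kind described above: it recognizes the PE file type from the header, applies constructed placeholder signatures only to PE files, and shows how a single-byte change defeats the signature (a false negative) and how the same pattern inside a non-PE container is never examined. All signature patterns and sample files are constructed for this example.

```python
import struct

# Constructed signature database: name -> unique byte sequence expected in the file.
# These are illustrative placeholders, not real malware signatures.
SIGNATURES = {
    "Sample.Dropper.A": bytes.fromhex("e8 00 00 00 00 5d 81 ed"),  # constructed pattern
    "Sample.Agent.B":   b"--sample-agent-marker--",                # constructed pattern
}

def is_pe_file(data: bytes) -> bool:
    """Recognize the file type: 'MZ' DOS header, e_lfanew at 0x3C pointing to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def scan_signatures(data: bytes) -> list[str]:
    """Return the names of every signature whose byte pattern appears in a PE file."""
    if not is_pe_file(data):
        return []  # a file-type-aware scanner applies PE signatures only to PE files
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def build_sample_pe(payload: bytes) -> bytes:
    """Build a minimal, constructed PE-shaped blob: MZ stub + PE signature + payload."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + payload

def demo() -> tuple[list[str], list[str], list[str]]:
    pattern = SIGNATURES["Sample.Dropper.A"]
    known = build_sample_pe(b"\x90" * 16 + pattern + b"\x90" * 16)
    # Variant: the same file with one byte of the signed region altered.
    variant = bytearray(known)
    variant[known.index(pattern) + 5] ^= 0xFF
    # Same marker bytes, but carried inside a non-PE (PDF-like) container.
    non_pe = b"%PDF-1.4\n" + SIGNATURES["Sample.Agent.B"]
    return scan_signatures(known), scan_signatures(bytes(variant)), scan_signatures(non_pe)

if __name__ == "__main__":
    print(demo())  # (['Sample.Dropper.A'], [], [])
```

The second and third results are the two gaps the text describes: a minor modification evades the exact-byte signature, and a non-executable carrier is outside the PE-only inspection entirely.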
On the other hand, an APT (Advanced Persistent Threat), which is one of the recent issues, persistently utilizes various types of malicious code with advanced attack techniques in order to steal the information targeted by an attacker. In particular, an APT is rarely detected in its early invasion phase, and it typically employs non-executable files. For example, an APT generally uses non-PE files of Windows systems such as the Win32 operating system. This is because the programs that run non-PE files, such as word processors or imaging programs, inherently have some degree of security vulnerability, and because variant malicious code can easily be made by changing the non-PE files when malicious code is embedded in them.
Owing to the above properties, there are many cases where an APT employs a malicious non-executable file exploit to achieve a zero-day attack. For example, if a recipient inadvertently opens a malicious non-executable file attached to an email on his or her computer system, the computer system is infected by the malicious file, after which the malicious file can attack other computer systems and invade them to steal key data. In addition, since non-executable files come in a variety of formats, a substantial amount of time and effort is needed for an expert to examine whether a non-executable file is malicious and to analyze the malicious activities it performs. Moreover, from the standpoint of almost all conventional techniques, it is not easy to find a countermeasure against variant malware that is modified and newly created even during the analysis period.
For example, the conventional signature-based inspection method requires a very large signature database to identify the different types of attacks, which is far from realistic. Therefore, the conventional signature-based inspection method cannot effectively protect computer systems against zero-day exploits employing malicious non-executable files.
Further, the conventional action-based (behavior-based) inspection method requires obtaining information, such as the design methods, necessary for detecting the behaviors of different attackers, which leads to false positives and false negatives.
Accordingly, there is a strong need for a malware treating system capable of quickly and correctly inspecting whether or not non-executable files contain malicious code.