1. Field of the Invention
This invention pertains in general to computer security and in particular to detecting computer viruses and other malicious software through signature scanning.
2. Description of the Related Art
Purveyors of malicious software such as computer viruses, worms, and spyware go to extreme lengths to keep their software from being detected. Developers of security software, in turn, constantly update their products to detect the malicious software. One common technique for detecting malicious software is signature scanning. Generally, signature scanning searches a file for a signature, such as a string of bytes, that unambiguously identifies the malicious software. When new malicious software is discovered, the developers analyze it and generate a new signature that can detect it.
Recently, malicious software purveyors have returned to an old trick for hiding their software: code packing. The purveyors use a program, called a “packer” to modify the malicious executable file so that it no longer matches its original signature. Packers have existed for a long time and have legitimate uses, such as converting the executable file into a compressed version of itself that decompresses automatically when executed. Virus purveyors first used packers in the 1980s to camouflage their software, and more recently have begun using them again. To the purveyor of malicious software, the main advantage of using a packer is that it allows older software to evade detection. It is easier for a purveyor to pack an old virus with one or more packers than to write a completely new virus.
The security software can use signature scanning to identify malicious software that is packed by some packers. However, packers can be modified to evade detection just like other software. Moreover, some scanning techniques that work well on unpacked malicious software, such as emulation, do not always work on packed software. Packed software can require a long time to emulate before the telltale signature becomes apparent. Further, the packer can defeat emulation by utilizing unsupported instructions or more memory than the emulator provides.
Using packers thus allows purveyors of malicious software to gain the upper hand in the battle with security software developers. Security software that can detect an unpacked version of malicious software might not detect the packed version. Moreover, even if the security software detects one packed version, it is likely to miss the same malicious software packed with a different packer.
As a result, there is a need in the art for a way to detect packed malicious software that does not suffer from the above-mentioned deficiencies.