As used herein a “threat” comprises malicious software, also known as “malicious software” or “pestware”, which comprises software that is included or inserted in a part of a processing system for a harmful purpose. The term threat should be read to comprise both possible, potential and actual threats. Types of malicious software can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
A hook (also known as a hook procedure or hook function), as used herein, generally refers to a callback function provided by a software application that receives certain data before the normal or intended recipient of the data. A hook function can thus examine or modify certain data before passing on the data. Therefore, a hook function allows a software application to examine data before the data is passed to the intended recipient.
An API (“Application Programming Interface”) hook (also known as an API interception), as used herein as a type of hook, refers to a callback function provided by an application that replaces functionality provided by an operating system's API. An API generally refers to an interface that is defined in terms of a set of functions and procedures, and enables a program to gain access to facilities within an application. An API hook can be inserted between an API call and an API procedure to examine or modify function parameters before passing parameters on to an actual or intended function. An API hook may also choose not to pass on certain types of requests to an actual or intended function.
A process, as used herein, is at least one of a running software program or other computing operation, or a part of a running software program or other computing operation, that performs a task.
An entity can comprise, but is not limited to, a file, an object, a class, a collection of grouped data, a library, a variable, a process, and/or a device.
A hook chain as used herein, is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the operating system passes the message to each hook procedure referenced in the hook chain, one after the other. The action of a hook procedure can depend on the type of hook involved. For example, the hook procedures for some types of hooks can only monitor messages, others can modify messages or stop their progress through the chain, restricting them from reaching the next hook procedure or a destination window.
In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (PC), mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device. The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may comprise or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive.
An information source can comprise a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (ie. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.
A system registry is a database used by operating systems, for example Windows™ platforms. The system registry comprises information needed to configure the operating system. The operating system refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.
One problem faced when restricting malicious activity by malicious software in a processing system is that there is a risk that the malicious software may reinfect the processing system. Entities which were not necessarily performing malicious activity may not be restricted and thus may attempt to reinfect the processing system with one or more malicious entities, such as to reinfect the processing system with the malicious software.
Another problem faced when detecting malicious software is that variants of the malicious software may also attempt to infect a processing system, wherein the processing system may be configured to detect an earlier version of the malicious software. A variant of malicious software may be a modification to an earlier version of the malicious software in an attempt to increase the maliciousness of the earlier malicious software or an attempt to prevent detection, although there may be other reasons why variants of malicious software are created and released.
In order to protect a client's processing system, it is important that vendors of malicious software detection products detect the variant as quickly as possible such that a method of restricting the variant malicious software can be determined. Using methods of restricting the earlier version of the malicious software may not necessarily restrict the variant malicious software, and as such leave the processing system compromised. Due to the complexity of malicious software, a variant of malicious software can be difficult to identify, and can be a time-consuming exercise. As this process of identifying a variant is generally performed manually, there is a significant problem in attempting to accurately and quickly identify variant malicious software. Also, these problems impact on accurately and quickly generating a method of restricting the variant malicious software.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.