The present invention, in some embodiments thereof, relates to malicious software (malware) detection and, more particularly, but not exclusively, to runtime detection of self replicating and self-modifying malware.
Malware is a general term for a variety of hostile, intrusive and/or annoying uninvited software contaminating a computing device. Malware generally appears in the form of executable binary files designed to exploit a device or the data it contains without consent. Exploitation may take a variety of forms, such as disruption of device operation, sensitive information gathering, unauthorized access to device systems or the like.
Malware is typically provided with self-replication and/or self-modification capabilities, while preserving the malicious intention of the original code. Malware mutations typically spread across devices and run without being detected, shut down, or deleted by the user or security software.
Reference is made to FIG. 1, which is a conceptual scheme representing malware functionality. Activities which may take place as part of a malware lifecycle on a computing device include self-replication and/or multiplication, malware clone creation and distribution, as well as malware penetration into additional, optionally neighboring computing devices and systems. Penetration may include manipulation of the new devices' detectors to disguise the malware's operation on the newly penetrated devices, whether that operation is harmless or malicious, such as but not limited to device resource consumption. Malware may also mutate to avoid signature-based detection, and optionally re-replicate in a mutated form. Reference is also made to FIG. 2, which is a schematic flowchart demonstrating the detailed operation of self-replicating malware. The flowchart commences with the creation of a replicator process, optionally disguised as a useful application which performs harmless actions, to deceive a human user or malware detection programs. A replicator process typically reads its own executable file from disk into memory to generate one or more modified clones, which may be saved from memory into a disk file. The replicator process may then activate the one or more generated clones to create one or more cloned process replicas, proceed with its previous harmless operation, and optionally notify the one or more cloned replicas of its termination.
The design of malware may include elements such as but not limited to Trojan horses concealing harmful or malicious payloads, installation of backdoors, and rootkits which hide the existence of processes from standard detection methods to allow continued privileged access to the device and its resources. Malware may disguise itself by taking advantage of otherwise legitimate binary self-modification techniques, in which binaries alter their own instructions while executing to reduce repetitive code and/or improve performance.
Modern programming tools which simplify development of executable code in the form of binary modules may be used by hackers to build an arsenal of crude self-modifying and replicating malware, optionally disguised as non-executable binary files. Operating systems may inadvertently load and run such malware.
Post-factum analysis of malware is more challenging to perform when the files of the cloned replicas are disguised as non-executable code and the original malware's executable file is deleted, overwritten or replaced. The one or more cloned replicas may verify upon creation that the replicator process is shut down, and delete and/or overwrite the executable file of the replicator process to hide its harmful operation. The one or more cloned replicas may wait until triggered to perform malicious activity.
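The replication chain of FIG. 2 (replicator reads its own image, writes a clone, activates it) and the subsequent erasure of the replicator's executable described above can be correlated from ordinary endpoint telemetry. The following detection routine is an added example and not part of the patent; the event format and the sample events are constructed for illustration.

```python
"""Correlate constructed endpoint telemetry into the self-replication chain
of FIG. 2: a process reads its own image, writes a new file, launches it,
and the launched clone later removes the original image."""
from collections import defaultdict

# Constructed sample telemetry (not from the patent); one dict per event.
EVENTS = [
    {"ts": 1, "event": "proc_start", "pid": 100, "ppid": 1, "image": "/tmp/app"},
    {"ts": 2, "event": "file_read", "pid": 100, "path": "/tmp/app"},
    {"ts": 3, "event": "file_write", "pid": 100, "path": "/tmp/.cache/img.dat"},
    {"ts": 4, "event": "proc_start", "pid": 101, "ppid": 100, "image": "/tmp/.cache/img.dat"},
    {"ts": 5, "event": "proc_exit", "pid": 100},
    {"ts": 6, "event": "file_delete", "pid": 101, "path": "/tmp/app"},
    # Benign noise: an editor writing a document that is never executed.
    {"ts": 7, "event": "proc_start", "pid": 200, "ppid": 1, "image": "/usr/bin/editor"},
    {"ts": 8, "event": "file_write", "pid": 200, "path": "/home/u/notes.txt"},
]

def find_replication_chains(events):
    """Return one alert per parent process whose written file was executed
    as a child; records whether the parent read its own image and whether
    the parent's image was later deleted (hindering post-factum analysis)."""
    image = {}                     # pid -> executable image path
    self_read = set()              # pids that read their own image
    written = defaultdict(set)     # pid -> files it wrote
    chains = {}                    # replicator pid -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["event"]
        if kind == "proc_start":
            image[pid] = ev["image"]
            parent = ev["ppid"]
            if ev["image"] in written.get(parent, ()):
                chains.setdefault(parent, {
                    "replicator": parent, "image": image[parent],
                    "self_read": parent in self_read,
                    "clones": [], "image_deleted": False})
                chains[parent]["clones"].append(pid)
        elif kind == "file_read" and ev["path"] == image.get(pid):
            self_read.add(pid)
        elif kind == "file_write":
            written[pid].add(ev["path"])
        elif kind == "file_delete":
            for alert in chains.values():
                if ev["path"] == alert["image"]:
                    alert["image_deleted"] = True
    return list(chains.values())

if __name__ == "__main__":
    for alert in find_replication_chains(EVENTS):
        print(alert)
```

On the sample events the routine reports a single chain: replicator 100 read its own image, clone 101 was launched from the file it wrote, and the replicator's image was deleted afterwards; the editor process produces no alert.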