Malware is increasingly a problem for computer users on the Internet. An unskilled or unsuspecting computer user may inadvertently visit a website which may install a malware trojan into their computer, or download an e-mail attachment which may a computer virus. Malware has expanded as applications for computers have expanded. Malware is being transmitted through cellular networks to smart phones and other devices, such as PDAs and the like. It has even been found on peripherals and accessories, or embedded into commercial software.
Originally, most malware was created by hackers, who were interested only in testing the limits of their skills. Some malicious codes could alter data on hard drives or even erase (reformat) hard drives or re-write the boot sector. These types of computer viruses were annoying and troublesome, but other than lost data and downtime, not of great economic impact. In more recent times, such malware has been created with more immediate economic motives—to capture passwords, bank account information, PIN numbers and other personal information for use in identity theft and credit card fraud. Other types of malware, such as trojans, install themselves in a computer and pose as anti-virus programs, demanding that the user pay a fee (usually to an off-shore provider) to “remove” the virus.
Other types of malware, install “bot” programs into user computers, so that such computers can be used as part of “bot networks” to be used to transmit SPAM messages and the like, and for other illegal purposes. These types of “bot” programs may not damage the user's computer data, but may slow the computer and slow access to the Internet. Similarly, spyware and the like may be used to monitor a user's access to the Internet to monitor websites visited and then report back this data to commercial users for use in marketing. Such programs may be viewed as an invasion of privacy and also may slow computer speed and access.
Most of these types of malware programs have been fairly easy to detect, and counter-measures, in the form of anti-virus programs and malware and spyware detection programs. Many of these programs are available free to users on the Internet, at least as trial or freeware versions. Malware represents a tremendous loss in time and money to businesses and individual users, in terms of data loss, data theft, and also in the time and money spent in removing malware and also screening for it and recovering from data loss.
Until recently, the threat of malware has been mostly in the form of disruption (hacking pranks) or economic in nature (e.g., stealing banking or credit card data or passwords). However, it is possible that malware may be used for other purposes now, or in the future. Foreign governments routinely probe and attempt to hack into U.S. Government computer systems, as well as those of major businesses, industries, and educational institutions. In many instances, these attempts at access are mere probes of system weaknesses, perhaps for future exploits. In other cases, actual data is stolen. A concern exists that malware could be used as a means of economic disruption or as a political tool or even as a weapon, in order to crash networks or individual computers or to gain unauthorized access to such computers or networks.
Thus, rapid detection and evaluation of malware is an increasingly pressing need. Prior Art techniques of waiting for malware attacks to occur and then attempting to isolate and detect new malware are increasingly inefficient. Detection and immunization from such malware attacks, in the Prior Art, usually only occurred after a user's computer had already been attacked and data lost. Some more aggressive malware protection companies actively search for new malware on the Internet and attempt to develop prophylactic cures for such viruses, trojans, worms, and the like. But such active approaches require many man-hours of labor to search for such programs and then operate such programs to detect whether a virus, worm, or trojan is present.
In the Prior Art, if a user wished to test or analyze a malware program, it may have been necessary to run such a program on a stand-alone computer, so as to prevent such a malware program from infecting other computers on the network. One problem with such an approach is that if the malware causes the computer to crash, it may not be possible to analyze in real-time, how the malware functioned and performed and what actions it takes. In addition, such a technique does not allow multiple users to monitor and analyze the malware program. In the event malware is detected, it may be necessary to completely reformat and wipe the hard drive of such a machine and re-install the operating system to erase damage caused by the malware. And since the malware may be programmed to cover its tracks, detecting how the malware works and its various signatures may be difficult using a physical computer system.
Thus, a need exists in the art for a system which allows a user to operate suspected malware in a manner that is safe and observable, and also allows this data to be rapidly shared with others. In addition, a need exists in the art for a technique that allows a user to rapidly analyze suspected malware, without having to physically reformat hard drives and re-install operating systems after each use. In addition, a need exists in the art for a system which allows a user to analyze operation of suspected malware such that operation of the malware and detection of its characteristic signatures is possible, even if the malware attempts to disguise itself or erase evidence of its presence.
Virtual Machines are known in the art for emulating the operating systems of a number of computers. A Virtual Machine (VM) comprises software running on a computer system that emulates the operation of, for example, a particular operating system. Using a Virtual Machine, a user can run applications intended for a number of different operating systems, such as Windows, Mac O/S, Linux, and the like, without using the physical hardware ordinarily associated with such operating systems. Thus, for example, a user could operate a Linux program on a Windows-based system by creating a Linux VM operating within the Windows O/S. Such Virtual Machines are useful in operating non-native programs on a particular hardware infrastructure and for other purposes.
Bull et al., U.S. Pat. No. 6,065,118, issued May 16, 2000, assigned to Citrix Systems, Inc. and incorporated herein by reference, discloses a mobile code isolation cage. This system is described as reducing the risk of damage to data or programs in an end user computer system programmed to operate in response to an imported data stream containing one or more mobile program components from an external source. The incoming data stream is screened to identify mobile program components of that data stream. Some of the mobile program components are passed to a program execution location isolated from the end user system prior to being executed to operate in a desired manner. The execution location has an interface with the external source of the data stream and an interface with the end user system. The operation of the interface between the execution location and the end user system is programmed so that only data which has been interacted on by the program component within the execution location in a specified and controlled manner can be passed to and from the end user system. The system of the Bull Patent appears to be capable of isolating mobile code, but does not appear to be applicable to use with detecting and analyzing potential malware.
Mazzaferri et al., Published U.S. Patent Application Ser. No. 2007/07198656, published Aug. 23, 2007, assigned to Citrix Systems, Inc. and incorporated herein by reference, discloses methods and servers for establishing a connection between a client system and a virtual machine executing in a terminal services session and hosing a requested computing environment. Mazzaferri discloses that his system receives a request from a client system for an enumeration of available computing environments. Collected data regarding available computing environments are accessed, and accessed data are transmitted to a client system, the accessed data indicating to the client system each computing environment available to a user of the client system. A request is received from the client system to access one of the computing environments. A connection is established between the client system and a virtual machine hosting the requested computing environment via a terminal services session, the virtual machine executed by a hypervisor executing in the terminal services session provided by an operating system executing on one of a plurality of execution machines. The Mazzaferri application appears to disclose the use of selecting and operating a virtual machine over a computer network.
Croft, et al., Published U.S. Patent Application Ser. No. 2007/0192329, published Aug. 16, 2007, assigned to Citrix Systems, Inc. and incorporated herein by reference, discloses a method for executing, by a virtual machine, an application program requested by a client machine. The method includes the step of receiving a file including access information for accessing a plurality of application files and for executing a first client capable of receiving an application stream. An identification of the plurality of application files is retrieved, responsive to the received file. At least one characteristic required for execution of the plurality of application files is retrieved, responsive to the file. A determination is made as to whether a client machine includes the at least one characteristic. A second client is executed, responsive to a determination that the client machine lacks the at least one characteristic, the second client requesting execution of the plurality of application files on a remote machine comprising a virtual machine providing a computing environment having the at least one characteristic. Croft et al. appears to teach the concept of executing a Virtual Machine over a network.
Arnold et al., U.S. Pat. No. 6,981,279, issued Dec. 27, 2005, assigned to International Business Machines Corporation and incorporated herein by reference, discloses a system and a method for dynamically analyzing software, some of whose potentially-important behaviors (such as worm-like behavior) may only be displayed when the software is executed in an environment where it has, or appears to have, access to a production network and/or to the global Internet. The software may be executed in a real or an emulated network environment that includes a monitoring component and an emulation component. The monitoring component serves to capture and/or record the behaviors displayed by the software and/or other components of the system, and the emulation component gives the software being analyzed the impression that it is executing with access to a production network and/or to the global Internet. The software being analyzed is effectively confined to the analysis network environment, and cannot in fact read information from, or alter any information on, any production network or the global Internet. Arnold et al. appears to teach the idea of emulating a communications network to determine how a worm-type program propagates over such a network.
In examining a standard Virtual Machine (VM) configuration, a series of undocumented and unpublished settings create serious security threats that may potentially allow harmful data, root kits, and other malicious code to access a network. Thus, using a Virtual Machine (VM) on a network to examine potential malware could create a security concern for the network, as the malware could exploit these security threats and infect or access computers connected to the virtual machine through the network. Thus, it remains a requirement in the art to provide a means of addressing these embedded security flaws and provide a series of solutions to ensure that potentially harmful data is unable to leak from a virtual machine environment onto a network.