Today's computer antivirus industry is faced with constantly evolving opposition from producers of computer viruses and other such malware. New malware is developed to circumvent protection methods, techniques and systems for detection of malicious programs or hacking activity. Moreover, the protection mechanisms are themselves attacked in order to impede or block their protective functionality.
There have been reported incidents of hacking to compromise popular media content websites in order to distribute malware. For instance, an attacker who obtains the access credentials (e.g., login, password) of an administrator of a media content website, or even simply those of a user having editing privileges on the website, could gain the ability to make repeated changes to the contents of that site. Such changes could place malicious content on a site frequented by visitors, or cause visitors to be unwittingly redirected to another website from which malware would be distributed to the visitors via file transfer or active content such as browser-executable code, a practice known as pharming. After a short time, e.g., a couple of hours, the attacker can restore the compromised website contents to their original state, thereby covering their tracks. After the fact, it becomes impossible for security analysts to reproduce the attack vector.
The situation is further complicated by the fact that computer users often have antivirus or internet security software on their local machines which can automatically categorize the otherwise legitimate website as a phishing or other malicious or compromised host, and add the site's Internet address to a list of banned sites. Although such security software is quick to add an apparently malicious or compromised host to the banned site list, there are usually no means to remove the legitimate site from that list once its usual functionality has been restored. Even if the site is manually excluded from the banned site list, it could automatically be placed back on the list due to further changes to the site's content made by the attacker.
Therefore, it can be seen that protecting against hijacked websites poses the problem of dealing with a moving target. Conventional protection mechanisms that aim to block malicious sites tend to be both under-inclusive and over-inclusive in their ability to effectively protect users. Conventional protection is under-inclusive in that it tends to target malware-containing sites for blocking, the addresses and URLs of which can be rapidly changed, thereby leaving a window of time between exposure to the malware and the start of the blocking of the malicious sites. At the same time, conventional protection is over-inclusive in that sites which are generally useful and which have been restored to their normal malware-free state remain blocked, thereby depriving would-be visitors of access to those sites.
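The two shortcomings described above (a site that is banned permanently after a transient compromise, and evidence of the compromise that is gone by the time an analyst looks) can be made concrete with a small simulation. The following is an added illustration written for this section, not code from the disclosure or from any product it describes: it compares a conventional permanent banned-site list with a list that re-verifies each entry and lifts the ban after a configurable number of consecutive clean re-checks, and it retains every observed snapshot so that the time window of the compromise can be reconstructed afterwards. The hostname, the page contents, the polling timeline and the marker-based scanner are all constructed placeholders; a real deployment would substitute its own content scanner.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: one legitimate page polled at seven ticks. Ticks 1 and 2
# show tampered content; the site is restored to its clean state from tick 3 on.
CLEAN_PAGE = "<html><body><h1>Daily News</h1><p>Welcome back.</p></body></html>"
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", "<!-- INJECTED-REDIRECT --></body>")
SNAPSHOTS = [CLEAN_PAGE, TAMPERED_PAGE, TAMPERED_PAGE] + [CLEAN_PAGE] * 4
SITE = "news.example"  # placeholder hostname, not a real site


def naive_scanner(content: str) -> bool:
    """Stand-in for a real content scanner: flags only the constructed marker."""
    return "INJECTED-REDIRECT" in content


@dataclass
class Observation:
    tick: int
    digest: str
    malicious: bool
    content: str  # retained so a transient compromise can be analysed later


@dataclass
class SiteRecord:
    banned: bool = False
    clean_streak: int = 0
    history: list = field(default_factory=list)


class PermanentBlocklist:
    """Conventional behaviour: once a site is banned it is never removed automatically."""

    def __init__(self, scanner=naive_scanner):
        self.scanner = scanner
        self.sites = {}

    def _record(self, site, tick, content):
        rec = self.sites.setdefault(site, SiteRecord())
        malicious = self.scanner(content)
        digest = hashlib.sha256(content.encode()).hexdigest()
        rec.history.append(Observation(tick, digest, malicious, content))
        return rec, malicious

    def observe(self, site, tick, content):
        rec, malicious = self._record(site, tick, content)
        if malicious:
            rec.banned = True
        return rec.banned


class ReverifyingBlocklist(PermanentBlocklist):
    """Same list, but a ban is lifted after N consecutive clean re-checks."""

    def __init__(self, clean_checks_to_unban=3, scanner=naive_scanner):
        super().__init__(scanner)
        self.clean_checks_to_unban = clean_checks_to_unban

    def observe(self, site, tick, content):
        rec, malicious = self._record(site, tick, content)
        if malicious:
            rec.banned = True
            rec.clean_streak = 0  # any re-compromise restarts the count
        elif rec.banned:
            rec.clean_streak += 1
            if rec.clean_streak >= self.clean_checks_to_unban:
                rec.banned = False
                rec.clean_streak = 0
        return rec.banned


def incident_windows(blocklist, site):
    """Contiguous tick ranges during which the site was observed malicious."""
    windows, start, last = [], None, None
    for obs in blocklist.sites[site].history:
        if obs.malicious:
            if start is None:
                start = obs.tick
            last = obs.tick
        elif start is not None:
            windows.append((start, last))
            start = last = None
    if start is not None:
        windows.append((start, last))
    return windows


def malicious_snapshots(blocklist, site):
    """Retained evidence: the content captured while the site was compromised."""
    return [obs.content for obs in blocklist.sites[site].history if obs.malicious]


def run_scenario(blocklist, site=SITE, snapshots=SNAPSHOTS):
    """Feed the constructed snapshots in order; return the banned state after each tick."""
    return [blocklist.observe(site, tick, page) for tick, page in enumerate(snapshots)]


if __name__ == "__main__":
    for cls in (PermanentBlocklist, ReverifyingBlocklist):
        bl = cls()
        print(cls.__name__, run_scenario(bl), incident_windows(bl, SITE))
```

With the constructed timeline the permanent list keeps the restored site banned from tick 1 onward, whereas the re-verifying list lifts the ban at tick 5 after three clean re-checks; the retained history still shows the compromise window (ticks 1 to 2) and the exact tampered content, which is what an analyst needs once the attacker has restored the site. The re-check threshold is the trade-off knob: a higher value keeps a site blocked longer after restoration, a lower one tolerates shorter gaps between repeated re-compromises before the ban is lifted.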
At least for the above reasons, a solution is needed that provides practical protection against pharming and related malware spreading techniques over a network that overcomes some of the drawbacks suffered by conventional methods currently deployed.