Malware is a term used to describe malicious software. Malware consists of any malicious software used to disrupt computer operation, gather information unlawfully and/or gain access to private computers and computer systems. Malware is created intentionally to cause disruption and/or harm to computers, systems and their users. Examples of malware include: computer viruses, worms, Trojan horses and spyware.
Malware has become prevalent in modern times with the rise of the Internet. The Internet provides a tool for hackers and individuals to distribute malware to computers and computer systems. Unsuspecting computer users may fall victim to malware and its unfavourable effects. For example, malware present on a user's computer may cause sensitive information stored on that computer to be accessed by a third party and/or all or some of the functions of the computer to be restricted or damaged. Typically, hackers create malware so that they or others can attack and disrupt computer users and steal personal, financial or business information.
A computer virus is a malware program or piece of computer code. Once present on a computer and executed, viruses typically replicate themselves in other computer programs on the computer. Areas of a computer's memory occupied by a computer virus or malware are said to be ‘infected’.
The term malicious content as used herein covers any software that constitutes malware. For the sake of brevity, malware shall also be used herein to describe “badware”: any software that arises by accident and is detrimental to a computer. An example of badware is a bug in a software application.
At present, two main categories of malware protection are available to protect computers from malicious content. The first category of protection is known as “reactive” protection. The second category of protection is known as “proactive” protection.
Reactive anti-malware applications are based on databases of known malware. Typically, a reactive anti-malware application will scan a computer for any malware that is present in a database of known malware. If a piece of known malware is identified on the computer or a signature of malware is detected, these can be isolated and dealt with by the application accordingly.
Reactive anti-malware applications are primarily based only on malware that is known to exist. Therefore, they offer little or no protection against malware that has yet to be discovered. In contrast, proactive anti-malware applications can analyse content for the presence of malware. Such applications may scan computer content for known virus signatures and perform “behavioural analysis” to analyse computer content for the presence of malware. Any computer content that appears suspicious may be flagged so it can be scanned and analysed in greater detail before appropriate action is taken by the anti-malware application.
A gateway security application may be put in place to scan content for malware before allowing it to be delivered to its intended destination. Such a gateway security application may be implemented on a security computer, which may act as an intermediary between a client computer, the internet or any third parties that deliver content to the client computer. In other words, the gateway computer may shield content before it is delivered to its intended destination. Gateway security applications typically utilise reactive methodologies in detecting and protecting against malware; however, certain systems including a gateway computer may utilise proactive methodologies.
Reactive and proactive anti-malware applications may be used in combination to combat malware. However, dynamically generated viruses pose a new threat in the field of malicious content. Dynamically generated viruses are a type of malware that is created only at runtime. Dynamically generated viruses are difficult to detect early on using the conventional methods described above. Dynamically generated viruses pose a particular problem in implementing gateway-level malware protection, as gateway security applications will typically only scan content before it is executed on a client computer. Further, gateway-level malware protection may only use reactive protection methodologies.
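As an added illustration (not part of the original text), the following sketch shows the gap just described: a reactive scan of content as delivered finds nothing when the matching bytes only exist after the content has run. The harmless marker, the emit() mini-language, the sample pages and all function names are constructed assumptions.

```python
import hashlib
import re

# Constructed, harmless marker standing in for a known-malware byte signature.
SIGNATURES = {"demo-marker": b"XX-CONSTRUCTED-TEST-MARKER-XX"}
# Constructed reactive database of digests of known-bad files.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"known bad sample (constructed)").hexdigest()}

def reactive_scan(content: bytes) -> list[str]:
    """Match content against the database of known hashes and signatures."""
    hits = []
    if hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash-match")
    hits += [name for name, sig in SIGNATURES.items() if sig in content]
    return hits

# Toy stand-in for runtime behaviour (assumption): content builds its
# output from emit("...") calls, which only take effect when it executes.
EMIT = re.compile(rb'emit\("([^"]*)"\)')

def render(content: bytes) -> bytes:
    """Simulate execution by concatenating what the emit() calls write."""
    return b"".join(EMIT.findall(content))

def gateway_verdict(content: bytes) -> dict:
    """Compare a pre-execution scan with a scan of the generated output."""
    static_hits = reactive_scan(content)
    runtime_hits = reactive_scan(render(content))
    return {
        "static": static_hits,
        "runtime": runtime_hits,
        # True when only the generated content matches the database.
        "missed_before_execution": bool(runtime_hits) and not static_hits,
    }

# Constructed sample inputs.
STATIC_PAGE = b"<p>XX-CONSTRUCTED-TEST-MARKER-XX</p>"
DYNAMIC_PAGE = b'emit("XX-CONSTRUCTED-")emit("TEST-MARKER-XX")'
CLEAN_PAGE = b'emit("hello ")emit("world")'

if __name__ == "__main__":
    for name, page in [("static", STATIC_PAGE), ("dynamic", DYNAMIC_PAGE),
                       ("clean", CLEAN_PAGE)]:
        print(name, gateway_verdict(page))
```
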
Proactive anti-malware applications may run directly on a client computer to protect it from dynamically generated malicious content. However, such applications have the potential to become widely available to the creators of malware and may be susceptible to reverse-engineering. Further, proactive anti-malware applications running directly on a client system will have to be installed on that system. Installation of an anti-malware application on a client system may take up valuable computational resources. There is no guarantee that anti-malware applications present on a client computer will be able to provide comprehensive protection against dynamically generated malicious content.
There is a need for a new form of anti-malware application which does not operate on the computer being protected or shielded, but which can capture any content that may enable dynamically generated malicious content to be generated on the computer.
U.S. Pat. No. 6,272,641 and U.S. Pat. No. 5,983,348 describe network scanners for security checking of application programs. Both documents disclose a network scanner for security checking of application programs (e.g. Java applets or ActiveX controls) received over the Internet or an Intranet that has both static (pre-run time) and dynamic (run time) scanning.
U.S. Pat. No. 8,141,154 concerns systems and methods for protecting computers against dynamically generated malicious code. A system for protecting a computer from dynamically generated malicious executable code is disclosed in the document. Three major components of the system are a gateway computer, a client computer and a security computer.