As more and more computers and other computing devices are interconnected through various networks such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
When a computing device is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computing device; or causing the computing device to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computing device is used to infect other systems.
A traditional defense against computer malware, and particularly computer viruses and worms, is antivirus software. Generally described, antivirus software scans information, looking for identifiable patterns associated with known computer malware. Also, increasingly, antivirus software utilizes heuristic techniques that compare detectable behaviors with characteristics of malware. Upon detecting a computer malware, the antivirus software may respond by removing the computer malware from the infected information, quarantining the information, or deleting the infected information.
Most antivirus software identifies malware by matching patterns within the information to what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when information is going to be written to or read from an input/output (“I/O”) device. As known to those skilled in the art and others, computer users have ongoing needs to read and write information to I/O devices, such as hard drives, floppy disks, compact disks (“CDs”), etc. For example, a common operation provided by most software applications is to open a file stored on a hard drive and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software applications typically perform a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software application that performed the scan may prevent the malware from being executed—for example, by causing the open operation to fail.
Unfortunately, as antivirus software has become more sophisticated and efficient at recognizing thousands of known computer malware, so, too, has the computer malware become more sophisticated. As a result, existing antivirus software suffers from several inadequacies, including, but not limited to, (1) known malware is able to avoid being detected by antivirus software using methods that conceal the malware, either by hiding the true nature of the malware or by gaining access to the computing device at an entry point that is not monitored by antivirus software; (2) antivirus software may be slow as all incoming and outgoing information may be scanned at connections such as network ports, even though some of the information may not be capable of causing harm to a computing device; and (3) development of malware detection techniques for handling previously unknown malware is difficult and costly.
As mentioned previously, some known malware is able to avoid being detected by antivirus software using methods that conceal the malware, either by hiding the true nature of the malware or by gaining access to the computing device at an entry point that is not monitored by antivirus software. For example, malicious computer users (e.g., hackers, crackers, etc.) recognize that antivirus software scans for malware when a user schedules information to be written or read from an I/O device such as a hard drive. As a result, some malicious computer users now encrypt malware or perform other actions to obscure the malware signature behind random patterns. For example, when a user schedules infected information to be executed, the encrypted malware is loaded into computer memory. A component of the malware, sometimes referred to as a decryption routine, gains control of the computing device and decrypts the previously encrypted program code that implements the malicious functionality of the malware (sometimes referred to as a “payload”). Only when the payload is decrypted is a malware signature recognizable. In this example, the malicious functionality of the malware is hidden when the malware is located on an I/O device such as a disk. Moreover, the malicious functionality of the malware is only detectable when the malware is loaded in memory and decrypted by the decryption routine. Since existing antivirus software does not scan for malware when information is modified in memory, the malware may not be detected by these existing systems. As known to those skilled in the art and others, this is just one example in which malware is able to circumvent the protections provided by antivirus software.
In other instances, the malware is configured to be directly loaded in memory, thereby bypassing entry points that are monitored by existing antivirus software. For example, some malware avoids being stored on an I/O device and therefore avoids being scanned by antivirus software by exploiting a vulnerability in a benevolent application program that is already loaded in memory. More specifically, a vulnerability in the benevolent application program is exploited and the area of memory allocated to the program is modified or otherwise corrupted by the malware. Then the malware may be directly executed from the memory allocated to the program without being written to an I/O device. As a result, information that was identified as being safe to execute when initially loaded into memory may subsequently be modified with malicious program code. When a computer malware gains access to a computing device using this type of attack, the potential damage to the computing device is significant as the benevolent application “hijacked” by the malware may be a highly trusted application running with system and/or administrator privileges. As a result, the malware may inherit the same trust level of the benevolent application.
Unfortunately, as mentioned above, existing antivirus software scans all incoming and outgoing information from a computing device for malware. As a result, the antivirus software is inefficient and resource intensive as all of the information that is transmitted over a communication system such as a network port is scanned, even though some of the information may not be capable of implementing the malicious acts of malware. In this instance, the antivirus software does not take advantage of resources provided by a computing device for distinguishing between information that may or may not be executed.
Development of malware detection techniques for handling previously unknown malware is difficult and costly. One possible method of protecting a computing device from unknown malware is to develop a set of heuristics that measures the degree to which data is “suspicious” or maintains attributes that are characteristic of malware. However, developing a set of heuristics based on existing technology in which information is scanned for malware at the entry points of a computing device is inefficient. For example, there are many possible ways for malware to gain access to a computing device. Unfortunately, a different set of heuristics may be needed at each entry point to detect malware. However, there are fewer ways to perform malicious acts after malware has been converted into program code that may be executed by the computing device. As a result, antivirus software would be more efficient and accurate in detecting previously unknown malware using heuristic techniques that scan program code in memory before the information is executed.
One possible method of protecting a computing device from the exemplary malware exploits described above is to make executable program code “read-only” once loaded in memory. In this instance, the program code would not be susceptible to modification from malware. However, this method is not feasible as legitimate application programs (e.g., virtual machine emulators and the like) have legitimate reasons for causing self-modifying program code to be loaded into memory. Thus, making executable program code read-only would unduly restrict application programs.
What is needed is a system that searches memory, including program code that is modified in memory as a result of program execution, for information and/or behaviors that are characteristic of malware before the malware is capable of being executed. Furthermore, what is needed is a system that monitors changes made to program code loaded in memory and validates the trustworthiness of those changes. Any system that addresses the above-described problems in the prior art should not prevent normal access to information in memory. Also, any such system should not require performing a scan every time the memory is accessed so that a computing device may maintain a reasonable performance level.