As more and more computing devices such as personal computers, personal digital assistants, cellular telephones, etc., are interconnected through various networks, such as the Internet, computing device security has become increasingly more important. In particular, security against computing device external attacks from malware has become increasingly more important. Malware, for purposes of the present discussion, is defined as a software source of an unwanted computer attack. As such, those skilled in the art will appreciate that malware includes, but is not limited to, computer viruses, Trojan horses, worms, denial of service attacks, abuse/misuse of legitimate computer system functions, and the like. The primary defense against malware is anti-virus software.
Anti-virus software scans computing device data looking for malware. The computing device data may be incoming data, or data stored in the computing device, or a hard drive, for example. Previously developed anti-virus software scans the data for identifiable patterns associated with known malware. Thus, unfortunately, current anti-virus software identifies only known malware. New, unknown malware is not detected by current anti-virus software. Consequently, current anti-virus software is considered to be reactionary, operating on malware after it has been released and identified.
The typical manner in which current anti-virus software operates to protect computing devices from new malware is as follows. First, unknown malware is usually released via network messages, infecting unprotected computing devices. Infected computing devices include computers that have anti-virus software, but not up-to-date anti-virus software because the malware is unknown. Upon detecting that unknown malware has been released, an anti-virus software provider examines/analyzes the unknown malware in order to identify at least one recognizable pattern by which the malware can be detected in transit. Once a pattern is identified, the anti-virus software provider creates and publishes an update for its anti-virus software. This update uses the identified pattern to enable anti-virus software installations to recognize the now-identified malware as it arrives. However, this update only protects a computing device after the computing device has received and installed the updated anti-virus software. Unfortunately, the period of time that it takes to update a particular computing device may range anywhere from a matter of minutes to several days depending on individual circumstances.
As already mentioned, the current anti-virus software protection paradigm is a reactionary system; i.e., the anti-virus software is updated to protect a computer from malware only after the malware is released. Unfortunately, this means that at least some computers will be infected before anti-virus software is updated. Furthermore, the anti-virus update cycle is an extremely costly process for anti-virus providers, and ultimately for the consumers that purchase anti-virus software.
A substantial portion if not almost all unknown malware that exploits computer vulnerabilities are rewrites of previously released malware. Indeed, encountering absolutely novel malware is relatively rare. However, due to the pattern matching system employed by current anti-virus systems, it is not difficult to rehash/rewrite known malware such that the malware will get past the protection provided by anti-virus software. For example, malware code is readily accessible and it is a simple task to change variable names, reorder lines of code, or slightly modify the behavior of the malware such that the rewritten malware will not be recognized by anti-virus software. In order to provide an update, anti-virus software providers must locate an identifying pattern in the rewritten malware and create an update for the anti-virus software even though the malware has previously been dealt with.
Certain malware specifically targets operating systems that make Application Programming Interface (API) calls, such as the Microsoft™ 32-bit operating systems (hereinafter “Win 32 operating systems”). APIs form a layer of software that defines a set of services offered by an operating system to an executable. An executable written for Win 32 APIs, for example, will run on all Win 32 operating systems. These systems are often targets of malware designers because their popularity offers a better opportunity for widespread dissemination of malware. For example, macro viruses specifically target Win 32 operating systems by embedding themselves in files created with applications that support macro languages. Applications that support macro languages available to run on the Win 32 operating systems include Microsoft Word™ and Microsoft Excel™.
In light of the above-identified problems, it would be beneficial to computer users, both in terms of computer security and in terms of cost-effectiveness, to have anti-virus software that proactively protects a computer against rewritten, or reorganized, malware designed for operating systems that make API calls. The present invention is directed to providing such software.