Technical Field
Embodiments described herein generally relate to detecting and/or neutralizing malicious code or other security threats on computer systems.
Description of Related Art
Modern cyber attackers employ a variety of attack patterns, ultimately aimed at running the attacker's code on the target machine without being noticed. The traditional attack pattern requires an executable file that arrives at the target machine through email, through a download from a website, from a neighboring local host, or from some sort of removable media. When the malicious file gets executed, it spawns a full-fledged process of its own. Subsequently, the malicious process may inject some form of code into the memory-space of another running process.
Newer attack patterns are based on vulnerabilities found in various useful programs, such as ADOBE® ACROBAT®. In the case of ADOBE® ACROBAT®, the malicious code (or “payload”) is embedded within a portable data file (PDF) document. The PDF document also contains a chunk of malformed data, designed to exploit the given vulnerability. This chunk is crafted to cause some kind of overflow or similar exception when the file is being read by the vulnerable program. When the program or the operating system seeks to recover, it returns, instead, to a tiny piece of machine code (or primary shellcode) supplied by the malformed data chunk. This primary shellcode takes control of the running program (i.e., the process), completing the so-called “exploit” of the given vulnerability. Subsequently, the primary shellcode loads whatever payload (special-purpose malicious code) is available, into the context of the running process.
In a so-called ‘remote’ attack, the vulnerable program is associated with some network port, either as a server or as a client. The exploit happens when the vulnerable program tries to process a chunk of malformed input, essentially in the same manner as described above. In this case, when the primary shellcode takes control of the running process, it may choose to download secondary shellcode or payload from the network. In both the local and the remote vulnerability-based attacks, the malicious code running within the originally breached process may proceed by injecting code into the running processes of other programs.
Traditional malware-detection tools, such as signature-based antivirus products, are ineffective against such attacks because the attacks take place in memory, leaving no malicious file on disk from which a signature could be derived. Conventional runtime activity monitoring, based on the behavioral patterns of such attacks, also fails to defend against them because the attacks morph and change their behavior, making it difficult to define strict rules that identify malicious behavior. Accordingly, conventional runtime activity monitoring has some major drawbacks, including: (a) it may miss a new, unknown pattern; (b) detection may occur too late for the monitoring program to take an effective preventive action; and (c) the required computational resources may degrade the system's performance. In general, these tools rely on some prior knowledge of an attack pattern or a vulnerability, and will miss so-called “zero-day” attacks (new forms of attack that exploit unknown vulnerabilities in the target software), whether the attack is remote or local.
Protective techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) are used in modern computerized systems to prevent malicious-code attacks. However, recent sophisticated attacks, such as attacks that are able to deduce the location of desired functionality based on relative addressing, have demonstrated the limitations of ASLR and DEP.