DETECTION OF MALICIOUS COMPUTER CODE
TECHNICAL FIELD
This invention relates generally to improving the performance of malicious computer code detection methods, and more particularly to preemptively determining which computer files are free of malicious code.
BACKGROUND ART
During the brief history of computers, system administrators and users have been plagued by attacking agents such as viruses, worms, and Trojan Horses, which may be designed to disable host computer systems and propagate themselves to connected systems.
In recent years, two developments have increased the threat posed by these attacking agents. Firstly, increased dependence on computers to perform mission critical business tasks has increased the economic cost associated with system downtime. Secondly, increased interconnectivity among computers has made it possible for attacking agents to spread to a large number of systems in a matter of hours.
Attacking agents can infect a system by replacing the executable code stored in existing files. When the system attempts to execute the code stored in these files, it instead executes malicious code inserted by the attacking agent, allowing the attacking agent to gain control of the system. Virus scanning utilities, such as Norton Antivirus, produced by Symantec Corporation of Cupertino, Calif., allow a user to determine whether a file containing executable code has been infected with malicious code.
Traditionally, these utilities have been able to detect viruses by checking for suspicious sections of code in designated locations or looking for other easily detectable characteristics. These methods can be performed quickly, with little burden to system resources.
However, as attacking agents have become more sophisticated, scanning utilities have needed to perform even more complicated tests to detect the presence of malicious code. For example, special purpose code may have to examine large portions of a file or perform complicated emulation techniques to detect the presence of viruses.
These techniques must often be performed serially, and are extremely time and resource intensive. Optimizing these routines sufficiently to prevent them from becoming prohibitively time consuming when applied to a large number of files is becoming extremely difficult as attacking agents grow in number and complexity. What is needed is a way to improve the speed and reliability of detection techniques.
DISCLOSURE OF INVENTION
The present invention comprises methods, systems, and computer readable media for determining whether a computer file (210) has been infected with malicious code by an attacking agent. A scanning engine (205) determines whether executable files (210) contain malicious code. The scanning engine (205) includes detection modules (325) for detecting particular attacking agents and indicators of when particular attacking agents were first created. The scanning engine (205) determines when the file (210) was last changed by referring to a change log (225) or an inoculation database (215). The scanning engine (205) determines a critical date, the critical date indicating a date when the file is believed to have been free of infection by the attacking agent. The critical date may be a date when the file (210) was last scanned for the presence of an attacking agent or the creation date of the attacking agent. If the scanning engine (205) determines that the date when the file (210) was last changed is earlier than the critical date, the scanning engine (205) determines that the file (210) has not been infected by the attacking agent.
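The critical-date test described above, as an added worked example in Python that is not part of the patent: the module and record layouts, the per-agent scan log, the choice of the later of the two candidate dates as the critical date, and the toy byte-signature detectors are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class DetectionModule:
    # One detection module (325): the agent it detects, when that agent
    # first appeared, and the expensive detection routine itself.
    agent_name: str
    agent_created: date
    detect: Callable[[bytes], bool]

@dataclass
class FileRecord:
    # What the change log (225) records about a file (210); the date comes
    # from that trusted log, not from the file's own self-reported timestamp.
    path: str
    last_changed: date
    contents: bytes

def critical_date(module: DetectionModule, last_scanned: Optional[date]) -> date:
    # Latest date the file is believed free of this agent: the later of the
    # agent's creation date and the per-agent scan date (assumed choice).
    if last_scanned is None or module.agent_created > last_scanned:
        return module.agent_created
    return last_scanned

def needs_scan(record: FileRecord, module: DetectionModule, last_scanned: Optional[date]) -> bool:
    # A file changed strictly before the critical date cannot carry this agent.
    return not record.last_changed < critical_date(module, last_scanned)

def scan_file(record: FileRecord, modules: List[DetectionModule],
              scan_log: Dict[Tuple[str, str], date], today: date) -> Dict[str, str]:
    # scan_log maps (path, agent) to its last scan date. Run only the modules the
    # critical-date test cannot rule out, recording each completed scan for next time.
    verdicts: Dict[str, str] = {}
    for m in modules:
        key = (record.path, m.agent_name)
        if not needs_scan(record, m, scan_log.get(key)):
            verdicts[m.agent_name] = "skipped"
            continue
        verdicts[m.agent_name] = "infected" if m.detect(record.contents) else "clean"
        scan_log[key] = today
    return verdicts

# Constructed sample modules: two hypothetical agents with toy byte signatures.
MODULES = [
    DetectionModule("AgentA", date(2002, 3, 1), lambda b: b"AGENT-A" in b),
    DetectionModule("AgentB", date(2001, 1, 1), lambda b: b"AGENT-B" in b),
]
```

A file last changed before an agent existed is never handed to that agent's module, and a file scanned after its last change is not rescanned for the same agent.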
BRIEF DESCRIPTION OF THE DRAWINGS
These and other more detailed and specific objects and features of the present invention are more fully disclosed in the following specification, reference being had to the accompanying drawings, in which:
FIG. 1 is a high level block diagram illustrating a computer system 100.
FIG. 2 is a block diagram illustrating a closer view of the memory 106 and the storage 108 of the computer system 100 of FIG. 1.
FIG. 3 is a block diagram illustrating a closer view of a scanning engine 205.
FIG. 4 is a block diagram illustrating a closer view of a complex detection module 325.
FIG. 5 is a flow chart illustrating a method for detecting malicious code in a file in accordance with one embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention provides for determining whether a computer file 210 contains malicious code by determining whether the file 210 has been changed since a critical date when the file is believed to have been free of infection by the attacking agent, such as a creation date for an attacking agent or a date on which the file 210 was scanned for infection by the attacking agent.
As used herein, the term "malicious code" refers to any program, module, or piece of code that is loaded onto a system without the user's knowledge and/or against the user's wishes. The term "attacking agent" refers to a program which inserts malicious code into a file 210 and includes Trojan Horse programs, worms, viruses, and other such insidious software. An attacking agent may include the ability to replicate itself and compromise other computer systems. As used herein, the terms "infected" and "infect" refer to the process of inserting malicious code in a file.
FIG. 1 is a high level diagram illustrating a computer system 100. Illustrated are a processor 102 coupled to a bus 104. There may be more than one processor 102. Also coupled to the bus 104 are a memory 106, a storage device 108, a keyboard 110, a graphics adapter 112, a pointing device 114, and a network adapter 116. A display 118 is coupled to the graphics adapter 112.
The storage device 108 may be any device capable of holding large amounts of data, such as a hard drive, compact disk read-only memory (CD-ROM), DVD, or some other form of fixed or removable storage device.
The memory 106 holds instructions and data used by the processor 102. The pointing device 114 may be a mouse, touch-sensitive display, or other type of pointing device and is used in combination with the keyboard 110 to input data into the computer system 100. The types of hardware and software within the computer system 100 may vary.
FIG. 2 is a block diagram illustrating a closer view of the memory 106 and the storage 108 of the computer system 100 of FIG. 1. The memory 106 includes a scanning engine 205 that detects the presence of malicious code in the computer