Abstract: A malware detection system that determines whether an executable code module is malware according to behaviors exhibited while executing is presented. The malware detection system determines the type of code module and executes the code module in a behavior evaluation module for evaluating code corresponding to the code module's type. Some behaviors exhibited by the code module, while executing in the behavior evaluation module, are recorded as the code module's behavior signature. After the code module has completed its execution, the code module's behavior signature is compared against known malware behavior signatures stored in a malware behavior signature store. A determination as to whether the code module is malware is based on the results of the comparison.

Abstract: A system and method for gathering exhibited behaviors of a .NET executable module in a secure manner is presented. In operation, a .NET behavior evaluation module presents a virtual .NET environment to a Microsoft Corporation .NET code module. The .NET behavior evaluation module implements a sufficient number of aspects of an actual Microsoft Corporation .NET environment that a .NET code module can execute. As the .NET code module executes, the .NET behavior evaluation module records some of the exhibited behaviors, i.e., .NET system supplied libraries/subroutines, that are associated with known malware. The recorded behaviors are placed in a behavior signature for an external determination as to whether the .NET code module is malware, i.e., an unwanted computer attack.

Abstract: A system and method for determining whether a packed executable is malware is presented. In operation, a malware evaluator intercepts incoming data directed to a computer. The malware evaluator evaluates the incoming data to determine whether the incoming data is a packed executable. If the incoming data is a packed executable, the malware evaluator passes the packed executable to an unpacking module. The unpacking module includes a set of unpacker modules for unpacking a packed executable of a particular type. The unpacking module selects an unpacker module according to the type of the packed executable, and executes the selected unpacker module. Executing the unpacker module generates an unpacked executable corresponding to the packed executable. The unpacked executable is returned to the malware evaluator where it is evaluated to determine whether the packed executable is malware.