Systems and methods for malware detection and scanning

US 10,021,129 B2
Filed: 05/11/2016
Issued: 07/10/2018
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method operating in a computing system for malware scanning and detection, the method comprising:

launching, in a computing device of the computing system, a controller virtual machine;

launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;

selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;

transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;

requesting, the subset of the plurality of HPVMs, data from one or more web pages; and

performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes;

performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the one or more web pages,performing antivirus scanning of the software objects,de-obfuscating JavaScript associated with the software objects, andcorrelating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.

29 Citations

23 Claims

1. A computer-implemented method operating in a computing system for malware scanning and detection, the method comprising:
- launching, in a computing device of the computing system, a controller virtual machine;
  
  launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;
  
  selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;
  
  transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;
  
  requesting, the subset of the plurality of HPVMs, data from one or more web pages; and
  
  performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes;
  
  performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the one or more web pages,performing antivirus scanning of the software objects,de-obfuscating JavaScript associated with the software objects, andcorrelating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein the one or more web pages is concurrently requested via the subset of the plurality of HPVMs.
  - 3. The computer-implemented method of claim 1, wherein performing analysis on the one or more web pages further includes processing packet capture (pcap) files.
  - 4. The computer-implemented method of claim 1, wherein performing analysis on the one or more web pages further includes emulating a document object model (DOM) tree corresponding to the software objects.
  - 5. The computer-implemented method of claim 1, wherein performing analysis on the one or more web pages further includes comparing at least one of uniform resource identifier (URI) data, universal resource locator (URL) data, or uniform resource number (URN) data associated with the one or more web pages against one or more lists.
  - 6. The computer-implemented method of claim 1, wherein performing analysis on the one or more web pages further includes reviewing raw network traffic between two systems to identify potential malware.
  - 7. The computer-implemented method of claim 6, wherein the potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 8. The computer-implemented method of claim 1, wherein performing analysis on the one or more web pages further includes matching a pattern of the one or more web pages with one or more other patterns known to be indicative of malware.
  - 9. The computer-implemented method of claim 1, further comprising, identifying, via the plurality of HPVMs, that the one or more web pages are associated with a malicious campaign that spans multiple web pages across multiple domains.
  - 10. The computer-implemented method of claim 1, wherein a first HPVM included in the plurality of HPVMs operates with at least one of an internet browser and an operating system that is known to be vulnerable.
  - 11. The computer-implemented method of claim 1, wherein the rate-limiting criteria specifies a maximum number of HPVMs that can concurrently access the one or more web pages.

12. A computing system for malware scanning and detection, the system comprising:
- a memory that includes a software component; and
  
  a processor that is coupled to the memory and, when executing the software component, is configured to;
  
  launch, in a computing device of the computing system, a controller virtual machine;
  
  launch, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;
  
  select, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;
  
  transmit, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;
  
  request, the subset of the plurality of HPVMs, data from one or more web pages; and
  
  perform analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes;
  
  performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the one or more web pages,performing antivirus scanning of the software objects,de-obfuscating JavaScript associated with the software objects, andcorrelating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computing system of claim 12, wherein performing analysis on the one or more web pages further includes processing packet capture (pcap) files.
  - 14. The computing system of claim 12, wherein performing analysis on the one or more web pages further includes emulating a document object model (DOM) tree corresponding to the software objects.
  - 15. The computing system of claim 12, wherein performing analysis on the one or more web pages further includes comparing at least one of uniform resource identifier (URI) data, universal resource locator (URL) data, or uniform resource number (URN) data associated with the one or more web pages against one or more lists.
  - 16. The computing system of claim 12, wherein performing analysis on the one or more web pages further includes reviewing raw network traffic between two systems to identify potential malware.
  - 17. The computing system of claim 16, wherein the potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 18. The computing system of claim 12, wherein performing analysis on the one or more web pages further includes matching a pattern of the one or more web pages with one or more other patterns known to be indicative of malware.

19. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to scan and detect malware, by performing the steps of:
- launching, in a computing device of the computing system, a controller virtual machine;
  
  launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;
  
  selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;
  
  transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;
  
  requesting, the subset of the plurality of HPVMs, data from one or more web pages; and
  
  performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes;
  
  performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects,de-obfuscating JavaScript associated with the software objects, andcorrelating data associated with the performed analysis to determine if the web page is a malicious web page.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein performing analysis on the web page further includes processing packet capture (pcap) files.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein performing analysis on the web page further includes emulating a document object model (DOM) tree corresponding to the software objects.
  - 22. The non-transitory computer-readable storage medium of claim 19, wherein performing analysis on the web page further includes comparing at least one of uniform resource identifier (URI) data, universal resource locator (URL) data, or uniform resource number (URN) data associated with the one or more web pages against one or more lists.
  - 23. The non-transitory computer-readable storage medium of claim 19, wherein performing analysis on the one or more web pages further includes reviewing raw network traffic between two systems to identify potential malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Thomas, Ralph, Lapilla, Michael, Tonn, Trevor, Sinclair, Gregory, Hartstein, Blake, Cote, Matthew
Primary Examiner(s)
Tran, Tri

Application Number

US15/151,855
Publication Number

US 20160337380A1
Time in Patent Office

790 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Systems and methods for malware detection and scanning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware detection and scanning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links