Electronic message analysis for malware detection

US 10,027,690 B2
Filed: 06/22/2015
Issued: 07/17/2018
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting malicious network content by a malware detection system including a hardware processor and a memory, comprising:

receiving, by the malware detection system, an electronic email message;

analyzing, by the malware detection system, the electronic email message to detect a uniform resource locator (URL) within message content of the electronic email message;

determining whether the detected URL within the message content is suspicious;

in response to a determination that the detected URL is suspicious, processing the suspicious URL detected within the message content of the electronic email message, wherein the processing of the suspicious URL comprises analyzing, within a virtual environment, one or more behaviors in response to a request for content associated with the suspicious URL; and

identifying the suspicious URL detected within the message content of the electronic email message as malicious based on results of the analyzing of the suspicious URL in the virtual environment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

Citations

43 Claims

1. A computer implemented method for detecting malicious network content by a malware detection system including a hardware processor and a memory, comprising:
- receiving, by the malware detection system, an electronic email message;
  
  analyzing, by the malware detection system, the electronic email message to detect a uniform resource locator (URL) within message content of the electronic email message;
  
  determining whether the detected URL within the message content is suspicious;
  
  in response to a determination that the detected URL is suspicious, processing the suspicious URL detected within the message content of the electronic email message, wherein the processing of the suspicious URL comprises analyzing, within a virtual environment, one or more behaviors in response to a request for content associated with the suspicious URL; and
  
  identifying the suspicious URL detected within the message content of the electronic email message as malicious based on results of the analyzing of the suspicious URL in the virtual environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the determining whether the detected URL within the message content is suspicious, processing the suspicious URL and identifying the suspicious URL detected within the message content of the electronic email message as malicious is performed by the malware detection system.
  - 3. The method of claim 1, wherein the determining whether the detected URL within the message content is suspicious, processing the suspicious URL and identifying the suspicious URL detected within the message content of the electronic email message as malicious is performed by a web malware detection system different than the malware detection system.
  - 4. The method of claim 3, further comprising:
    - configuring a virtual environment component within a virtual environment to provide a real application configured to process suspicious network content comprising web content corresponding to the suspicious URL, the virtual environment configured within the web malware detection system;
      
      processing the suspicious network content using the virtual environment component within the virtual environment; and
      
      identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
  - 5. The method of claim 4, where the suspicious network content includes a file attached to an electronic message, the virtual environment component including an application configured to process the file.
  - 6. The method of claim 1, further comprising:
    - comparing the detected URL to a first list of URLs that are either all associated with malware or all known to be not associated with malware; and
      
      identifying the detected URL as suspicious if the detected URL is not in the first list of URLs.
  - 7. The method of claim 6, further comprising:
    - transmitting one or more malicious URLs to a remote device that is configured to receive the one or more malicious URLs and consolidate stored malicious URLs; and
      
      receiving an updated list of URLs associated with the malicious URLs.
  - 8. The method of claim 6, further comprising:
    - transmitting one or more detected URLs from the malware detection system to the web malware detection system; and
      
      raising a priority associated with examining one or more of the detected URLs received from a network by the web malware detection system, the priority raised based on the received one or more detected URLs.
  - 9. The method of claim 8, further comprising:
    - dynamically adjusting a priority for processing URLs detected within an email based on a load of the web malware detection system.
  - 10. The method of claim 1, further comprising monitoring changes to the virtual environment of the malware detection system, the suspicious URL detected within the message content of the electronic email message identified as malicious based on detected improper changes to the virtual environment.
  - 11. The method of claim 1, wherein the virtual environment includes logic that simulates a computing device intended to receive the message content, processes the suspicious URL, and analyzes the one or more behaviors occurring in response to the request for the content associated with the suspicious URL.
  - 12. The method of claim 11, wherein the URL is identified as malicious if the one or more behaviors in response to the request for the content associated with the suspicious URL, being a click operation on the URL performed during processing of the suspicious URL within the virtual environment, causes an undesirable behavior to occur.
  - 13. The method of claim 12, wherein the undesirable behavior comprises an unexpected behavior that includes an attempt to change an operating system setting or a configuration setting within the virtual environment.
  - 14. The method of claim 12, wherein the undesirable behavior comprises an unexpected behavior that includes an attempt to execute an executable file within the virtual environment.
  - 15. The method of claim 1, wherein the virtual environment includes one or more virtual components, being software that collectively (i) simulates a computing device configured to process the suspicious URL and (ii) analyzes the one or more behaviors occurring in response to the request for the content associated with the suspicious URL.
  - 16. The method of claim 15, wherein the one or more behaviors comprise an unexpected behavior that includes an attempt to change an operating system setting or a configuration setting within the virtual environment.
  - 17. The method of claim 15, wherein the one or more behaviors comprise an unexpected behavior that includes an attempt to execute an executable file within the virtual environment.

18. A system for detecting malicious network content, comprising:
- an electronic message malware detection system to (i) receive an electronic email message, (ii) analyze the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message, and (iii) determine whether the detected URL within the message content is suspicious;
  
  a web malware detection system coupled with the electronic message malware detection system, the web malware detection system, in response to receipt of the suspicious URL, (i) processes the suspicious URL detected within the message content of the electronic email message, wherein processing of the suspicious URL comprises analyzing, within a virtual environment, one or more behaviors in response to a request for web content, and (ii) identifies the suspicious URL detected within the electronic email message content as malicious based on results of the analyzing of the suspicious URL detected within the electronic email message content in the virtual environment.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The system of claim 18, wherein the electronic mission malware detection system to determine whether the detected URL is suspicious by comparing the detected URL to a first list of URLs that are either all associated with malware or all known to be not associated with malware, and identifying the detected URL as suspicious if the detected URL is not in the first list of URLs.
  - 20. The system of claim 18,wherein the web malware detection system comprises a virtual environment component within the virtual environment that provides a real application configured to process suspicious network content comprising the web content corresponding to the suspicious URL, the virtual environment configured within a network content processing system;
    - andwherein the web malware detection system is further configured to process the suspicious network content using the virtual environment component within the virtual environment, and to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component.
  - 21. The system of claim 20, wherein the web malware detection system further monitors for changes to the virtual environment, the suspicious URL detected within the message content of the electronic email message is identified as malicious based on detected improper changes to the virtual environment.
  - 22. The system of claim 18, wherein the electronic message malware detection system includes a processor and a memory.
  - 23. The system of claim 18 further comprising an exchange server in communication with the electronic message malware detection system, the exchange server to transfer one or more electronic mail messages between the electronic message malware detection system and one or more client devices.
  - 24. The system of claim 18, wherein the virtual environment operating within the web malware detection system includes logic that simulates a computing device intended to receive the message content, processes the suspicious URL, and analyzes the one or more behaviors occurring in response to the request for the content associated with the suspicious URL.
  - 25. The system of claim 24, wherein the URL is identified as malicious if the one or more behaviors in response to the request for the content associated with the suspicious URL, being a click operation on the URL performed during processing of the suspicious URL within the virtual environment, causes an undesirable behavior to occur.
  - 26. The system of claim 25, wherein the undesirable behavior comprises (i) an unexpected behavior that includes an attempt to change an operating system setting or a configuration setting within the virtual environment or (ii) an unexpected behavior that includes an attempt to execute an executable file within the virtual environment.
  - 27. The system of claim 18, wherein the virtual environment includes one or more virtual components, being software that collectively (i) simulates a computing device configured to process the suspicious URL and (ii) analyzes the one or more behaviors occurring in response to the request for the web content.
  - 28. The system of claim 27, wherein the one or more behaviors comprise an unexpected behavior that includes either (i) an attempt to change an operating system setting or a configuration setting within the virtual environment, or (ii) an attempt to execute an executable file within the virtual environment.

29. A malware detection system comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprises software that, when executed by the processor, performs operations that comprise;
  
  analyzing content within an electronic message to detect a uniform resource locator (URL) within the content of the electronic message,determining whether the detected URL is suspicious,in response to determining that the detected URL is suspicious, analyzing, within a virtual environment, content received in response to a request initiated during processing of the suspicious URL, andidentifying the suspicious URL detected within the message content of the electronic email message as malicious based on one or more undesirable behaviors being detected within the virtual environment upon the request being initiated during processing of the URL.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 30. The malware detection system of claim 29, wherein the request includes a simulated selection of the URL.
  - 31. The malware detection system of claim 29, wherein the one or more undesirable behaviors being detected within the virtual environment includes an attempt to change an operating system setting or configuration.
  - 32. The malware detection system of claim 29, wherein the one or more undesirable behaviors being detected within the virtual environment includes an unauthorized attempt to execute a file.
  - 33. The malware detection system of claim 29, wherein the one or more undesirable behaviors being detected within the virtual environment includes an unauthorized attempt to install a file.
  - 34. The malware detection system of claim 29, wherein the determining whether the detected URL is suspicious comprisescomparing the detected URL to a first list of URLs that are either all associated with malware or all known to be not associated with malware;
    - andidentifying the detected URL as suspicious if the detected URL address is not in the first list of URLs.
  - 35. The malware detection system of claim 34, wherein the memory further includes software that, when processed by the processor, further performs operations comprising transmitting one or more malicious URLs to a remote device that is configured to receive the one or more malicious URLs, consolidating all malicious URLs including the one or more malicious URLs, and receiving an updated list of URLs associated with the malicious URLs.
  - 36. The malware detection system of claim 29, wherein the virtual environment includes logic that simulates a computing device intended to receive the message content, processes the suspicious URL, and analyzes the content received in response to the request initiated during processing of the suspicious URL.
  - 37. The malware detection system of claim 36, wherein the suspicious URL is identified as malicious if one or more behaviors included as at least part of the content in response to the request causes an undesirable behavior to occur.
  - 38. The malware detection system of claim 37, wherein the undesirable behavior comprises an unexpected behavior that includes an attempt to change an operating system setting or a configuration setting within the virtual environment.
  - 39. The malware detection system of claim 37, wherein the undesirable behavior comprises an unexpected behavior that includes an attempt to execute an executable file within the virtual environment.
  - 40. The malware detection system of claim 29, wherein the virtual environment includes one or more virtual components, being software that collectively (i) simulates a computing device configured to process the suspicious URL and (ii) analyzes the content received in response to the request initiated during processing of the suspicious URL.
  - 41. The malware detection system of claim 40, wherein the content received in response to the request includes information associated with one or more behaviors being monitored.
  - 42. The malware detection system of claim 41, wherein a behavior of the one or more behaviors includes an attempt to change an operating system setting or a configuration setting within the virtual environment.
  - 43. The malware detection system of claim 41, wherein a behavior of the one or more behaviors includes an attempt to execute an executable file within the virtual environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Uyeno, Henry, Manni, Jay, Sukhera, Amin, Staniford, Stuart
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US14/745,903
Publication Number

US 20160127393A1
Time in Patent Office

1,121 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Electronic message analysis for malware detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic message analysis for malware detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links