System and method for detecting time-bomb malware

US 10,083,302 B1
Filed: 12/29/2016
Issued: 09/25/2018
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more counters;

comparison logic; and

one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured, using a virtual machine (VM) image selected based on metadata associated with received content, to instantiate one or more virtual machines for analysis of the received-content, the one or more virtual machines being configured to utilize the one or more counters to monitor a delay caused by one or more events conducted during processing of the received content and utilize the comparison logic to identify the received content as including malware if the delay exceeds a first time period.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

Citations

20 Claims

1. A system comprising:
- one or more counters;
  
  comparison logic; and
  
  one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured, using a virtual machine (VM) image selected based on metadata associated with received content, to instantiate one or more virtual machines for analysis of the received-content, the one or more virtual machines being configured to utilize the one or more counters to monitor a delay caused by one or more events conducted during processing of the received content and utilize the comparison logic to identify the received content as including malware if the delay exceeds a first time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the one or more virtual machines being configured to utilize the one or more counters in monitoring time intervals for Sleep request messages initiated during processing of the received content and identifying the received content as including malware if, based on a determination by the comparison logic, a combined delay for the Sleep request messages exceeds the first time period.
  - 3. The system of claim 1, wherein the one or more virtual machines being configured to utilize the one or more counters in monitoring time intervals for Sleep request messages initiated during processing of the received content and identifying the received content as including malware if, based on a determination by the comparison logic, one of the time intervals exceeds the first time period.
  - 4. The system of claim 1, wherein the one or more virtual machines being configured to further monitor the one or more events being a number of function calls initiated during processing of the received content and identifying the received content as including malware if the number of function calls exceeds a threshold value.
  - 5. The system of claim 1, wherein the one or more virtual machines being configured to further monitor the one or more events by determining if, during processing of the received content, an instruction pointer is repeatedly directed to a specific address or address range and identifying the received content as including malware if the instruction pointer is repeatedly directed to the specific address or address range.
  - 6. The system of claim 1, wherein the first time period has a duration that is dynamically set.
  - 7. The system of claim 1, wherein the one or more virtual machines being configured to maintain and monitor values of time intervals for Sleep calls per call site, initiated during processing of the received content and identifying the received content as including malware if, based on a determination by the comparison logic, one of the time intervals exceeds a predetermined time period.
  - 8. The system of claim 1, wherein the one or more virtual machines being configured to maintain and monitor values of the one or more counters being call counters for certain functions per call site, initiated during processing of the received content, and identifying the received content as including malware if, based on a determination by the comparison logic, one of the call counters exceeds the a predetermined count threshold.
  - 9. The system of claim 1 further comprising a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the received content as including malware if a higher count is associated with a call site residing in the received content under analysis.
  - 10. The system of claim 1 further comprising a heuristic engine being configured to identify delay hotspots and identifying the received content as including malware if one of a plurality of time intervals associated with the delay exceeds a predetermined time period.
  - 11. The system of claim 1, wherein the comparison logic includes one or more comparators.

12. A system for detecting time-bomb malware, comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors and including one or more virtual machine images, whereinthe one or more processors, using a virtual machine image selected based on metadata associated with received content, to instantiate one or more virtual machines adapted to analyze the received content and determine if the received content includes time-bomb malware by monitoring at least one of (i) a number of events that delay processing of the received content and (ii) an amount of delay caused by the events and correspondingly determining that the received content includes malware if at least one of (a) the number of events exceeds a first threshold and (b) the amount of delay caused by the events exceeds a second threshold.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the received content and identifying the received content as including malware if a total delay requested by the one or more Sleep request messages exceeds the second threshold being a first predetermined time period.
  - 14. The system of claim 12, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the received content and identifying the received content as including malware if one of the time intervals exceeds a first predetermined time period.
  - 15. The system of claim 12, wherein the one or more virtual machines being configured to further monitor the number of events being a number of function calls initiated during processing of the received content and identifying the received content as including malware if the number of function calls exceeds the first threshold.
  - 16. The system of claim 12, wherein the one or more virtual machines being configured to further monitor an event by determining if, during processing of the received content, an instruction pointer is repeatedly directed to a specific address or address range and identifying the received content as including malware if the instruction pointer is repeatedly directed to the specific address or address range.
  - 17. The system of claim 12, wherein the second threshold has a duration that is dynamically set.
  - 18. The system of claim 12, wherein the one or more virtual machines being configured to maintain and monitor time intervals for Sleep calls per call site, initiated during processing of the received content and identifying the received content as including malware if one of the time intervals exceeds a predetermined time period.
  - 19. The system of claim 12 further comprising a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the received content.

20. A system comprising:
- one or more counters;
  
  one or more comparators coupled to the one or more counters; and
  
  one or more hardware processors communicatively coupled to the one or more counters and the one or more comparators, the one or more hardware processors being configured, using a virtual machine (VM) image selected based on metadata associated with received content, to instantiate one or more virtual machines that, utilizing the one or more counters and the one or more comparators, are adapted to analyze received content, the one or more virtual machines being configured to (i) monitor a delay caused by at least one of (a) repetitive Sleep request messages or (b) Application Programming Interface (API) function calls that is conducted during processing of the received content and (ii) identify the received content as including malware if the delay exceed a first time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vincent, Michael, Vashisht, Sai, Kindlund, Darien
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US15/394,681
Time in Patent Office

635 Days
Field of Search
US Class Current
CPC Class Codes

B01D 61/06   Energy recovery

C02F 1/44   by dialysis, osmosis or rev...

C02F 1/52   by flocculation or precipit...

C02F 1/66   by neutralisation; pH adjus...

C02F 1/76   with halogens or compounds ...

C02F 2103/08   Seawater, e.g. for desalina...

C02F 2303/10   Energy recovery

C02F 2303/18   Removal of treatment agents...

C02F 2303/185   The treatment agent being h...

C02F 3/1273   Submerged membrane bioreactors

C02F 5/08   Treatment of water with com...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Y02W 10/10   Biological treatment of wat...

Y02W 10/30   Wastewater or sewage treatm...

System and method for detecting time-bomb malware

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting time-bomb malware

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links