Intrusion prevention and remedy system

US 10,084,813 B2
Filed: 06/24/2014
Issued: 09/25/2018
Est. Priority Date: 06/24/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

intercepting an incoming message from a remote source directed to an endpoint device, the incoming message is in response to a callback message sent from malware operating on the endpoint device;

overwriting a first portion of information within the incoming message with a second portion of information including a neutralized version of at least a portion of the malware and the second portion of information includes at least (a) a callback identifier including an address of a destination device operating as a Command and Control (CnC) server or (b) a callback time used by the malware to determine when to attempt a subsequent communication with the destination device; and

forwarding the incoming message including the second portion of the information to the endpoint device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device.

644 Citations

26 Claims

1. A computerized method, comprising:
- intercepting an incoming message from a remote source directed to an endpoint device, the incoming message is in response to a callback message sent from malware operating on the endpoint device;
  
  overwriting a first portion of information within the incoming message with a second portion of information including a neutralized version of at least a portion of the malware and the second portion of information includes at least (a) a callback identifier including an address of a destination device operating as a Command and Control (CnC) server or (b) a callback time used by the malware to determine when to attempt a subsequent communication with the destination device; and
  
  forwarding the incoming message including the second portion of the information to the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computerized method of claim 1, wherein prior to intercepting the incoming message, the method further comprises;
    - determining whether a portion of the incoming message matches a callback signature, the callback signature generated in response to a prior detection of the malware within an object associated with monitored network traffic.
  - 3. The computerized method of claim 2, wherein the prior detection of the malware comprises detecting one or more anomalous behaviors indicative of the malware during execution of a second object associated with the monitored network traffic and different from the object within a virtual machine, the malware attempting an outbound communications to the destination device operating as the CnC server in accordance with a single phase attack or a multi-phase attack.
  - 4. The computerized method of claim 1, wherein prior to intercepting the incoming message, the method further comprises:
    - determining whether a portion of the incoming message violates at least one callback rule, the callback rule being generated in response to a prior detection of the malware within an object associated with monitored network traffic.
  - 5. The computerized method of claim 1, wherein prior to the overwriting of the first portion of information with the second portion of information including the neutralized version, the method further comprises accessing a data store based on the identified malware and determining whether the data store includes the neutralized version.
  - 6. The computerized method of claim 1, wherein the malware becomes inoperable upon modifying the portion of the malware with the neutralized version of at least the portion of the malware.
  - 7. The computerized method of claim 1, wherein the identifier of the destination device comprises a callback phone number of the destination device.
  - 8. The computerized method of claim 1, wherein the overwriting of the first portion of information with the second portion of informationcauses a reset of a callback time being used by the malware to determine when to attempt the subsequent communication with the CnC server.
  - 9. The computerized method of claim 1, wherein the overwriting of the first portion of information with the second portion of information further comprises:
    - determining whether the incoming message is a command from the CnC server causing the compromised endpoint device to evade detection.
  - 10. The computerized method of claim 1, wherein the overwriting of the first portion of information with the second portion of information further comprises:
    - determining whether the incoming message is a code update from the CnC server causing the compromised endpoint device to attempt to exfiltrate sensitive information.
  - 11. The computerized method of claim 1, wherein the forwarding of the incoming message comprises:
    - modifying at least the portion of the malware with the second portion of the information being information that, when processed, mitigates operability of the malware.
  - 12. The computerized method of claim 1, wherein the forwarding of the incoming message comprises:
    - modifying at least the portion of the malware with the second portion of the information being information that, when processed, causes the malware to become inoperable.
  - 13. The computerized method of claim 1, wherein the intercepting of the incoming message, the overwriting of the first portion of information, and forwarding of the incoming message are conducted by an intrusion protection system (IPS) logic.
  - 14. The computerized method of claim 2, wherein upon determining whether the portion of the incoming message matches the callback signature by logic within an intrusion protection system, a first grouping of logic within the intrusion protection system becomes inactive and a second grouping of logic within the intrusion protection system becomes active, the second grouping of logic performs functionality of intercepting the incoming message, overwriting the first portion of information, and forwarding of the incoming message.
  - 15. The computerized method of claim 14, wherein the second grouping of logic includes a malware protocol decoder logic being accessible to a data store.
  - 16. The computerized method of claim 1, wherein the address of the destination device includes an Internet Protocol (IP) address of the destination device.

17. A computerized method comprising:
- scanning memory of an endpoint device;
  
  performing virtual analysis on information obtained from the scanned memory to (1) determine whether the information is malware and (2) generate callback check information corresponding to the malware;
  
  in response to a malicious callback session being detected based on the callback check information,intercepting an incoming message directed to the endpoint device, the incoming message being a response to a callback message from the endpoint device,substituting a first portion of information within the incoming message with a second portion of information, the second portion of information includes a code update that, when transmitted to the endpoint device, is configured to overwrite at least a portion of the malware at the endpoint device to mitigate operability of the malware by disrupting subsequent communication between the malware and a Command and Control (CnC) server, andproviding the incoming message including the second portion of the information to the endpoint device,wherein the substituting of the first portion of information within the incoming message with the second portion of information comprises overwriting the first portion of information with the second portion of information changing either (i) a callback identifier including at least an address of the CnC server to preclude the subsequent communication to the CnC server or (ii) a callback time used by the malware to determine when to attempt the subsequent communication with the CnC server.
- View Dependent Claims (18)
- - 18. The computerized method of claim 17, wherein the address of the destination device includes an Internet Protocol (IP) address of the destination device.

19. A system comprising:
- one or more hardware processors; and
  
  a non-transitory storage medium comprises;
  
  interface logic to receive an incoming message from a remote source directed to an endpoint device in response to the endpoint device being previously detected as including a malware by detecting a callback message being sent from the endpoint device and the incoming message is in response to the callback message; and
  
  a first analysis engine in communication with the interface logic, the first analysis engine to (i) intercept the incoming message, (ii) overwrite a first portion of information within the incoming message with a second portion of information including a neutralized version of at least a portion of the malware where the second portion of information includes at least (a) a callback identifier including an address of a destination device operating as a Command and Control (CnC) server or (b) a callback time used by the malware to determine when to attempt a subsequent communication with the destination device, and (iii) provide the incoming message including the second portion of the information to the endpoint device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the first analysis engine is logic within an intrusion prevention system (IPS) device.
  - 21. The system of claim 19, wherein the first analysis engine intercepts the incoming message by extracting one or more objects from the incoming message and determining whether the one or more object matches callback check information corresponding to the malware.
  - 22. The system of claim 21, further comprising a second analysis engine, prior to receipt of the incoming message by the system, detecting one or more anomalous behaviors indicative of the malware during virtual execution of an object associated with network traffic within a virtual machine and generates the callback check information based on detection of the malware.
  - 23. The system of claim 19, wherein the first analysis engine, prior to overwriting of the first portion of information with the second portion of information including the neutralized version including code to overwrite at least part of the malware, further accesses a data store based on the identified malware and determines whether the data store includes the neutralized version.
  - 24. The system of claim 19, wherein the first analysis engine returns the neutralized version of at least the portion of the malware to the endpoint device to modify the malware and cause the malware to become inoperable.
  - 25. The system of claim 19, wherein the first analysis engine to overwrite the first portion of information with the second portion of the information that, when the second portion of the information of the incoming message is installed on the endpoint device, resets a callback time used by the malware to determine when to attempt the subsequent communication with the CnC server.
  - 26. The system of claim 19, wherein the address of the destination device includes an Internet Protocol (IP) address of the destination device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Eyada, Hatem
Primary Examiner(s)
Smithers, Matthew
Assistant Examiner(s)
Wade, Shaqueal D

Application Number

US14/313,934
Publication Number

US 20150372980A1
Time in Patent Office

1,554 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Intrusion prevention and remedy system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

644 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion prevention and remedy system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

644 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links