Malware and exploit campaign detection system and method
First Claim
1. A malware and exploit campaign detection system, comprising:
a plurality of computer systems;
a capture stack that is configured to issue a uniform resource locator to each computer system to download a piece of malicious code;
a replay stack that is configured to test the piece of malicious code in a live environment and generate data about the replay of the piece of malicious code;
a proxy stack that is configured to perform testing of the piece of malicious code without accessing the uniform resource locator, wherein the testing includes a formulation of remote parameters of an original malicious website, pulling and reassembling the archive of the original malicious website, unpacking the archive, and launching a fully-functional copy of the original malicious website; and
a master hypervisor controller that controls the capture stack, the replay stack and the proxy stack.
4 Assignments
0 Petitions
Abstract
A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and endpoint protection (anti-virus) technologies. The system may also be used as a testing platform for third-party products. Due to the massive footprint of the system's cloud infrastructure and its disparate network connections and geo-location obfuscation techniques, NSS can locate and monitor malware across the globe and provide detailed threat analysis for each specific region, as regions often support and host different malware/cybercrime campaigns.
98 Citations
14 Claims
1. Independent system claim, reproduced above under First Claim; dependent claims 2, 3, 4, 5, 6, 7, 8 and 9 depend on it.

10. A malware and exploit campaign detection method, the method comprising:
providing a plurality of computer systems;
executing a capturing process, wherein the capturing process issues a uniform resource locator to each computer system to download a piece of malicious code;
executing a replay process, wherein the replay process tests the piece of malicious code in a live environment and generates data about the replay process of the piece of malicious code;
executing a proxying process, wherein the proxying process performs testing of the piece of malicious code without accessing the uniform resource locator, and wherein the proxying process includes a formulation of remote parameters of an original malicious website, pulling and reassembling the archive of the original malicious website, unpacking the archive, and launching a fully-functional copy of the original malicious website; and
controlling, using a master hypervisor controller, the capture process, the replay process and the proxy process.
Dependent claims 11, 12, 13 and 14 depend on claim 10 and are not reproduced here.
Specification