System, apparatus and method for classifying a file as malicious using static scanning

US 10,192,052 B1
Filed: 09/30/2013
Issued: 01/29/2019
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a non-transitory computer-readable medium to store information; and

a processor communicatively coupled to the non-transitory computer-readable medium, the processor for processing the stored information to;

(i) prior to deconstructing a file, performing a first static scan to determine if content within the file has a prescribed level of correlation with one or more malware identifiers;

(ii) when the content does not have at least the predefined level of correlation with the one or more malware identifiers, deconstruct the file to gain access to an object within the file, and thereafter, perform a second static scan to analyze the object to determine whether the object is suspected of including malware and classify the file with a score indicating a likelihood that the file includes malware when the object is suspected of including malware, and(iii) when the object remains inaccessible for purposes of performing the second static scan following deconstruction of the file, emulate processing of the object and perform a third static scan on both (1) information provided to the object during emulation and (2) information produced by the object during emulation.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises conducting a first static scan on content within a file. Thereafter, if the first static scan did not result in the file being classified as malicious, the file is deconstructed to gain access to one or more objects within the file. A second static scan associated with the one or more objects is performed to determine whether the one or more objects are suspected of including malware. The file may then be classified as malicious based on results of the second static scan.

488 Citations

23 Claims

1. A system comprising:
- a non-transitory computer-readable medium to store information; and
  
  a processor communicatively coupled to the non-transitory computer-readable medium, the processor for processing the stored information to;
  
  (i) prior to deconstructing a file, performing a first static scan to determine if content within the file has a prescribed level of correlation with one or more malware identifiers;
  
  (ii) when the content does not have at least the predefined level of correlation with the one or more malware identifiers, deconstruct the file to gain access to an object within the file, and thereafter, perform a second static scan to analyze the object to determine whether the object is suspected of including malware and classify the file with a score indicating a likelihood that the file includes malware when the object is suspected of including malware, and(iii) when the object remains inaccessible for purposes of performing the second static scan following deconstruction of the file, emulate processing of the object and perform a third static scan on both (1) information provided to the object during emulation and (2) information produced by the object during emulation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the processor deconstructing the file comprises decompressing the file to gain access to the object and the second static scan comprises comparing content within the object to one or more malware identifiers.
  - 3. The system of claim 1, wherein the processor deconstructing the file comprises disassembling the file by converting executable code associated with the object into a readable format and the second static scan comprises comparing the readable format to one or more malware identifiers.
  - 4. The system of claim 3, wherein the executable code comprises object code and the readable format comprises one of assembly language and JavaScript®
    - code.
  - 5. The system of claim 1, wherein the processor deconstructing the file comprises decompiling the file in order to gain access to the object and the second static scan comprises comparing content within the object to one or more malware identifiers.
  - 6. The system of claim 5, wherein the one or more malware identifiers include at least one of a pattern associated with an exploit, a name of a vulnerable function that are known to be susceptible to exploits, and a malicious pattern that denotes malicious replication of data.
  - 7. The system of claim 1, wherein the processor emulates processing of the object by intercepting Application Programming Interface (API) messages initiated by the object and controlling values returned to the object.
  - 8. The system of claim 1, wherein the processor further processes information associated with one or more virtual machines that are configured to conduct subsequent virtual execution of the object and analyze whether any anomalous behavior is detected during the virtual execution of the object after conducting at least one of the first static scan, the second static scan and the third static scan.
  - 9. The system of claim 1, wherein the processor performing the second static scan by comparing content associated with the object of the deconstructed file with one or more malware identifiers, the one or more malware identifiers including at least one of a pattern associated with an exploit, a name of a vulnerable function that are known to be susceptible to exploits, and a malicious pattern that denotes malicious replication of data.
  - 10. The system of claim 1, wherein the processor performing the third static scan when the object associated with the deconstructed file is inaccessible after conducting the second static scan.
  - 11. The system of claim 1, wherein:
    - the non-transitory computer-readable medium to store the information including malware check logic and emulation logic; and
      
      the processor to execute (i) the emulation logic to emulate processing of the object, being a portion of a file under analysis, by an emulated first version of an application, and (ii) the malware check logic to (a) conduct the third static scan on information associated with the emulated processing of the object and (b) classify the file with a score indicating a likelihood that the file includes malware if the object is suspected of including malware,wherein the processor further repeating the emulated processing of the object in accordance with an emulated second version of the application for conducting a subsequent static scan to determine a second score indicating a second likelihood that the file includes malware.
  - 12. The system of claim 11, wherein prior to executing the emulation logic, the processor executing deconstruction logic to deconstruct the file to gain access to the object within the file, and thereafter, execute the malware check logic to conduct the second static scan analysis of the object to determine whether the object is suspected of including malware and classify the file as malicious if the object is suspected of including malware.
  - 13. The system of claim 11, wherein the processor repeats the emulated processing when the third static scan conducted by the processor failed to classify the file as malicious.
  - 14. The system of claim 11, wherein the information associated with the emulated processing comprises at least one of hooked Application Programming Interface (API) calls and an output from the emulation logic.
  - 15. The system of claim 1, wherein the processor deconstructing the file comprises de-obfuscating the file by conducting at least one of decoding content with the file, decrypting content within the file, unpacking content within the file, and removing any protection mechanisms for the file.
  - 16. The system of claim 1, wherein the processor deconstructing the file comprises decompiling the file by conveying at least one of (1) an executable code being the object into one of a pseudo code and a native code, (2) a Flash code being the object into action script code, and (3) an JAVA®
    - Archive “
      
      JAR”
      
      file being the object into one or more JAVA®
      
      files.
  - 17. The system of claim 1, wherein the processing of the stored information is performed using cloud computing services, wherein the cloud computing services may include one or more of a public network or a private network.
  - 18. The system of claim 17, wherein malware identification is transmitted between the system and a second malware content detection system according to a subscription basis.

19. A computerized method comprising:
- storing, in a non-transitory computer-readable medium, information including a file being a collection of data;
  
  prior to deconstructing the file, performing a first static scan to determine if content within the file has a prescribed level of correlation with one or more malware identifiers;
  
  deconstructing the file to gain access to an object within the file;
  
  performing a second static scan to analyze the object to determine whether the object is suspected of including malware and classify the file with a score indicating a likelihood that the file includes malware if the object is suspected of including malware; and
  
  when the object remains inaccessible for purposes of performing the second static scan following deconstruction of the file, emulating processing of the object and performing a third static scan on both (1) information provided to the object during emulation and (2) information produced by the object during emulation.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, wherein the deconstructing of the file comprises decompressing the file to gain access to the object and the second static scan comprises comparing content within the object to one or more malware identifiers.
  - 21. The method of claim 19, wherein the deconstructing of the file comprises disassembling the file by converting executable code associated with the object into a readable format and the second static scan comprises comparing the readable format to one or more malware identifiers.
  - 22. The method of claim 19, wherein emulation of the processing of the object is performed using cloud computing services, wherein the cloud computing services may include one or more of a public network or a private network.
  - 23. The method of claim 22, wherein malware identification is transmitted between the system and a second malware content detection system according to a subscription basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Singh, Abhishek, Lin, Yichong, Mukherjee, Angshuman, Bu, Zheng
Primary Examiner(s)
Dinh, Minh
Assistant Examiner(s)
Gao, Shu C

Application Number

US14/042,505
Time in Patent Office

1,947 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

System, apparatus and method for classifying a file as malicious using static scanning

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

488 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for classifying a file as malicious using static scanning

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

488 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links