Systems and methods of processing data associated with detection and/or handling of malware

US 10,204,224 B2
Filed: 12/09/2015
Issued: 02/12/2019
Est. Priority Date: 04/08/2010
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising instructions to produce a malware repair tool, wherein the instructions, when executed by at least one processor, are to:

generate repair information to be used for repairing an operating system environment infected by malware, wherein the repair information is generated based on hidden logic path information retrieved from code that has a latent infection by the malware and has not been executed by the operating system environment infected by the malware, and wherein the repair information is to be generated, at least in part, by resolving handles into searchable names, and creating one or more signatures for one or more files that are dropped based on a verification routine;

integrate the repair information into a repair executable program;

prepare a boot image in a non-infected operating system environment;

prepare a supporting executable program to access an infected file system;

generate a batch process by integrating the repair executable program with the boot image; and

create the malware repair tool by packaging at least the batch process and the supporting executable program, wherein the malware repair tool is configured to reverse the latent infection by the malware.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to malware and, more particularly, towards systems and methods of processing information associated with detecting and handling malware. According to certain illustrative implementations, methods of processing malware are disclosed. Moreover, such methods may include one or more of unpacking and/or decrypting malware samples, dynamically analyzing the samples, disassembling and/or reverse engineering the samples, performing static analysis of the samples, determining latent logic execution path information regarding the samples, classifying the samples, and/or providing intelligent report information regarding the samples.

41 Citations

View as Search Results

25 Claims

1. At least one non-transitory computer-readable medium comprising instructions to produce a malware repair tool, wherein the instructions, when executed by at least one processor, are to:
- generate repair information to be used for repairing an operating system environment infected by malware, wherein the repair information is generated based on hidden logic path information retrieved from code that has a latent infection by the malware and has not been executed by the operating system environment infected by the malware, and wherein the repair information is to be generated, at least in part, by resolving handles into searchable names, and creating one or more signatures for one or more files that are dropped based on a verification routine;
  
  integrate the repair information into a repair executable program;
  
  prepare a boot image in a non-infected operating system environment;
  
  prepare a supporting executable program to access an infected file system;
  
  generate a batch process by integrating the repair executable program with the boot image; and
  
  create the malware repair tool by packaging at least the batch process and the supporting executable program, wherein the malware repair tool is configured to reverse the latent infection by the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The at least one non-transitory computer-readable medium of claim 1, wherein the malware repair tool includes parameters.
  - 3. The at least one non-transitory computer-readable medium of claim 1, wherein the malware repair tool is produced as a function of:
    - detail behavior logs created from a dynamic analysis; and
      
      detail latent code behavior logs created from a static analysis.
  - 4. The at least one non-transitory computer-readable medium of claim 3, wherein the detail latent code behavior logs include the hidden logic path information.
  - 5. The at least one non-transitory computer-readable medium of claim 3, wherein the detail behavior logs include all infected processes and infected threads.
  - 6. The at least one non-transitory computer-readable medium of claim 1, wherein the searchable names include at least one of a file name, a process name, a registry name or a value.
  - 7. The at least one non-transitory computer-readable medium of claim 1, wherein the repair executable program embeds the malware repair tool and one or more configurations.
  - 8. The at least one non-transitory computer-readable medium of claim 1, wherein the supporting executable program is to access the infected file system without activating the operating system environment infected by the malware.
  - 9. The at least one non-transitory computer-readable medium of claim 1, wherein the instructions, when executed by the at least one processor, are to:
    - build a repair runtime log mechanism, wherein the repair runtime log mechanism is packaged in the malware repair tool.
  - 10. The at least one non-transitory computer-readable medium of claim 1, wherein the instructions, when executed by the at least one processor, are to:
    - build a repair tools database to contain a respective repair tool for each item of identified malware; and
      
      configure the repair tools database to be searchable by a malware signature.
  - 11. The at least one non-transitory computer-readable medium of claim 1, wherein the batch process is to run automatically on a computer after the computer is booted.
  - 12. The at least one non-transitory computer-readable medium of claim 1, wherein the instructions, when executed by the at least one processor, are to:
    - create a remote transmission engine to push the malware repair tool to a remote endpoint.
  - 13. The at least one non-transitory computer-readable medium of claim 1, wherein the non-infected operating system environment is a different type than the operating system environment infected by the malware.

14. An apparatus comprising:
- logic at least partially implemented in hardware, the logic to;
  
  generate repair information to be used for repairing an operating system environment infected by malware, wherein the repair information is generated based on hidden logic path information retrieved from code that has a latent infection by the malware and has not been executed by the operating system environment infected by the malware, and wherein the repair information is to be generated, at least in part, by resolving handles into searchable names, and creating one or more signatures for one or more files that are dropped based on a verification routine;
  
  integrate the repair information into a repair executable program;
  
  prepare a boot image in a non-infected operating system environment;
  
  prepare a supporting executable program to access an infected file system;
  
  generate a batch process by integrating the repair executable program with the boot image; and
  
  create a malware repair tool by packaging at least the batch process and the supporting executable program, wherein the malware repair tool is configured to reverse the latent infection by the malware.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, wherein the malware repair tool is produced as a function of:
    - detail behavior logs created from a dynamic analysis; and
      
      detail latent code behavior logs created from a static analysis.
  - 16. The apparatus of claim 15, wherein the detail latent code behavior logs include the hidden logic path information.
  - 17. The apparatus of claim 14, wherein the supporting executable program is to access the infected file system without activating the operating system environment infected by the malware.
  - 18. The apparatus of claim 14, wherein the logic is to:
    - build a repair tools database to contain a respective repair tool for each item of identified malware; and
      
      configure the repair tools database to be searchable by a malware signature.
  - 19. The apparatus of claim 14, wherein the batch process is to run automatically on a computer after the computer is booted.

20. A method comprising:
- generating repair information to be used for repairing an operating system environment infected by malware, wherein the repair information is generated based on hidden logic path information retrieved from code that has a latent infection by the malware and has not been executed by the operating system environment infected by the malware, and wherein the repair information is to be generated, at least in part, by resolving handles into searchable names, and creating one or more signatures for one or more files that are dropped based on a verification routine;
  
  integrating the repair information into a repair executable program;
  
  preparing a boot image in a non-infected operating system environment;
  
  preparing a supporting executable program to access an infected file system;
  
  generating a batch process by integrating the repair executable program with the boot image; and
  
  creating a malware repair tool by packaging at least the batch process and the supporting executable program, wherein the malware repair tool is configured to reverse the latent infection by the malware.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method of claim 20, wherein the malware repair tool is produced as a function of:
    - detail behavior logs created from a dynamic analysis; and
      
      detail latent code behavior logs created from a static analysis.
  - 22. The method of claim 21, wherein the detail latent code behavior logs include the hidden logic path information.
  - 23. The method of claim 20, wherein the supporting executable program is to access the infected file system without activating the operating system environment infected by the malware.
  - 24. The method of claim 20, wherein the logic is to:
    - build a repair tools database to contain a respective repair tool for each item of identified malware; and
      
      configure the repair tools database to be searchable by a malware signature.
  - 25. The method of claim 20, wherein the batch process is to run automatically on a computer after the computer is booted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mcafee Ireland Holdings Limited (McAfee, LLC)
Original Assignee
Mcafee Ireland Holdings Limited (McAfee, LLC)
Inventors
Lu, Lixin
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Jackson, Jenise

Application Number

US14/964,250
Publication Number

US 20160196431A1
Time in Patent Office

1,161 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

Systems and methods of processing data associated with detection and/or handling of malware

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of processing data associated with detection and/or handling of malware

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links