System and method for detecting malicious code in address space of a process

US 10,242,186 B2
Filed: 06/15/2016
Issued: 03/26/2019
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detection of malware on a computer, the method comprising:

detecting a first process executed on the computer in association with an application;

intercepting at least one function call made by the first process to a second process, wherein the at least one function call made by the first process is configured to execute code from an address space associated with the second process;

determining one or more attributes associated with the at least one function call;

determining whether to perform malware analysis of the code associated with the at least one function call in the address space associated with the second process based on application of one or more heuristic rules to the one or more attributes, wherein the one or more heuristic rules indicate that the code is to be analyzed when one of;

the first process is writing data containing a header into the second process, the first process started from a predetermined directory, or the second process is a trusted system process;

upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious and determining system functions that are executed by the code by comparing addresses of functions called by the code and addresses of functions loaded in the address space associated with the second process; and

generating one or more application control rules that prevent calling the system functions by the first process in the address space of the second process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are system and method for detecting malicious code in address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious.

34 Citations

View as Search Results

20 Claims

1. A method for detection of malware on a computer, the method comprising:
- detecting a first process executed on the computer in association with an application;
  
  intercepting at least one function call made by the first process to a second process, wherein the at least one function call made by the first process is configured to execute code from an address space associated with the second process;
  
  determining one or more attributes associated with the at least one function call;
  
  determining whether to perform malware analysis of the code associated with the at least one function call in the address space associated with the second process based on application of one or more heuristic rules to the one or more attributes, wherein the one or more heuristic rules indicate that the code is to be analyzed when one of;
  
  the first process is writing data containing a header into the second process, the first process started from a predetermined directory, or the second process is a trusted system process;
  
  upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious and determining system functions that are executed by the code by comparing addresses of functions called by the code and addresses of functions loaded in the address space associated with the second process; and
  
  generating one or more application control rules that prevent calling the system functions by the first process in the address space of the second process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - collecting information associated with the application,wherein the determination whether to perform the malware analysis is further based on the collected information associated with the application.
  - 3. The method of claim 2, wherein the collected information includes at least one of information about unique users of the application, a time since a first-known execution of the application, a name of the application, or a location of the application within a storage device communicatively coupled with computer.
  - 4. The method of claim 1, wherein determining one or more attributes associated with the at least one function call includes one or more of:
    - determining an identifier of the second process;
      
      determining a size of a memory block written to the address space associated with the second process;
      
      determining presence of a header of an executable file in the memory block;
      
      determining whether the second process is a trusted process;
      
      ordetermining whether the at least one function call transfers control over executable code of the second process in a memory area dedicated to dynamic link libraries.
  - 5. The method of claim 1, further comprising:
    - upon determining that the code is malicious, designating the application as untrusted.
  - 6. The method of claim 1, further comprising:
    - upon determining that the code is malicious, determining a uniform resource identifier (URI) associated with the code and generating an antivirus record that includes at least a portion of the determined URI.
  - 7. The method of claim 1, wherein the one or more heuristic rules further comprises one or more of:
    - the first process queues an asynchronous process with arguments referring to the second process, andthe first process is injecting data into the second process,wherein the first process and the second process share a process name, wherein a number of unique users starting the application that generated the first process does not exceed a predetermined threshold value, wherein the time elapsed from when the application started to when the first process started does not exceed a predetermined threshold time.
  - 8. The method of claim 7, wherein the predetermined threshold value is approximately fifty, and the predetermined threshold time is approximately one day.

9. A system for detection of malware on a computer, the system comprising:
- a memory; and
  
  at least one processor coupled to the memory and configured to;
  
  detect a first process executed on the computer in association with an application;
  
  intercept at least one function call made by the first process to a second process, wherein the at least one function call made by the first process is configured to execute code from an address space associated with the second process;
  
  determine one or more attributes associated with the at least one function call;
  
  determine whether to perform malware analysis of the code associated with the at least one function call in the address space associated with the second process based on application of one or more heuristic rules to the one or more attributes, wherein the one or more heuristic rules indicate that the code is to be analyzed when one of;
  
  the first process is writing data containing a header into the second process, the first process started from a predetermined directory, or the second process is a trusted system process;
  
  upon determination to perform malware analysis of the code, determine whether the code in the address space is malicious and determine system functions that are executed by the code by comparing addresses of functions called by the code and addresses of functions loaded in the address space associated with the second process; and
  
  generate one or more application control rules that prevent calling the system functions by the first process in the address space of the second process.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the at least one processor is further configured to:
    - collect information associated with the application,wherein the determination whether to perform the malware analysis is further based on the collected information associated with the application.
  - 11. The system of claim 10, wherein the collected information includes at least one of information about unique users of the application, a time since a first-known execution of the application, a name of the application, or a location of the application within a storage device communicatively coupled with computer.
  - 12. The system of claim 9, wherein the at least one processor is configured to determine the one or more attributes associated with the at least one function call based on one or more of:
    - determining an identifier of the second process;
      
      determining a size of a memory block written to the address space associated with the second process;
      
      determining presence of a header of an executable file in the memory block;
      
      determining whether the second process is a trusted process;
      
      ordetermining whether the at least one function call transfers control over executable code of the second process in a memory area dedicated to dynamic link libraries.
  - 13. The system of claim 9, wherein the at least one processor is further configured to:
    - upon determination that the code is malicious, designate the application as untrusted.
  - 14. The system of claim 9, wherein the at least one processor is further configured to:
    - upon determination that the code is malicious, determine a uniform resource identifier (URI) associated with the code and generating an antivirus record that includes at least a portion of the determined URI.

15. A non-transitory, computer-readable medium storing computer-executable instructions for detection of malware on a computer, comprising instructions to:
- detect a first process executed on the computer in association with an application;
  
  intercept at least one function call made by the first process to a second process, wherein the at least one function call made by the first process is configured to execute code from an address space associated with the second process;
  
  determine one or more attributes associated with the at least one function call;
  
  determine whether to perform malware analysis of the code associated with the at least one function call in the address space associated with the second process based on application of one or more heuristic rules to the one or more attributes, wherein the one or more heuristic rules indicate that the code is to be analyzed when one of;
  
  the first process is writing data containing a header into the second process, the first process started from a predetermined directory, or the second process is a trusted system process;
  
  upon determination to perform malware analysis of the code, determine whether the code in the address space is malicious; and
  
  determining system functions that are executed by the code by comparing addresses of functions called by the code and addresses of functions loaded in the address space associated with the second process; and
  
  generating one or more application control rules that prevent calling the system functions by the first process in the address space of the second process.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, further comprising instructions to:
    - collect information associated with the application,wherein the determination whether to perform the malware analysis is further based on the collected information associated with the application.
  - 17. The computer-readable medium of claim 16, wherein the collected information includes at least one of information about unique users of the application, a time since a first-known execution of the application, a name of the application, or a location of the application within a storage device communicatively coupled with computer.
  - 18. The computer-readable medium of claim 15, wherein the instructions to determine the one or more attributes associated with the at least one function call include instructions to:
    - determine an identifier of the second process;
      
      determine a size of a memory block written to the address space associated with the second process;
      
      determine presence of a header of an executable file in the memory block;
      
      determine whether the second process is a trusted process;
      
      ordetermine whether the at least one function call transfers control over executable code of the second process in a memory area dedicated to dynamic link libraries.
  - 19. The computer-readable medium of claim 15, further comprising instructions to:
    - upon determination that the code is malicious, designate the application as untrusted.
  - 20. The computer-readable medium of claim 15, further comprising instructions to:
    - upon determination that the code is malicious, determine a uniform resource identifier (URI) associated with the code and generating an antivirus record that includes at least a portion of the determined URI.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Pavlyushchik, Mikhail A., Monastyrsky, Alexey V., Nazarov, Denis A.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas A

Application Number

US15/183,063
Publication Number

US 20170004309A1
Time in Patent Office

1,014 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/544   Buffers; Shared memory; Pipes

H04L 63/1416   Event detection, e.g. attac...

System and method for detecting malicious code in address space of a process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious code in address space of a process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links