System and method for detecting time-bomb malware
First Claim
1. A system adapted with one or more processors and a non-transitory storage medium communicatively coupled to the one or more processors that are configured to instantiate a virtual machine that is adapted to receive content and process the received content, the system comprising:
analysis logic configured to monitor one or more events representing operations within the virtual machine to delay further processing of the received content and adjust an operating parameter or parameters each associated with a corresponding event of the one or more events, the operating parameter or parameters tracking any combination of (i) a number of Sleep request messages initiated during processing of the received content by the virtual machine, or (ii) a cumulative Sleep time requested during processing of the received content by the virtual machine, or (iii) a number of calls initiated during processing of the received content by the virtual machine;
comparison logic to compare the operating parameter or parameters to a threshold associated with the corresponding event, wherein the received content is classified as including delay-activated malware upon detecting that a value of the operating parameter or parameters exceeds the threshold associated with the corresponding event; and
a reporting module that, in response to classifying the received content as including delay-activated malware, issues an alert message for transmission from the system.
6 Assignments
0 Petitions
Abstract
According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
478 Citations
32 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 31
15. A method for detecting time-bomb malware, comprising:
instantiating one or more virtual machines that are adapted to receive content and process the received content for a period of time;
monitoring for a presence of repeated calls produced during processing of the received content within the one or more virtual machines, the repeated calls to delay further processing of the received content;
altering a duration of the delay that is caused by the repeated calls exceeding a prescribed threshold to accelerate operations by the received content to be conducted during the period of time;
classifying the received content as including delay-activated malware upon detecting that the repeated calls exceed the prescribed threshold; and
responsive to classifying the received content as including delay-activated malware, issuing an alert message indicating a presence of the delay-activated malware.
Dependent claims: 16, 17, 18, 32
19. A non-transitory storage medium including software that, when executed by one or more processors, causes the software to perform operations comprising:
monitoring for a presence of repeated calls produced during processing of content within a sandboxed environment, the repeated calls to delay further processing of the received content;
altering a duration of the delay that is caused by the repeated calls exceeding a prescribed threshold to accelerate operations by the received content to be conducted during the period of time;
classifying the received content as including delay-activated malware upon detecting that the repeated calls exceed the prescribed threshold; and
responsive to classifying the received content as including delay-activated malware, issuing an alert message indicating a presence of the delay-activated malware.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30
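The three independent claims describe one mechanism: hook the calls a sample uses to delay itself, keep per-event counters (number of Sleep requests, cumulative requested Sleep time, number of delay-related calls), compare each against a threshold, and, once a threshold is exceeded, both classify the content as delay-activated malware and shorten the real wait so the rest of the sample's behaviour is observed within the analysis window. The Python below is an added worked example of that logic and is not code from the patent or its assignee. The hooked API names, the threshold values, the 1 ms accelerated delay and the three call traces are all assumptions constructed for the example; a real sandbox would feed `on_api_call` from its in-guest hooks.

```python
"""Sleep-counting time-bomb detector with sleep skipping (illustrative, not the patent's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed hook targets. Sleep-family calls carry a requested duration in ms;
# timing calls are the polling side of a busy-wait loop and carry no duration.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
TIMING_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter", "timeGetTime"}


@dataclass
class Thresholds:
    max_sleep_requests: int = 50             # parameter (i): number of Sleep requests
    max_cumulative_sleep_ms: int = 60_000    # parameter (ii): total Sleep time requested
    max_timing_calls: int = 500              # parameter (iii): number of delay-related calls
    accelerated_sleep_ms: int = 1            # real wait imposed once a threshold is exceeded


@dataclass
class Counters:
    sleep_requests: int = 0
    cumulative_sleep_ms: int = 0
    timing_calls: int = 0


@dataclass
class Verdict:
    delay_activated_malware: bool = False
    tripped_parameter: Optional[str] = None
    alert: Optional[str] = None              # the "alert message" of the reporting module


class SleepMonitor:
    """Analysis + comparison logic sitting behind the sandbox's API hooks."""

    def __init__(self, thresholds: Optional[Thresholds] = None) -> None:
        self.t = thresholds or Thresholds()
        self.c = Counters()
        self.verdict = Verdict()
        self.guest_clock_ms = 0   # time the sample believes has elapsed
        self.host_wait_ms = 0     # time the sandbox actually spends waiting

    def _compare(self) -> None:
        """Compare each counter to its threshold; the first one exceeded fixes the verdict."""
        if self.verdict.delay_activated_malware:
            return
        c, t = self.c, self.t
        tripped = None
        if c.sleep_requests > t.max_sleep_requests:
            tripped = "sleep_requests"
        elif c.cumulative_sleep_ms > t.max_cumulative_sleep_ms:
            tripped = "cumulative_sleep_ms"
        elif c.timing_calls > t.max_timing_calls:
            tripped = "timing_calls"
        if tripped is not None:
            self.verdict = Verdict(True, tripped,
                                   f"ALERT: delay-activated malware, {tripped} exceeded threshold")

    def on_api_call(self, api: str, arg_ms: int = 0) -> int:
        """Hook entry point. Returns the delay in ms the sandbox actually imposes."""
        if api in SLEEP_APIS:
            self.c.sleep_requests += 1
            self.c.cumulative_sleep_ms += arg_ms
        elif api in TIMING_APIS:
            self.c.timing_calls += 1
        else:
            return 0                          # unrelated call, nothing to count
        self._compare()
        if api not in SLEEP_APIS:
            return 0
        # The guest-visible clock always advances by the full requested amount, so the
        # sample's own "has enough time passed?" checks still succeed; once classified,
        # the real wait is cut to accelerated_sleep_ms (sleep skipping).
        self.guest_clock_ms += arg_ms
        actual = self.t.accelerated_sleep_ms if self.verdict.delay_activated_malware else arg_ms
        self.host_wait_ms += actual
        return actual


def analyze(trace: List[Tuple[str, int]], thresholds: Optional[Thresholds] = None) -> Tuple[Verdict, int, int]:
    """Run a call trace through the monitor; returns (verdict, guest_clock_ms, host_wait_ms)."""
    m = SleepMonitor(thresholds)
    for api, ms in trace:
        m.on_api_call(api, ms)
    return m.verdict, m.guest_clock_ms, m.host_wait_ms


# Constructed traces, not captured from real samples.
BENIGN_TRACE = [("CreateFileW", 0)] + [("Sleep", 100)] * 5 + [("GetTickCount", 0)] * 3
SLEEP_LOOP_TRACE = [("Sleep", 1000), ("GetTickCount", 0)] * 600 + [("CreateFileW", 0)]   # 10 min of 1 s sleeps
LONG_SLEEP_TRACE = [("Sleep", 300_000), ("Sleep", 300_000), ("CreateFileW", 0)]          # two 5 min sleeps

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("sleep loop", SLEEP_LOOP_TRACE), ("long sleep", LONG_SLEEP_TRACE)]:
        v, guest, host = analyze(trace)
        print(f"{name}: guest clock {guest} ms, sandbox waited {host} ms, {v.alert or 'no alert'}")
```

Two points worth noting from running it. The sleep-loop sample trips the request-count threshold on its 51st Sleep, after which the sandbox waits 1 ms per call instead of 1 s, so a 600 s delay costs the analysis about 50 s of real time while the sample still sees ten minutes elapse. The long-sleep sample trips the cumulative-time threshold on its very first call, which is why a cumulative parameter is needed alongside the request count. The obvious gap is a sample that measures elapsed time from a source the hooks do not control (the `RDTSC` instruction, or an NTP query) and compares it with the skipped guest clock; a mismatch between the two tells the sample it is being accelerated, so a production implementation has to keep every time source the guest can reach consistent with the skipped clock.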
Specification