System and method for detecting time-bomb malware

US 10,335,738 B1
Filed: 09/24/2018
Issued: 07/02/2019
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A system adapted with one or more processors and a non-transitory storage medium communicatively coupled to the one or more processors that are configured to instantiate a virtual machine that is adapted to receive content and process the received content, the system comprising:

analysis logic configured to monitor one or more events representing operations within the virtual machine to delay further processing of the received content and adjust an operating parameter or parameters each associated with a corresponding event of the one or more events, the operating parameter or parameters track any combination of (i) a number of Sleep request messages initiated during processing of the received content by the virtual machine, or (ii) a cumulative Sleep time requested during processing of the received content by the virtual machine, or (iii) a number of calls initiated during processing of the received content by the virtual machine;

comparison logic to compare the operating parameter or parameters to a threshold associated with the corresponding event, wherein the received content is classified as including delay-activated malware upon detecting that a value of the operating parameter or parameters exceed the threshold associated with the corresponding event; and

a reporting module that, in response to classifying the received content as including delay-activated malware, issues an alert message for transmission from the system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

478 Citations

32 Claims

1. A system adapted with one or more processors and a non-transitory storage medium communicatively coupled to the one or more processors that are configured to instantiate a virtual machine that is adapted to receive content and process the received content, the system comprising:
- analysis logic configured to monitor one or more events representing operations within the virtual machine to delay further processing of the received content and adjust an operating parameter or parameters each associated with a corresponding event of the one or more events, the operating parameter or parameters track any combination of (i) a number of Sleep request messages initiated during processing of the received content by the virtual machine, or (ii) a cumulative Sleep time requested during processing of the received content by the virtual machine, or (iii) a number of calls initiated during processing of the received content by the virtual machine;
  
  comparison logic to compare the operating parameter or parameters to a threshold associated with the corresponding event, wherein the received content is classified as including delay-activated malware upon detecting that a value of the operating parameter or parameters exceed the threshold associated with the corresponding event; and
  
  a reporting module that, in response to classifying the received content as including delay-activated malware, issues an alert message for transmission from the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 31)
- - 2. The system of claim 1, wherein the comparison logic including one or more comparators.
  - 3. The system of claim 1, wherein the analysis logic comprises a sleep analysis logic that includes one or more counters, the sleep analysis logic, when executed by the one or more processors, monitors the number of Sleep request messages that are being repeated, each of the repeated Sleep request messages includes a parameter that indicates an amount of time requested for the corresponding Sleep request message.
  - 4. The system of claim 3 further comprising time adjustment logic that is configured to operate in concert with the sleep analysis logic to compute a shortened Sleep time to accelerate malicious activities as detected by the comparison logic and the analysis logic to monitor the accelerated malicious activities as the one or more events.
  - 5. The system of claim 1, wherein the analysis logic includes call analysis logic that includes one or more counters, the call analysis logic, when executed by the one or more processors, monitors for a presence of the repeated calls including Application Programming Interface (API) calls by accessing at least a counter of the one or more counters that maintains a count of a particular type of API call of the API calls initiated during processing of the received content within the virtual machine and alters a duration of a delay caused by the repeated calls by a shortened call response wait time for at least each of the particular type of API calls.
  - 6. The system of claim 1 further comprising instruction pointer analysis logic that determines, during processing of the received content, whether an instruction pointer is repeatedly directed to a specific address or address range, wherein the instruction pointer being repeatedly directed to the specific address or address range operates as a criterion in classifying the received content as including delay-activated malware.
  - 7. The system of claim 1 further comprising instruction pointer analysis logic that is configured to check, during processing of the content by the virtual machine, whether an instruction pointer has remained within an address range over a predetermined period of time, the detecting of the instruction pointer remaining within the address range over the predetermined period of time is a criterion for classifying the received content as including delay-activated malware.
  - 8. The system of claim 1, wherein the analysis logic configured to monitor one or more events and adjust the operating parameter or parameters that track (i) the number of Sleep request messages initiated during processing of the received content by the virtual machine, and (ii) the cumulative Sleep time requested during processing of the received content by the virtual machine.
  - 9. The system of claim 1, wherein the analysis logic corresponds to sleep analysis logic that monitors Sleep request messages and the system further comprises time adjustment logic that, when executed by the one or more processors, alters a duration of a delay caused by repeating Sleep request messages by shortening an amount of time allocated to each of the repeated Sleep request messages.
  - 10. The system of claim 1, whereinthe operating parameter or parameters further track at least one of (i) the number of Sleep request messages initiated during processing of the received content by the virtual machine, or (ii) the cumulative Sleep time requested during processing of the received content by the virtual machine, or (iii) the number of calls initiated during processing of the received content by the virtual machine, or (iv) a cumulative amount of time that called functions would need for execution,the comparison logic, when executed by the one or more processors, to compare (iv) the cumulative amount of time that the called functions would need for execution to a fourth threshold when the operating parameter or parameters is tracking the cumulative amount of time that the called functions would need for execution, andthe received content is classified as including delay-activated malware upon detecting that the cumulative amount of time that called functions would need for execution exceeds the fourth threshold.
  - 11. The system of claim 1, wherein the comparison logic including one or more comparators to compare the operating parameter or parameters to the threshold by performing a comparison of a count value associated with the number of Sleep request messages to a first threshold when the one or more events correspond to the number of Sleep request messages initiated during processing by the virtual machine, wherein the received content is classified as including delay-activated malware upon detecting that the count value associated with the number of Sleep request messages exceeds the first threshold when the one or more events correspond to the number of Sleep request messages.
  - 12. The system of claim 1, wherein the comparison logic including one or more comparators to compare the operating parameter or parameters to the threshold by performing a comparison of the cumulative Sleep time to a second threshold that is different than the first threshold when the one or more events correspond to the cumulative Sleep time, wherein the received content is classified as including delay-activated malware upon detecting that the cumulative Sleep time exceeds the second threshold when the one or more events correspond to the cumulative Sleep time.
  - 13. The system of claim 1, wherein the comparison logic including one or more comparators to compare the operating parameter or parameters to the threshold by performing a comparison of a count value associated with the number of calls to a third threshold different than the first threshold and the second threshold when the one or more events correspond to the number of calls initiated during processing by the virtual machine, wherein the received content is classified as including delay-activated malware upon detecting that the count value associated with the number of calls exceeds the third threshold.
  - 14. The system of claim 1, wherein the operating parameter or parameters track (i) the number of Sleep request messages initiated during processing of the received content by the virtual machine, (ii) the cumulative Sleep time requested during processing of the received content by the virtual machine, and (iii) the number of calls initiated during processing of the received content by the virtual machine.
  - 31. The system of claim 1, wherein at least the analysis logic and the reporting module correspond to software stored within the non-transitory storage medium and executed by the one or more processors.

15. A method for detecting time-bomb malware, comprising:
- instantiating one or more virtual machines that are adapted to receive content and process the received content for a period of time;
  
  monitoring for a presence of repeated calls produced during processing of the received content within the one or more virtual machines, the repeated calls to delay further processing of the received content;
  
  altering a duration of the delay that is caused by the repeated calls exceeding a prescribed threshold to accelerate operations by the received content to be conducted during the period of time;
  
  classifying the received content as including delay-activated malware upon detecting that the repeated calls exceeds the prescribed threshold; and
  
  responsive to classifying the received content as including delay-activated malware, issuing an alert message indicating a presence of the delay-activated malware.
- View Dependent Claims (16, 17, 18, 32)
- - 16. The method of claim 15, wherein the monitoring for the presence of the repeated calls includes monitoring for repeated calls and altering the duration of the delay by reducing a call response wait time for responding to each of the repeated calls.
  - 17. The method of claim 15, wherein:
    - the monitoring for the presence of the repeated calls includes monitoring for a plurality of Sleep request messages, each of the plurality of Sleep request messages includes a parameter that indicates an amount of time requested for a corresponding Sleep request message; and
      
      the altering of the duration of the delay includes decreasing the amount of time requested for the corresponding Sleep request message.
  - 18. The method of claim 15, wherein the monitoring for the presence of the repeated calls includes determining, during processing of the received content, whether an instruction pointer is repeatedly directed to a specific address or address range, the determining that the instruction pointer is repeatedly directed to the specific address or the address range operates as a criterion in classifying the received content as including delay-activated malware.
  - 32. The method of claim 15, wherein the repeated calls includes repeated Sleep calls.

19. A non-transitory storage medium including software that, when executed by one or more processors, cause the software to perform operations comprising:
- monitoring for a presence of repeated calls produced during processing of content within a sandboxed environment, the repeated calls to delay further processing of the received content;
  
  altering a duration of the delay that is caused by the repeated calls exceeding a prescribed threshold to accelerate operations by the received content to be conducted during the period of time;
  
  classifying the received content as including delay-activated malware upon detecting that the repeated calls exceeds the prescribed threshold; and
  
  responsive to classifying the received content as including delay-activated malware, issuing an alert message indicating a presence of the delay-activated malware.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. The non-transitory storage medium of claim 19, wherein the repeated calls include Application Programming Interface (API) calls.
  - 21. The non-transitory storage medium of claim 20, wherein the monitoring for the presence of the API calls performed by the software executed by the one or more processors comprises determining a count of a particular type of API call of the API calls initiated during processing of the received content within the sandboxed environment including a virtual machine.
  - 22. The non-transitory storage medium of claim 21, wherein the altering of the duration of the delay performed by the software executed by the one or more processors comprises shortening call response wait time for at least each of the particular type of API calls.
  - 23. The non-transitory storage medium of claim 19, wherein the repeated calls includes repeated Sleep calls.
  - 24. The non-transitory storage medium of claim 19, wherein the altering the duration of the delay performed by the software executed by the one or more processors comprises reducing a call response wait time for responding to each of the repeated calls.
  - 25. The non-transitory storage medium of claim 19, wherein the monitoring for the presence of the repeated calls performed by the software executed by the one or more processors comprises monitoring for a plurality of Sleep request messages, each of the plurality of Sleep request messages includes a parameter that indicates an amount of time requested for a corresponding Sleep request message.
  - 26. The non-transitory storage medium of claim 25, wherein the altering of the duration of the delay performed by the software executed by the one or more processors comprises decreasing the amount of time requested for the corresponding Sleep request message.
  - 27. The non-transitory storage medium of claim 19, wherein the monitoring for the presence of the repeated calls performed by the software executed by the one or more processors comprises determining, during processing of the received content, whether an instruction pointer is repeatedly directed to a specific address or address range, the determining that the instruction pointer is repeatedly directed to the specific address or the address range operates as a criterion in classifying the received content as including delay-activated malware.
  - 28. The non-transitory storage medium of claim 19, wherein the altering of the duration of the delay performed by the software executed by the one or more processors comprises adjusting one or more operating parameters associated with a number of the repeated calls produced.
  - 29. The non-transitory storage medium of claim 28, wherein the repeated calls correspond to Sleep request messages.
  - 30. The non-transitory storage medium of claim 19, wherein the altering of the duration of the delay performed by the software executed by the one or more processors comprises adjusting one or more operating parameters corresponding to a cumulative Sleep time requested during processing of the repeated calls by the sandboxed environment including a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vincent, Michael, Vashisht, Sai, Kindlund, Darien
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US16/140,327
Time in Patent Office

281 Days
Field of Search
US Class Current
CPC Class Codes

B01D 61/06   Energy recovery

C02F 1/44   by dialysis, osmosis or rev...

C02F 1/52   by flocculation or precipit...

C02F 1/66   by neutralisation; pH adjus...

C02F 1/76   with halogens or compounds ...

C02F 2103/08   Seawater, e.g. for desalina...

C02F 2303/10   Energy recovery

C02F 2303/18   Removal of treatment agents...

C02F 2303/185   The treatment agent being h...

C02F 3/1273   Submerged membrane bioreactors

C02F 5/08   Treatment of water with com...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Y02W 10/10   Biological treatment of wat...

Y02W 10/30   Wastewater or sewage treatm...

System and method for detecting time-bomb malware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

478 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting time-bomb malware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

478 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links