Selective virtualization for security threat detection

US 10,417,031 B2
Filed: 03/25/2016
Issued: 09/17/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

configuring a virtual machine running within a platform with a first virtualization logic;

monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources; and

selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, wherein the second plurality of requests being lesser in number than the first plurality of requests and the selectively virtualizing of the resources comprisesintercepting a first request of the second plurality of requests,redirecting the first request of the second plurality of requests, the redirecting of the first request comprises generating a modified first request by changing a resource associated with the first request and subsequently passing the modified first request to system code for processing, andreceiving virtualized data in response to passing the modified first request to the system code.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for a first plurality of requests that are initiated during processing of an object within the virtual machine. Each of the first plurality of requests, such as system calls for example, is associated with an activity to be performed in connection with one or more resources. The virtualization logic selectively virtualizes resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.

Citations

48 Claims

1. A computerized method comprising:
- configuring a virtual machine running within a platform with a first virtualization logic;
  
  monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources; and
  
  selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, wherein the second plurality of requests being lesser in number than the first plurality of requests and the selectively virtualizing of the resources comprisesintercepting a first request of the second plurality of requests,redirecting the first request of the second plurality of requests, the redirecting of the first request comprises generating a modified first request by changing a resource associated with the first request and subsequently passing the modified first request to system code for processing, andreceiving virtualized data in response to passing the modified first request to the system code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 39, 40, 41)
- - 2. The computerized method of claim 1, wherein the configuring of the virtual machine further comprises providing the first virtualization logic with access to configuration data, the configuration data comprises one or more interception points that are used for intercepting at least the first request of the second plurality of requests.
  - 3. The computerized method of claim 2, wherein the one or more interception points comprise an Application Programming Interface (API) hook.
  - 4. The computerized method of claim 2, wherein the configuration data further comprises at least one usage pattern that specifies a particular resource for virtualization and activities for conducting the virtualization, the particular resource corresponding to the first request that is part of the second plurality of requests.
  - 5. The computerized method of claim 1, wherein the selectively virtualizing of the resources associated with at least the first request of the second plurality of requests further comprisesservicing, by the first virtualization logic, a virtualized resource associated with a second request of the first plurality of requests by returning virtualized data to a process or a thread operating within the virtual machine that initiated the second request.
  - 6. The computerized method of claim 5, wherein the virtualized data associated with the second request comprises a handle.
  - 7. The computerized method of claim 5, wherein the resource associated with the first request is accessible via a path to a first address in a virtual memory of the platform and a resource associated with the modified first request comprises an alternative path to a second address in the virtual memory of the platform, the second address in the virtual memory being different from the first address in the virtual memory.
  - 8. The computerized method of claim 1, wherein the second plurality of requests is a subset of the first plurality of requests.
  - 9. The computerized method of claim 8, wherein the first virtualization logic is implemented in a user mode of the virtual machine.
  - 10. The computerized method of claim 8 further comprising:
    - obfuscating, by the first virtualization logic, the virtualized resources associated with the first request of the second plurality of requests by removing a portion of the virtualized data prior to returning the virtualized data to a process or a thread operating within the virtual machine that initiated the first request.
  - 11. The computerized method of claim 9 further comprising:
    - configuring the virtual machine running within the platform with a second virtualization logic that is implemented within a kernel mode of the virtual machine; and
      
      selectively virtualizing, by the second virtualization logic, resources associated with a third plurality of requests that are initiated during the processing of the object within the virtual machine, where the third plurality of requests being lesser in number than the first plurality of requests and different from the second plurality of requests.
  - 12. The computerized method of claim 11, wherein the second virtualization logic is responsible for selectively conducting virtualization to the resources associated with the third plurality of requests that are handled in the kernel mode of the virtual machine, the third plurality of requests being a subset of the first plurality of requests.
  - 13. The computerized method of claim 12, wherein at least one request of the third plurality of requests includes either (i) a request directed to file management, including opening a file or closing a file, or (ii) a request directed to registry key management, including obtaining a registry key value.
  - 14. The computerized method of claim 12, wherein the third plurality of requests includes one or more requests directed to network management, including establishing a network connection.
  - 15. The computerized method of claim 1, wherein the virtualizing of the resources associated with the second plurality of requests includes transparently modifying access to at least one or more of the resources by one or one processes operating within the virtual machine.
  - 16. The computerized method of claim 1, wherein the selectively virtualizing of the resources associated with at least the first request of the second plurality of requests further comprisesobfuscating at least a portion of the virtualized data prior to returning the virtualized data to a process or thread operating within the virtual machine that initiated the first request.
  - 17. The computerized method of claim 16, wherein the obfuscating includes performance of at least one of (i) preventing a display of certain information directed to a resource of the one or more resources, (ii) altering certain information associated with the resource so that it appears to be present in a platform represented by the virtual machine, or (iii) renaming the resource.
  - 18. The computerized method of claim 1, wherein the selectively virtualizing of the resources associated with the second plurality of requests being a subset of the first plurality of requests further comprisesredirecting a second request of the second plurality of requests by subsequently passing the second request to the system code for processing;
    - receiving data in response to passing the second request to the system code; and
      
      servicing, by the first virtualization logic, a virtualized resource associated with the second request of the second plurality of requests by returning virtualized data in lieu of the received data to a process or a thread operating within the virtual machine that initiated the second request.
  - 39. The computerized method of claim 1, wherein the system code is logic within the virtual machine that is configured to access the resources.
  - 40. The computerized method of claim 39, wherein the logic corresponds to a portion of an operating system of the virtual machine configured to access the resources.
  - 41. The computerized method of claim 1, wherein the second plurality of requests are initiated during the processing of the object within the virtual machine to obfuscate a presence of a particular process or processes.

19. A computerized method for configuring a virtual machine to selectively conduct virtualization of one or more resources during analysis of an object for malware, the computerized method comprising:
- configuring the virtual machine running within a platform with a first virtualization logic that is configured with access to a first configuration data, the first configuration data comprises (i) information that is used by the first virtualization logic to identify and subsequently intercept at least a first request that, when processed, performs an activity on a first resource, and (ii) one or more usage patterns including information to determine whether to perform virtualization of the first resource associated with the first request and information associated with one or more activities that are to be performed in connection with the first resource during the virtualization operation;
  
  responsive to detecting an update to the first configuration data, modifying the first configuration data to alter at least one of (i) the information that is used by the first virtualization logic to identify and subsequently intercept at least the first request, (ii) one or more usage patterns including the information to determine whether to perform the virtualization of the first resource, and the information associated with the one or more activities that are to be performed in connection with the first resource associated with the first request during the virtualization operation, or (iii) obfuscation data used by the first virtualization logic to obfuscate the presence of the first resource or an entire set of resources;
  
  providing a second virtualization logic configured with access to a second configuration data, the second configuration data comprises (i) information that is used by the second virtualization logic to identify and subsequently intercept at least a second request that, when processed, performs an activity on a second resource, and (ii) the one or more usage patterns including information to determine whether to perform virtualization of the second resource associated with the second request and information associated with one or more activities that are to be performed in connection with the second resource during the virtualization operation; and
  
  responsive to detecting an update to the second configuration data, modifying the second configuration data to alter at least one of (i) the information that is used by the second virtualization logic to identify and subsequently intercept at least the second request, (ii) one or more usage patterns including the information to determine whether to perform the virtualization operation, and the information associated with one or more activities that are to be performed in connection with the second resource, or (iii) obfuscation data used by the second virtualization logic to obfuscate the presence of the second resource or an entire set of resources.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computerized method of claim 19, wherein the first virtualization logic is deployed within a user mode of the virtual machine.
  - 21. The computerized method of claim 20, wherein the second virtualization logic is deployed within a kernel mode of the virtual machine.
  - 22. The computerized method of claim 21, wherein the information associated with the one or more activities that are performed in connection with the second resource includes altering a file path.
  - 23. The computerized method of claim 22, wherein the information associated with the one or more activities that are performed in connection with the first resource includes altering a handle for the first resource.

24. A non-transitory computer readable medium that stores virtualization logic operating within a virtual machine that, when executed by one or more processors, performs operations comprising:
- receiving, by the virtualization logic, a request from a process running on the virtual machine, the request is associated with a first resource;
  
  analyzing, by the virtualization logic, contents of the request to determine whether the first resource identified in the request is to be virtualized; and
  
  in response to determining by the virtualization logic that the first resource is to be virtualized, selecting one of a plurality of virtualization schemes conducted to the first resource, the plurality of virtualization schemes comprises (1) servicing the request by returning virtualized data to a portion of the process that initiated the request where the request is one of a first subset of a plurality of requests and (2) redirecting the request to a second resource that is different from the first resource, wherein the redirecting of the request is (i) for a first type of request being one of a second subset of the plurality of request that is associated with a particular activity that is independent of kernel involvement and (ii) directed to system code.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 34, 42, 43, 44)
- - 25. The non-transitory computer readable medium of claim 24, wherein the virtualized data associated with the request being one of the first subset of the plurality of requests comprises a handle.
  - 26. The non-transitory computer readable medium of claim 24, wherein the request being one of the second subset of the plurality of requests comprises a path to a first address in a virtual memory of the platform and the modified request comprises an alternative path to a second address in the virtual memory of the platform, the second address in the virtual memory being different from the first address in the virtual memory.
  - 27. The non-transitory computer readable medium of claim 24, wherein the virtualization logic is implemented in a user mode of the virtual machine.
  - 28. The non-transitory computer readable medium of claim 24, wherein the virtualization logic is implemented in a kernel mode of the virtual machine.
  - 29. The non-transitory computer readable medium of claim 24, wherein the second resource corresponds to the system code.
  - 30. The non-transitory computer readable medium of claim 24, wherein the redirecting of the request to the second resource comprises obfuscating at least a portion of the virtualized data prior to returning the virtualized data to the portion of the process that initiated the request.
  - 34. The non-transitory computer readable medium of claim 24, wherein the redirecting of the request to the second resource comprisesgenerating a modified request by changing a resource associated with the request to the second resource;
    - receiving virtualized data in response to providing the modified request to the second resource for processing; and
      
      returning the virtualized data to the portion of the process that initiated the request.
  - 42. The non-transitory computer readable medium of claim 24, wherein the system code is logic within the virtual machine that is configured to access at least the second resource.
  - 43. The non-transitory computer readable medium of claim 42, wherein the logic corresponds to a portion of an operating system of the virtual machine configured to access at least the second resource.
  - 44. The non-transitory computer readable medium of claim 24, wherein the particular activity is independent of kernel involvement when the particular activity is handled by the virtualization logic of the virtual machine operating in a user mode with less privileged access resources than the kernel of the virtual machine.

31. A platform comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process an object under analysis, a first virtual machine of the one or more virtual machines comprisesa first virtualization logic operating in a user mode, the first virtualization logic being configured to intercept a first request associated with a first subset of a plurality of activities that are handled by the first virtual machine, perform virtualization of a resource associated with the first request that produces virtualized data and return at least a portion of the virtualized data to a source that initiated the first request, anda second virtualization logic operating in a kernel mode, the second virtualization logic being configured to intercept a second request associated with a second subset of the plurality of activities that are handled by the first virtual machine and different from the first subset of the plurality of activities, perform virtualization of a resource associated with the second request that produces virtualized data, and return at least a portion of the virtualized data associated with the second request to a source that initiated the second request.
- View Dependent Claims (32, 33, 35, 36, 37, 38, 45, 46, 47, 48)
- - 32. The platform of claim 31, wherein the second virtualization logic, in response to detecting the second request associated with the second plurality of activities that are handled by the first virtual machine in kernel mode, the second virtualization logic determines whether to conduct virtualization of the resource associated with the second request.
  - 33. The platform of claim 31 further comprising a first logic that, when executed by the one or more hardware processors, detects whether an update to the configuration data is available to the platform.
  - 35. The platform of claim 31, wherein the first virtualization logic is configured to perform virtualization of the resource associated with the first request that produces virtualized data and return at least the portion of the virtualized data to the source that initiated the first request by obfuscating at least a portion of the virtualized data prior to returning the virtualized data to the source.
  - 36. The platform of claim 31, wherein the first virtualization logic is configured to intercept the first request associated with the first subset of the plurality of activities that are handled by the first virtual machine and service the first request by returning virtualized data to a portion of a process or threat that initiated an activity associated with the first request.
  - 37. The platform of claim 36, wherein the first virtualization logic is configured to intercept a second request associated with the first subset of the plurality of activities that are handled by the first virtual machine, perform virtualization of a resource associated with the second request that produces virtualized data, and return at least a portion of the virtualized data to a source that initiated the second request by at least (i) generating a modified second request from the second request by changing the resource associated with the second request and subsequently passing the modified second request to system code for processing, (ii) receiving the virtualized data in response to providing the modified second request to the system code, and (iii) returning at least the portion of the virtualized data to the source.
  - 38. The platform of claim 31, wherein the first virtualization logic is configured to intercept the first request associated with the first subset of the plurality of activities that are handled by the first virtual machine, perform virtualization of a resource associated with the first request that produces virtualized data, and return at least a portion of the virtualized data to a source that initiated the first request by at least (i) generating a modified first request from the first request by changing the resource associated with the first request and subsequently passing the modified first request to system code for processing, (ii) receiving the virtualized data in response to providing the modified first request to the system code, and (iii) returning at least the portion of the virtualized data to the source.
  - 45. The platform of claim 31, wherein the first subset of the plurality of activities being lesser in number than the plurality of activities and the second subset of the plurality of activities being lesser in number than the plurality of activities.
  - 46. The platform of claim 45, wherein the first virtualization logic operating in the user mode being an operating mode with lesser privileges than the kernel mode.
  - 47. The platform of claim 37, wherein the system code is logic within the first virtual machine that is configured to access at least the resource based on the modified second request.
  - 48. The platform of claim 47, wherein the logic corresponds to a portion of an operating system of the first virtual machine configured to access at least the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vincent, Michael
Primary Examiner(s)
Kamran, Mehran

Application Number

US15/081,775
Publication Number

US 20160335110A1
Time in Patent Office

1,271 Days
Field of Search

718 1
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

Selective virtualization for security threat detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Selective virtualization for security threat detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links