Detection of malware using an instrumented virtual machine environment

US 10,515,210 B2
Filed: 12/17/2018
Issued: 12/24/2019
Est. Priority Date: 07/14/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a candidate malware sample;

instantiate a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;

preload one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;

override an installer for the resource to redirect the installer to the new resource system file location directory;

install, via the installer, the first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;

install, via the installer, the second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and

generate an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques for detection of malware using an instrumented virtual machine environment are disclosed. In some embodiments, detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.

Citations

21 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a candidate malware sample;
  
  instantiate a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
  
  preload one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
  
  override an installer for the resource to redirect the installer to the new resource system file location directory;
  
  install, via the installer, the first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
  
  install, via the installer, the second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
  
  generate an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system recited in claim 1, wherein the resource includes an executable application, and wherein the candidate malware sample includes a file in a format that is compatible with the executable application.
  - 3. The system recited in claim 1, wherein the instrumented virtual machine environment is monitored while executing each version of the resource with the candidate malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected.
  - 4. The system recited in claim 1, wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
  - 5. The system recited in claim 1, wherein the processor is further configured to:
    - store a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource.
  - 6. The system recited in claim 1, wherein the processor is further configured to:
    - store a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource; and
      
      for each version of the resource to be executed, rename one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name.
  - 7. The system recited in claim 1, wherein the system executes a cloud security service, and wherein the processor is further configured to:
    - receive the candidate malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the candidate malware sample opened using each version of the resource to determine whether the candidate malware sample indicates potentially malicious behavior.

8. A method, comprising:
- receiving a candidate malware sample;
  
  instantiating a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
  
  preloading one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
  
  overriding an installer for the resource to redirect the installer to the new resource system file location directory;
  
  installing, via the installer, the first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
  
  installing, via the installer, the second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
  
  generating an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the resource includes an executable application, and wherein the candidate malware sample includes a file in a format that is compatible with the executable application.
  - 10. The method of claim 8, wherein the instrumented virtual machine environment is monitored while executing each version of the resource with the candidate malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected.
  - 11. The method of claim 8, wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
  - 12. The method of claim 8, further comprising:
    - storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource.
  - 13. The method of claim 8, further comprising:
    - storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource; and
      
      for each version of the resource to be executed, renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name.
  - 14. The method of claim 8, wherein the instrumented virtual machine environment is executed by a cloud security service, and further comprising:
    - receiving the candidate malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the candidate malware sample opened using each version of the resource to determine whether the candidate malware sample indicates potentially malicious behavior.

15. A computer program product, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
- receiving a candidate malware sample;
  
  instantiating a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
  
  preloading one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
  
  overriding an installer for the resource to redirect the installer to the new resource system file location directory;
  
  installing, via the installer, the first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
  
  installing, via the installer, the second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
  
  generating an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product recited in claim 15, wherein the resource includes an executable application, and wherein the candidate malware sample includes a file in a format that is compatible with the executable application.
  - 17. The computer program product recited in claim 15, wherein the instrumented virtual machine environment is monitored while executing each version of the resource with the candidate malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected.
  - 18. The computer program product recited in claim 15, wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
  - 19. The computer program product recited in claim 15, further comprising computer instructions for:
    - storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource.
  - 20. The computer program product recited in claim 15, further comprising computer instructions for:
    - storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource; and
      
      for each version of the resource to be executed, renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name.
  - 21. The computer program product recited in claim 15, wherein the instrumented virtual machine environment is executed by a cloud security service, and further comprising computer instructions for:
    - receiving the candidate malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the candidate malware sample opened using each version of the resource to determine whether the candidate malware sample indicates potentially malicious behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Lu, ChienHua, Qu, Bo
Primary Examiner(s)
Le, Chau

Application Number

US16/222,982
Publication Number

US 20190138714A1
Time in Patent Office

372 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2123   Dummy operation

Detection of malware using an instrumented virtual machine environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malware using an instrumented virtual machine environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links