Detection of malware using an instrumented virtual machine environment
Abstract
Various techniques for detection of malware using an instrumented virtual machine environment are disclosed. In some embodiments, detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.
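Because both versions of the resource live on one virtual machine, the monitoring output has to be attributed to the version that produced it; the per-version redirected system-file directory gives that attribution, and child processes inherit it from their parent. The following is an added illustration of that bookkeeping, not code from the patent or its assignee: the install paths, the monitor line format, the event names and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Each version of the resource (a document reader here) is installed into its own
# redirected system-file directory, so the directory alone identifies the version. Constructed paths.
INSTALL_DIRS = {
    "reader-9.0": r"C:\sandbox\res\reader-9.0",
    "reader-11.0": r"C:\sandbox\res\reader-11.0",
}

# Behaviours a document reader has no reason to show while merely rendering a file.
SUSPICIOUS = {"process_create", "net_connect", "write_startup"}

# Assumed monitor line format: "<ts> pid=<n> ppid=<n> image=<path> event=<name> [detail]".
EVENT_RE = re.compile(r"^\d+ pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) image=(?P<image>\S+) event=(?P<event>\S+)")

# Constructed monitor output: the same sample is opened once with each installed version.
SAMPLE_LOG = [
    r"1 pid=100 ppid=1 image=C:\sandbox\res\reader-9.0\reader.exe event=process_start",
    r"2 pid=100 ppid=1 image=C:\sandbox\res\reader-9.0\reader.exe event=file_open C:\samples\invoice.pdf",
    r"3 pid=100 ppid=1 image=C:\sandbox\res\reader-9.0\reader.exe event=process_create C:\Windows\System32\cmd.exe",
    r"4 pid=101 ppid=100 image=C:\Windows\System32\cmd.exe event=net_connect 203.0.113.5:443",
    r"5 pid=200 ppid=1 image=C:\sandbox\res\reader-11.0\reader.exe event=process_start",
    r"6 pid=200 ppid=1 image=C:\sandbox\res\reader-11.0\reader.exe event=file_open C:\samples\invoice.pdf",
    r"7 pid=300 ppid=1 image=C:\Windows\explorer.exe event=net_connect 192.0.2.9:80",
]

def version_of(image):
    """Map a process image path to the installed version whose directory contains it."""
    for ver, d in INSTALL_DIRS.items():
        if image.lower().startswith(d.lower() + "\\"):
            return ver
    return None

def analyze(log_lines):
    """Attribute every monitored event to a resource version (directly, or through the
    parent-process chain) and flag the sample if any version shows suspicious behaviour."""
    owner = {}                     # pid -> version that (transitively) spawned it
    findings = defaultdict(list)
    for line in log_lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ver = version_of(m["image"]) or owner.get(m["ppid"])
        if ver is None:
            continue               # unrelated to either installed version; ignored
        owner[m["pid"]] = ver
        if m["event"] in SUSPICIOUS:
            findings[ver].append(f'{m["event"]} by {m["image"]}')
    return {"malicious": bool(findings), "by_version": dict(findings)}
```

Running `analyze(SAMPLE_LOG)` flags the sample on the strength of the older version alone, while the unrelated explorer.exe connection is not counted against either version.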
21 Claims
1. A system, comprising:
a processor configured to:
receive a candidate malware sample;
instantiate a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
preload one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
override an installer for the resource to redirect the installer to the new resource system file location directory;
install, via the installer, the first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
install, via the installer, the second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
generate an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
a memory coupled to the processor and configured to provide the processor with instructions.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A method, comprising:
receiving a candidate malware sample;
instantiating a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
preloading one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
overriding an installer for the resource to redirect the installer to the new resource system file location directory;
installing, via the installer, the first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
installing, via the installer, the second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
generating an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer program product, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
receiving a candidate malware sample;
instantiating a first virtual machine in an instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
preloading one or more system files that are used by a first version of the resource and/or a second version of the resource into a new resource system file location directory, or a combination thereof;
overriding an installer for the resource to redirect the installer to the new resource system file location directory;
installing, via the installer, the first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource;
installing, via the installer, the second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource; and
generating an output indicating that the candidate malware sample is malicious based on the monitoring of the instrumented virtual machine environment while executing the first version of the resource with the candidate malware sample opened using the first version of the resource and/or based on the monitoring of the instrumented virtual machine environment while executing the second version of the resource with the candidate malware sample opened using the second version of the resource.
(Dependent claims: 16, 17, 18, 19, 20, 21)