Malware detection using a digital certificate

US 10,642,976 B2
Filed: 06/27/2015
Issued: 05/05/2020
Est. Priority Date: 06/27/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

analyze data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;

assign a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;

determine, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and

classify, based on a determination that the digital certificate is trusted, the file as trusted.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to analyze data related to a digital certificate and assign a reputation to the digital certificate, where the reputation includes an indication if the data is proper. The analysis of the data can include determining if code signing for the digital certificate matches binary code for the digital certificate, if the digital certificate has been grafted to the data by modifying a portable executable file header, or the digital certificate is the same as another trusted digital certificate associated with different data.

33 Citations

12 Claims

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- analyze data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;
  
  assign a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;
  
  determine, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and
  
  classify, based on a determination that the digital certificate is trusted, the file as trusted.
- View Dependent Claims (2, 3)
- - 2. The at least one non-transitory machine readable medium of claim 1, wherein the digital certificate is improper if the digital certificate fails Authenticode validation or has an invalid Authenticode.
  - 3. The at least one non-transitory machine readable medium of claim 1, further comprising:
    - classifying a file that includes the digital certificate as untrusted based on the determination that the digital certificate is untrusted.

4. An apparatus comprising:
- memory; and
  
  a hardware processor configured to;
  
  identify a file stored in the memory that includes a digital certificate and data related to the digital certificate;
  
  analyze the data related to the digital certificate to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;
  
  assign a reputation to the file, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;
  
  determine, based on the assigned reputation to the file including the indication that the data is proper, whether the digital certificate is trusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and
  
  classify, based on a determination that the digital certificate is trusted, the file as trusted.
- View Dependent Claims (5, 6)
- - 5. The apparatus of claim 4, wherein the digital certificate is improper if the digital certificate fails Authenticode validation or has an invalid Authenticode.
  - 6. The apparatus of claim 4, wherein the file is classified as untrusted based on a determination that the digital certificate is untrusted.

7. A method comprising:
- analyzing data related to a digital certificate associated with a file to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;
  
  assigning a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;
  
  determining, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and
  
  classifying, based on a determination that the digital certificate is trusted, the file as trusted.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein the digital certificate is improper if the digital certificate fails Authenticode validation or has an invalid Authenticode.
  - 9. The method of claim 7, further comprising:
    - classifying a file that includes the digital certificate as untrusted based on the determination that the digital certificate is untrusted.

10. A system for malware detection using a digital certificate, the system comprising:
- memory in an electronic device;
  
  a hardware processor in the electronic device, wherein the hardware processor is configured to execute a digital certificate validation module configured for;
  
  identifying data stored in the memory related to a digital certificate associated with a file;
  
  analyzing the data related to the digital certificate to determine whether the data is proper or not proper, wherein the analysis of the data includes determining if the digital certificate has been grafted to the data by modifying a portable executable file header, determining the digital certificate is the same as another trusted digital certificate associated with different data, and determining if code signing for the digital certificate matches binary code for the digital certificate;
  
  assigning a reputation to the digital certificate, wherein the reputation includes an indication if the data related to the digital certificate is proper or not proper, and wherein the data related to the digital certificate is not proper if the digital certificate has been grafted to the data by modifying the portable executable header, if the digital certificate is the same as another trusted digital certificate associated with different data, or if code signing for the digital certificate does not match binary code for the digital certificate;
  
  determining, based on the assigned reputation to the digital certificate including the indication that the data is proper, whether the digital certificate is trusted or untrusted, wherein the digital certificate is untrusted if the digital certificate is known to be associated with malware; and
  
  classifying, based on a determination that the digital certificate is trusted, the file as trusted.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, wherein the digital certificate is improper if the digital certificate fails Authenticode validation or has an invalid Authenticode.
  - 12. The system of claim 10, further comprising:
    - classifying a file that includes the digital certificate as untrusted based on the determination that the digital certificate is untrusted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Spurlock, Joel R., Venugopalan, Ramnath
Primary Examiner(s)
Simitoski, Michael

Application Number

US14/752,874
Publication Number

US 20160378983A1
Time in Patent Office

1,774 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/563 by source code analysis

G06F 21/567 using dedicated hardware

Malware detection using a digital certificate

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using a digital certificate

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links