Heuristic detection of malicious computer code by page tracking

US 20040015712A1
Filed: 10/04/2002
Published: 01/22/2004
Est. Priority Date: 07/19/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious code in a host file, the method comprising the steps of:

emulating the host file in a virtual machine having a virtual memory;

tracking access of the virtual memory by the host file; and

detecting potential malicious code responsive to an access of the virtual memory within a non-normal address range.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To detect a computer virus in a host file (100), an emulating module (414) emulates the host file (100) in a virtual machine (422) having a virtual memory (426). While emulating the host file (100), the system (400) tracks the host file'"'"'s access of the virtual memory (426). Responsive to an access in a non-normal address range of the virtual memory (426) by the host file (100), a flag recording module (522) sets a flag. A virus reporting module (526) declares a potential virus based on whether the flag is set.

474 Citations

28 Claims

1. A computer-implemented method for detecting malicious code in a host file, the method comprising the steps of:
- emulating the host file in a virtual machine having a virtual memory;
  
  tracking access of the virtual memory by the host file; and
  
  detecting potential malicious code responsive to an access of the virtual memory within a non-normal address range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein detecting the potential malicious code comprises the steps of:
    - setting a flag responsive to the access of the virtual memory within the non-normal address range; and
      
      declaring the potential malicious code based on the status of the flag.
  - 3. The method of claim 1, wherein emulating the host file comprises the steps of:
    - identifying a potential entry point for the malicious code in the host file; and
      
      emulating instructions in the host file around the entry point.
  - 4. The method of claim 1, wherein the non-normal address range is a section of a file other than a section containing executable code.
  - 5. The method of claim 1, wherein the non-normal address range is a header portion of a dynamically linked library.
  - 6. The method of claim 5, wherein the dynamically linked library is KERNEL32.DLL.
  - 7. The method of claim 1, wherein the access of the virtual memory is a read operation.
  - 8. The method of claim 1, wherein the host file is in the PE (portable executable) format.

9. A computer program product comprising a computer-readable medium containing computer program code for detecting malicious code in a host file, the computer program code comprising instructions for performing the steps of:
- emulating the host file in a virtual machine having a virtual memory;
  
  tracking access of the virtual memory by the host file; and
  
  detecting potential malicious code responsive to an access of the virtual memory within a non-normal address range.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein detecting the potential malicious code comprises the steps of:
    - setting a flag responsive to the access of the virtual memory within the non-normal address range; and
      
      declaring the potential malicious code based on the status of the flag.
  - 11. The computer program product of claim 9, wherein emulating the host file comprises the steps of:
    - identifying a potential entry point for the malicious code in the host file; and
      
      emulating instructions in the host file around the entry point.
  - 12. The computer program product of claim 9, wherein the non-normal address range is a section of a file other than a section containing executable code.
  - 13. The computer program product of claim 9, wherein the non-normal address range is a header portion of a dynamically linked library.
  - 14. The computer program product of claim 13, wherein the dynamically linked library is KERNEL32.DLL.
  - 15. The computer program product of claim 9, wherein the access of the virtual memory is a read operation.
  - 16. The computer program product of claim 9, wherein the host file is in the PE (portable executable) format.

17. A computer program product comprising a computer-readable medium containing computer program code for detecting malicious code in a host file, the computer program code comprising:
- an emulating module for emulating the host file in a virtual machine having a virtual memory;
  
  a flag recording module adapted to set a flag responsive to an access of a non-normal address range of the virtual memory by the host file; and
  
  a virus reporting module adapted to declare potential malicious code based on whether the flag is set.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer program product of claim 17, further comprising:
    - a virus database module for storing at least one address range of the virtual memory defined as non-normal.
  - 19. The computer program product of claim 17, wherein the virus reporting module declares potential malicious code based on the flag in combination with additional heuristics.
  - 20. The computer program product of claim 17, wherein the non-normal address range is a section of a file other than a section containing executable code.
  - 21. The computer program product of claim 17, wherein the non-normal address range is a header portion of a dynamically linked library.
  - 22. The computer program product of claim 17, wherein the host file is in the PE (portable executable) format.

23. A virus detection system for detecting malicious code in a host file, the system comprising:
- an emulating module for emulating the host file in a virtual machine having a virtual memory;
  
  a flag recording module coupled to the emulating module, the flag recording module adapted to set a flag responsive to an access of a non-normal address range of the virtual memory by the host file; and
  
  a virus reporting module coupled to the flag recording module, the virus reporting module adapted to declare potential malicious code based on whether the flag is set.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The virus detection system of claim 23, further comprising:
    - a virus database module coupled to the flag recording module, the virus database module storing one or more address ranges of the virtual memory defined as non-normal.
  - 25. The virus detection system of claim 23, wherein the virus reporting module declares potential malicious code based on the flag in combination with additional heuristics.
  - 26. The virus detection system of claim 23, wherein the non-normal address range is a section of a file other than a section containing executable code.
  - 27. The virus detection system of claim 23, wherein the non-normal address range is a header portion of a dynamically linked library.
  - 28. The virus detection system of claim 23, wherein the host file is in the PE (portable executable) format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter

Granted Patent

US 7,418,729 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Heuristic detection of malicious computer code by page tracking

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

474 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Heuristic detection of malicious computer code by page tracking

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

474 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others