Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system

US 20040054917A1
Filed: 08/30/2002
Published: 03/18/2004
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious code on an information handling system, comprising:

executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;

applying the detection routines to executable code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines; and

determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.

155 Citations

50 Claims

1. A method for detecting malicious code on an information handling system, comprising:
- executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;
  
  applying the detection routines to executable code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines; and
  
  determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the malicious code comprises a Trojan horse.
  - 3. The method of claim 1, wherein the detection routines include valid program detection routines and malicious code detection routines.
  - 4. The method of claim 1, wherein the information handling system includes an operating system, further comprising:
    - configuring the detection routines to gather information about the executable code under investigation by at least one selected from the group consisting of examining each code or program itself and searching for information about each respective code or program in the operating system.
  - 5. The method of claim 1, wherein determining whether the code under investigation is a valid program or malicious code includes scoring the execution of the detection routines as a function of the weights.
  - 6. The method of claim 5, wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.

7. A method for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, comprising:
- executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each code or program itself and b) searching for information about each code or program in the operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines;
  
  applying the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and
  
  determining whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.

8. A method for detecting malicious code on a information handling system, comprising:
- executing detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system;
  
  assigning weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and
  
  determining whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 9. The method of claim 8, wherein the detection routines include valid program detection routines and malicious code detection routines.
  - 10. The method of claim 8, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program;
    - and wherein the malicious code detection routines are configured to determine whether he executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
  - 11. The method of claim 8, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
  - 12. The method of claim 11, wherein scoring includes using of a scoring algorithm configured to identify executable code as malicious code in response to at least one of a valid score and a malicious code score.
  - 13. The method of claim 12, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routine having a summed value greater than a malicious code weight threshold.
  - 14. The method of claim 13, wherein the scoring algorithm further determines an anomalous program by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
  - 15. The method of claim 8, further comprising:
    - operatively coupling the detection routines to an operating system kernel of the information handling system via application programming interfaces (APIs).
  - 16. The method of claim 8, wherein the detection routines are further configured to access process behavior data of executable code under investigation running on the information handling system.
  - 17. The method of claim 8, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
  - 18. The method of claim 8, wherein the detection routines access information about the executable code under investigation running on the information handling system from an operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
  - 19. The method of claim 8, further comprising:
    - delivering malicious code detection code (MCDC) containing the detection routines to the information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
  - 20. The method of claim 8, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.

21. A computer program stored on computer-readable media for detecting malicious code in the form of a Trojan horse on an information handling system having an operating system, the computer program including instructions processable by the information handing system for causing the information handling system to:
- execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the computer during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each respective executable code or program in the operating system, the detection routines consisting of at least one of valid program detection routines and malicious code detection routines;
  
  apply the detection routines to the executable code under investigation running on the information handling system, the detection routines being further configured to associate weights to respective code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine; and
  
  determine whether code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, wherein scoring includes configuring a scoring algorithm to identify code under investigation as malicious code in response to at least one of a valid score and a malicious code score.

22. A computer program stored on computer-readable media for detecting malicious code on an information handling system, the computer program including instructions processable by the information handling system for causing the information handling system to:
- execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of executable code under investigation running on the computer system;
  
  assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines; and
  
  determine whether executable code under investigation is malicious code as a function of the assigned weights.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 23. The computer program of claim 22, wherein the detection routines include valid program detection routines and malicious code detection routines.
  - 24. The computer program of claim 22, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program;
    - and wherein the malicious code detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
  - 25. The computer program of claim 22, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
  - 26. The computer program of claim 25, wherein scoring includes using of a scoring algorithm configured to identify executable code as malicious code in response to at least one of a valid score and a malicious code score.
  - 27. The computer program of claim 26, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routine having a summed value greater than a malicious code weight threshold.
  - 28. The computer program of claim 27, wherein the scoring algorithm further determines an anomalous executable code under investigation by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
  - 29. The computer program of claim 22, further comprising instructions processable by the information handling system for causing the information handling system to:
    - operatively couple the detection routines to an operating system kernel of the information handling system via application programming interfaces (APIs).
  - 30. The computer program of claim 22, wherein the detection routines are further configured to access process behavior data of executable code under investigation running on the information handling system.
  - 31. The computer program of claim 22, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
  - 32. The computer program of claim 22, wherein the detection routines access information about the executable code under investigation running on the information handling system from an operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
  - 33. The computer program of claim 22, comprising instructions processable by the information handling system for further causing the information handling system to:
    - deliver malicious code detection code (MCDC) containing detection routines to the information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
  - 34. The computer program of claim 22, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.

35. An information handling system comprising:
- a memory;
  
  a processor;
  
  an operating system; and
  
  computer-readable code stored on said memory and processable by said processor for detecting malicious code in the form of a Trojan horse, said computer-readable code including instructions for causing the processor to execute malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines configured to gather information about executable code under investigation running on the information handling system during execution of the MCDC, the detection routines including at least one selected from the group consisting of a) examining each executable code or program itself and b) searching for information about each executable code or program in said operating system, the detection routines further consisting of valid program detection routines and malicious code detection routines, apply the detection routines to the executable code under investigation running on the information handling system, the detection routines further configured to assign weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of a respective detection routine, and determine whether executable code under investigation is a valid program or malicious code as a function of the weights associated by the detection routines, wherein determining whether the code under investigation is a valid program or malicious code includes scoring an execution of the detection routines as a function of the weights, and wherein scoring further includes configuring a scoring algorithm to identify executable code under investigation as malicious code in response to at least one of a valid score and a malicious code score.

36. An information handling system comprising:
- a memory;
  
  a processor;
  
  an operating system; and
  
  computer-readable code stored on said memory and processable by said processor for detecting malicious code on said information handling system, said computer-readable code including instructions for causing the processor to execute detection routines, the detection routines configured to examine at least one selected from the group consisting of characteristics and behaviors of programs running on said information handling system, assign weights as a function of the examined characteristics and behaviors, the assigned weights indicative of a valid program or malicious code as a function of respective detection routines, and determine whether executable code under investigation is malicious code as a function of the weights assigned by the detection routines.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 37. The information handling system of claim 36, wherein the detection routines include valid program detection routines and malicious code detection routines.
  - 38. The information handling system of claim 36, wherein the valid program detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with a valid program;
    - and wherein the malicious code detection routines are configured to determine whether the executable code under investigation exhibits at least one or more characteristics and behaviors associated with malicious code.
  - 39. The information handling system of claim 36, wherein determining whether the executable code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights.
  - 40. The information handling system of claim 39, wherein scoring includes using of a scoring algorithm configured to identify executable code as malicious code in response to a valid score and a malicious code score.
  - 41. The information handling system of claim 40, wherein the scoring algorithm determines a valid program by a summation of weights of the valid program detection routines being greater than a valid program weight threshold, and a malicious code by a summation of weights of the malicious code detection routine having a summed value greater than a malicious code weight threshold.
  - 42. The information handling system of claim 41, wherein the scoring algorithm further determines an anomalous executable code under investigation by the summation of weights of the valid program detection routines and the summation of weights of the malicious code detection routines both having sums greater than respective thresholds, or less than the respective thresholds.
  - 43. The information handling system of claim 36, wherein the characteristics and behaviors include at least one selected from the group consisting of logging keystrokes, saving a display screen view, uploading files, downloading files, running programs, and controlling the display screen.
  - 44. The information handling system of claim 36, wherein the detection routines access information about the executable code under investigation running on the information handling system from said operating system of the information handling system via Application Programming Interfaces (APIs), and the detection routines further gather information from executable code or a program itself by examining a binary image of the executable code or program, the characteristics and behavior of the executable code or program, and any other related code or programs used by the executable code under investigation.
  - 45. The information handling system of claim 36, wherein said computer-readable code further includes instructions for delivering the MCDC containing detection routines to said information handling system in a small compact code module via one selected from the group consisting of a computer network, Internet, intranet, extranet, modem line, and prepackaged computer readable storage media.
  - 46. The information handling system of claim 36, wherein execution of the MCDC occurs in response to one selected from the group consisting of a random initiation, an event driven initiation, and a periodic initiation.

47. A method for detecting malicious code on an information handling system, comprising:
- executing malicious code detection code (MCDC) on the information handling system, the MCDC including detection routines;
  
  applying the detection routines to code under investigation running on the information handling system during the execution of the MCDC, the detection routines being configured to associate weights to respective code under investigation in response to detections of malicious code as a function of respective detection routines; and
  
  determining whether code under investigation is malicious code as a function of the weights associated by the detection routines.
- View Dependent Claims (48, 49, 50)
- - 48. The method of claim 47, wherein the malicious code comprises a Trojan horse.
  - 49. The method of claim 47, wherein the information handling system includes an operating system, further comprising:
    - configuring the detection routines to gather information about the code under investigation by examining each code or program itself and by searching for information about each respective code or program in the operating system.
  - 50. The method of claim 47, wherein determining whether the code under investigation is malicious code includes scoring the execution of the detection routines as a function of the weights, further wherein scoring includes configuring a scoring algorithm to identify a code or program as malicious code in response to a malicious code score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
WholeSecurity, Inc. (Gen Digital Inc.)
Inventors
Alagna, Michael Tony, Obrecht, Mark, Payne, Andy

Granted Patent

US 7,748,039 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links