Method and system for analyzing data for potential malware

US 20060075494A1
Filed: 03/14/2005
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for generating a definition for malware, the method comprising:

receiving a URL corresponding to a Web site that includes content;

downloading at least a portion of the content from the Web site, determining the likelihood that the downloaded content includes malware;

responsive to the determined likelihood surpassing a threshold value, passing at least a portion of the potential malware to an active browser, the active browser having a known configuration;

operating the potential malware on the active browser;

recording changes to the known configuration of the active browser, wherein the changes are caused by operating the potential malware;

determining whether the recorded changes to the known configuration are indicative of malware; and

responsive to determining that the recorded changes are indicative of malware, generating a definition for the potential malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for generating a definition for malware and/or detecting malware. is described. One exemplary embodiment includes a downloader for downloading a portion of a Web site; a parser for parsing the downloaded portion of the Web site; a statistical analysis engine for determining if the downloaded portions of the Web site should be evaluated by the active browser; an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and a definition module for generating a definition for the potential malware based on the changes to the known configuration.

340 Citations

22 Claims

1. A method for generating a definition for malware, the method comprising:
- receiving a URL corresponding to a Web site that includes content;
  
  downloading at least a portion of the content from the Web site, determining the likelihood that the downloaded content includes malware;
  
  responsive to the determined likelihood surpassing a threshold value, passing at least a portion of the potential malware to an active browser, the active browser having a known configuration;
  
  operating the potential malware on the active browser;
  
  recording changes to the known configuration of the active browser, wherein the changes are caused by operating the potential malware;
  
  determining whether the recorded changes to the known configuration are indicative of malware; and
  
  responsive to determining that the recorded changes are indicative of malware, generating a definition for the potential malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - parsing the downloaded content to identify known malware or a known malware indicator.
  - 3. The method of claim 2, wherein parsing the downloaded content comprises:
    - identifying an obfuscated URL in the downloaded content.
  - 4. The method of claim 3, wherein identifying an obfuscated URL in the downloaded content comprises:
    - identifying a URL encoded in ASCII.
  - 5. The method of claim 3, wherein identifying an obfuscated URL in the downloaded content comprises:
    - identifying a URL encoded in hexadecimal.
  - 6. The method of claim 2, wherein parsing the downloaded content to identify the potential malware comprises:
    - parsing script included in the content.
  - 7. The method of claim 6, wherein parsing the downloaded content to identify the potential malware comprises:
    - parsing the script to identify an obfuscated URL.
  - 8. The method of claim 1, wherein determining the likelihood that the downloaded content includes malware comprises:
    - applying a statistical analysis to the downloaded content.
  - 9. The method of claim 8, wherein the downloaded content includes HTML and format instructions and wherein applying the statistical analysis comprises:
    - evaluating the HTML and the format instructions using the statistical analysis.
  - 10. The method of claim 1, wherein determining the likelihood that the downloaded content includes malware comprises:
    - applying a Bayesian analysis to the downloaded content.
  - 11. The method of claim 1, wherein determining the likelihood that the downloaded content includes malware comprises:
    - applying a scoring analysis to the downloaded content.
  - 12. The method of claim 11, further comprising:
    - updating the scoring analysis responsive to determining that the recorded changes to the known configuration are indicative of malware.
  - 13. The method of claim 12, further comprising:
    - updating the scoring analysis responsive to determining that the recorded changes to the known configuration are not indicative of malware.

14. A system for generating a definition for malware, the system comprising:
- a downloader for downloading a portion of a Web site, a parser for parsing the downloaded portion of the Web site;
  
  a statistical analysis engine for determining if the downloaded portions of the Web site should be evaluated by the active browser;
  
  an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and
  
  a definition module for generating a definition for the potential malware based on the changes to the known configuration.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The system of claim 14, wherein the parser comprises an HTML parser.
  - 16. The system of claim 14, wherein the parser comprises a script parser.
  - 17. The system of claim 16, wherein the script parser comprises:
    - a JavaScript parser.
  - 18. The system of claim 14, wherein the parser comprises a form parser.
  - 19. The system of claim 14, wherein the active browser comprises:
    - a plurality of shield modules.
  - 20. The method of claim 14, wherein determining the likelihood that the downloaded content includes malware comprises:
    - a content-scoring filter.
  - 21. The method of claim 14, wherein determining the likelihood that the downloaded content includes malware comprises:
    - a self-learning content-scoring filter.
  - 22. The method of claim 14, wherein determining the likelihood that the downloaded content includes malware comprises:
    - a Bayesian scoring filter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Bertman, Justin R., Boney, Matthew L.

Application Number

US11/079,417
Publication Number

US 20060075494A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

Method and system for analyzing data for potential malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

340 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Method and system for analyzing data for potential malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

340 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others