Method and system for analyzing data for potential malware
Abstract
A system and method for generating a definition for malware and/or detecting malware is described. One exemplary embodiment includes a downloader for downloading a portion of a Web site; a parser for parsing the downloaded portion of the Web site; a statistical analysis engine for determining if the downloaded portions of the Web site should be evaluated by the active browser; an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and a definition module for generating a definition for the potential malware based on the changes to the known configuration.
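The flow in the abstract (score the download, run it in the active browser only above a threshold, diff the known configuration, emit a definition) can be sketched as follows; this is an added example, not code from the patent. The indicator weights, the threshold, the sensitive-key prefixes, the definition fields and `fake_browser` (a stand-in for an instrumented sandboxed browser) are all assumptions, and the sample data is constructed.

```python
import hashlib
import re

# Assumed indicators and weights; the page does not define the statistical model.
INDICATORS = {r"eval\s*\(": 0.3, r"unescape\s*\(": 0.3,
              r"<iframe[^>]*\bheight\s*=\s*[\"']?0": 0.3, r"ActiveXObject": 0.2}
THRESHOLD = 0.5  # assumed value
# Assumed: configuration areas where an unexpected change is indicative of malware.
SENSITIVE = ("registry:run/", "browser:homepage", "browser:bho/")

def likelihood(content):
    """Static score in [0, 1] for downloaded content."""
    return min(1.0, sum(w for p, w in INDICATORS.items() if re.search(p, content, re.I)))

def diff_config(before, after):
    """Record changes between the known configuration and the post-run state."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            kind = "added" if key not in before else "removed" if key not in after else "modified"
            changes.append((kind, key, after.get(key)))
    return changes

def analyze(url, content, known_config, active_browser):
    """Return a definition dict, or None if the content is not flagged."""
    if likelihood(content) <= THRESHOLD:  # only content surpassing the threshold is run
        return None
    after = active_browser(content, dict(known_config))  # run on a copy of the baseline
    hits = [c for c in diff_config(known_config, after) if c[1].startswith(SENSITIVE)]
    if not hits:
        return None
    return {"source_url": url,
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
            "artifacts": hits}

# Constructed sample data; fake_browser simulates what an instrumented browser would report.
KNOWN = {"browser:homepage": "about:blank", "file:cache/index": "v1"}
SUSPICIOUS = "<script>eval(unescape('%61%62'))</script><iframe height=0 src='x'></iframe>"
BENIGN = "<html><body><p>hello</p></body></html>"

def fake_browser(content, config):
    config["registry:run/updater"] = "updater.exe"  # simulated autorun entry
    config["browser:homepage"] = "http://example.test/"
    config["file:cache/index"] = "v2"  # ordinary cache churn, not sensitive
    return config

if __name__ == "__main__":
    print(analyze("http://example.test/a", SUSPICIOUS, KNOWN, fake_browser))
    print(analyze("http://example.test/b", BENIGN, KNOWN, fake_browser))
```

The cache change is recorded by the diff but excluded from the definition, which is the "indicative of malware" filtering step; benign content never reaches the browser at all.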
22 Claims
1. A method for generating a definition for malware, the method comprising:
receiving a URL corresponding to a Web site that includes content;
downloading at least a portion of the content from the Web site, determining the likelihood that the downloaded content includes malware;
responsive to the determined likelihood surpassing a threshold value, passing at least a portion of the potential malware to an active browser, the active browser having a known configuration;
operating the potential malware on the active browser;
recording changes to the known configuration of the active browser, wherein the changes are caused by operating the potential malware;
determining whether the recorded changes to the known configuration are indicative of malware; and
responsive to determining that the recorded changes are indicative of malware, generating a definition for the potential malware.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)

14. A system for generating a definition for malware, the system comprising:
a downloader for downloading a portion of a Web site, a parser for parsing the downloaded portion of the Web site;
a statistical analysis engine for determining if the downloaded portions of the Web site should be evaluated by the active browser;
an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and
a definition module for generating a definition for the potential malware based on the changes to the known configuration.
(Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22)

Specification