System and method for locating malware
Abstract
A system and method for managing malware is described. One embodiment is designed to receive an initial URL associated with a Web site; download content from that Web site; identify any obfuscation techniques used to hide malware or pointers to malware; interpret those obfuscation techniques; identify a new URL as a result of interpreting the obfuscation techniques; and add the new URL to a URL database.
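The static part of the pipeline described in the abstract and claims, as an added Python example (not code from the patent): it collects embedded URLs from the HTML and plain URLs from script text, interprets two assumed obfuscation encodings (`String.fromCharCode` and `unescape`), and stores decoded URLs with a high-priority flag. The function names, table layout and sample page are constructed for illustration; executing a button-click function needs a real browser and is not shown.

```python
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*(\d{1,6}(?:\s*,\s*\d{1,6})*)\s*\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")

# Constructed sample page: one HTML link, one plain script URL, two encoded URLs.
SAMPLE = """<html><body><a href="http://example.com/landing">x</a>
<script>
var a = "http://example.net/plain.js";
var b = String.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,111,114,103,47,122);
var c = unescape('%68%74%74%70%3A%2F%2Fexample.invalid%2Fy');
</script></body></html>"""

class PageParser(HTMLParser):
    """Collects href/src attribute values and the text of <script> elements."""
    def __init__(self):
        super().__init__()
        self.embedded, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        self.embedded += [v for k, v in attrs if k in ("href", "src") and v]
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def decode_obfuscated(script):
    """Interpret two common encodings and return the URLs they hide."""
    decoded = ["".join(chr(int(n)) for n in m.split(",")) for m in CHARCODE_RE.findall(script)]
    decoded += [unquote(m) for m in UNESCAPE_RE.findall(script)]
    return [u for text in decoded for u in URL_RE.findall(text)]

def scan(content, db):
    """Store every URL found; URLs recovered by decoding get high_priority=1."""
    parser = PageParser()
    parser.feed(content)
    parser.close()
    script = "\n".join(parser.scripts)
    found = {u: 0 for u in parser.embedded if URL_RE.match(u)}
    found.update({u: 0 for u in URL_RE.findall(script)})
    found.update({u: 1 for u in decode_obfuscated(script)})
    db.execute("CREATE TABLE IF NOT EXISTS urls (url TEXT PRIMARY KEY, high_priority INTEGER)")
    db.executemany("INSERT INTO urls VALUES (?, ?) ON CONFLICT(url) DO UPDATE SET "
                   "high_priority = MAX(high_priority, excluded.high_priority)", found.items())
    return dict(db.execute("SELECT url, high_priority FROM urls"))
```

The upsert keeps the higher flag, so a URL first seen in obfuscated form stays high priority even if a later page links to it in the clear.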
13 Claims
1. A method for identifying Web sites that may include malware, the method comprising:
receiving an initial URL associated with a Web site;
downloading content associated with the initial URL, the content including HTML, a script program, and code related to a button-click event that executes a function;
searching the HTML in the downloaded content for an embedded URL;
identifying a non-obfuscated URL in the script program;
identifying an obfuscated URL in the script program;
executing the function corresponding to the button-click event;
receiving a new URL as a result of executing the function;
adding the embedded URL, the non-obfuscated URL and the new URL to a URL database; and
adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the obfuscated URL.
Dependent claims: 2, 3, 4, 5

6. A method for identifying malware, the method comprising:
receiving an initial URL associated with a Web site;
downloading content associated with the initial URL, the content including a script program;
identifying obfuscation techniques in the script program;
interpreting the obfuscation techniques;
identifying a new URL as a result of interpreting the obfuscation techniques;
adding the new URL to a URL database; and
adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the new URL and the high-priority indicator indicating that the new URL is likely to be associated with malware.
Dependent claims: 7, 8

9. A method for identifying malware, the method comprising:
downloading content associated with an initial URL, the content including an object and an embedded URL;
extracting the embedded URL from the content;
adding the extracted URL to a URL database;
determining whether the object can be verified through text searching; and
responsive to the object not being verifiable through text searching, passing the object to an active browser.
Dependent claims: 10, 11, 12

13. A method for identifying Web sites that may include malware, the method comprising:
receiving an initial URL associated with a Web site;
downloading content associated with the initial URL, the content including code related to a button-click event that executes a function;
searching the code for an embedded URL;
executing the function corresponding to the button-click event;
receiving a new URL as a result of executing the function;
adding the new URL to a URL database.
Specification