Methods and systems for detection of forged computer files

US 20070056035A1
Filed: 08/11/2006
Published: 03/08/2007
Est. Priority Date: 08/16/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of determining whether a suspect file is malicious, comprising the operations of:

parsing the suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;

performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and

handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one or more embodiments of the present invention, a method of determining whether a suspect file is malicious includes the operations parsing the suspect file to determine if the suspect file purports to be a system file, performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file, and handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file. The suspect file is a purported system file when the suspect file includes at least one characteristic attribute of a system file.

81 Citations

View as Search Results

20 Claims

1. A method of determining whether a suspect file is malicious, comprising the operations of:
- parsing the suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
  
  performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
  
  handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the process of heuristic analysis includes performing investigative analysis on the suspect against known attributes of the file type.
  - 3. The method of claim 1, wherein the process of heuristic and/or signature analysis is programmable.
  - 4. The method of claim 1, wherein the computer file is one of a replacement file, duplicate file, or extraneous file falsely purporting to be a system file.
  - 5. The method of claim 1, wherein the process of heuristic analysis involves at least one of static analysis and dynamic analysis.
  - 6. The method of claim 5, wherein static analysis includes analyzing the suspect file without executing the file.
  - 7. The method of claim 5, wherein dynamic analysis includes utilizing the suspect file in a virtualized system.
  - 8. The method of claim 7, wherein the virtualized system includes one of hooking directly into the file and virtually emulating the computer system.
  - 9. The method of claim 1, wherein handling the purported system as a malicious file comprises at least one of:
    - quarantining the malicious file; and
      
      deleting the malicious file.

10. A computer readable medium on which is stored a computer program for executing the following instructions:
- parsing a suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
  
  performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
  
  handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.

11. A malware resistant computer system, comprising:
- a processing unit;
  
  a removable media interface configured to provide access to a received removable media element;
  
  a memory unit; and
  
  a computer file system, wherein the processing unit executes a series of operations to detect malware in at least one of the memory unit and the computer file system, the operations comprising;
  
  parsing a suspect file to determine if the suspect file purports to be a system file, the suspect file being a purported system file when the suspect file includes at least one characteristic attribute of a system file;
  
  performing at least one of a heuristic and signature analysis on the purported system file to determine if one or more attributes of the purported system file are consistent with the known attributes of a system file; and
  
  handling the purported system as a malicious file if the purported system file has at least one attribute that is determined not to be consistent with the attributes of a system file.

12. A method, comprising:
- receiving a suspect file;
  
  examining the suspect file to determine if the file purports to be a system file;
  
  examining the attributes of the purported system file to determine if the attributes are consistent with a system file; and
  
  declaring the purported file to be a forgery when the attributes are not consistent with the attributes of a system file.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, further comprising:
    - declaring the purported file to be a legitimate system file when the attributes are consistent with the attributes of a system file.
  - 14. The method of claim 12, wherein the operation of examining the suspect file to determine if the file purports to be a system file further comprises:
    - examining the suspect file name root; and
      
      comparing the suspect file name root to a database of system file name roots.
  - 15. The method of claim 12, wherein the operation of examining the suspect file to determine if the file purports to be a system file further comprises:
    - examining the suspect file name extension; and
      
      comparing the suspect file name extension to a database of system file name extensions.
  - 16. The method of claim 12, wherein the operation of examining the attributes of the purported system file to determine if the attributes are consistent with a system file further comprises:
    - examining the suspect file content to determine the presence of executable code; and
      
      examining the function of that executable code; and
      
      comparing the function of the executable code with the expected function based on at least one of a determined system file type, a determined system file originator, and a determined system file scope.
  - 17. The method of claim 12, wherein the operation of examining the suspect file to determine if the file purports to be a system file further comprises:
    - examining the suspect file content to determine the presence of at least one of an operating system vendor identifier, an operating system version identifier, a system file name identical to a known good system file name, a system file icon identical to a known good system file icon, a functionality within the suspect file that is not exposed until runtime including the capability of one of decompressing and creating a secondary file with system file attributes, a functionality to create a system driver file that uses system file attributes within the definition of that driver, and any functionality reserved solely for a system file.
  - 18. The method of claim 12, wherein the operation of examining the attributes of the purported system file to determine if the attributes are consistent with a system file further comprises:
    - examining the attributes of the purported system file to determine at least one of a predetermined version characteristic, a time period characteristic, a predetermined syntax within known good version information, a predetermined behavioral characteristic conforming to known good behavioral parameters, one of corresponding file deletion and creation capabilities, one of packing and encrypting methods corresponding to predetermined vendor methods, file icons corresponding to purported vendor icons, congruent vendor compiler characteristics, one of the presence of and absence of corresponding language character sets, and the presence of extraneous characters that are not congruent with a predetermined vendor product, and file permissions congruent with predetermined vendor file permissions.
  - 19. The method of claim 12, wherein the suspect file resides on one of a removable media element, a memory unit having at least one of a random access memory and a read only memory, and a computer file system.
  - 20. The method of claim 19, wherein the suspect file is accessed over a communications network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EEYE Digital Security
Original Assignee
EEYE Digital Security
Inventors
Copley, Drew

Application Number

US11/503,099
Publication Number

US 20070056035A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562 Static detection

G06F 21/566 Dynamic detection, i.e. det...

Methods and systems for detection of forged computer files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detection of forged computer files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links