DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE
Abstract
A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.
505 Citations
49 Claims
1. A method for detecting sources that are accessible over a network and which install spyware or other undesired content, comprising the steps of:
(a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment useful for testing a potential source accessible on the network, which may at least attempt to install spyware on the computing device of a user;
(b) automatically loading a potential source available on the network, within the virtual machine environment; and
(c) determining if the potential source has at least attempted to install spyware in the virtual machine environment. (Dependent claims 2 through 11 are not reproduced here.)

12. A system for detecting sources that are accessible over a network and which at least attempt an attack, where the attack can include installing spyware or other undesired content, comprising:
(a) a computing device having a memory, and a processor coupled to the memory for executing machine instructions that are stored therein; and
(b) an interface coupling the computing device in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including;
(i) creating a virtual machine environment in which to test potential sources found on the network to determine if they at least attempt an attack, the machine instructions also causing the processor to install a clean operating system within the virtual machine environment;
(ii) automatically loading a potential source accessed over the network into the virtual machine environment for testing; and
(iii) determining if the potential source has at least attempted an attack in the virtual machine environment. (Dependent claims 13 through 20 are not reproduced here.)

21. A method for detecting a potential source that may at least attempt an attack on a user's computing device if downloaded from a site, the potential source being detected in real-time and on-the-fly, in response to a user attempting to access the potential source at the site over a network, the method comprising the steps of:
(a) producing a virtual machine on a computing device that is also coupled to the site, to create a virtual machine environment that is configured for testing whether a potential source may attempt an attack after the user accesses the Web site with the browser program of the user;
(b) detecting that the user has initiated downloading the potential source from the site and into the browser program of the user, and in response, automatically loading the potential source in the virtual machine environment before enabling a browser program of the user to fully access the potential source;
(c) determining if the potential source has at least attempted an attack in the virtual machine environment; and
(d) if the potential source has attempted an attack in the virtual machine environment, prohibiting the browser program of the user from fully accessing the potential source. (Dependent claims 22 through 36 are not reproduced here.)

37. A system for detecting a potential source of an attack by a Web page component in real-time and on-the-fly, where the potential source is downloadable from a site, the system acting in response to a user attempting to access the potential source at the site over a network, comprising:
(a) a client computing device running a user environment;
(b) a network interface that couples to the site over the network;
(c) a memory in which machine instructions are stored; and
(d) a processor, which is coupled to the network interface, and the memory, the processor executing the machine instructions stored in the memory to carry out a plurality of functions, including;
(i) producing a virtual machine, the virtual machine running an operating system to provide a virtual machine environment that is separate from the user environment;
(ii) in response to the user attempting to access a potential source of an attack from within the user environment, downloading the potential source into the virtual machine environment for testing of the potential source on-the-fly, wherein the testing must be completed before full access of the potential source is allowed to complete in the user environment; and
(iii) if the potential source is found to have at least attempted an attack within the virtual machine environment, precluding completion of the full access of the potential source within the user environment. (Dependent claims 38 through 49 are not reproduced here.)
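The trigger check described in the abstract (new library installed, new process created, observed from a clean VM) and the on-the-fly gating of claims 21 and 37 (test in the VM first, then block the user's browser if a trigger fired) can be modelled together. The following is an added example and is not code from the patent or its assignee. Everything in it is constructed for illustration: the Snapshot type, the CLEAN_BASELINE and OBSERVATIONS tables, the EXPECTED_BROWSER_ARTIFACTS allowlist, and the render_in_vm, fire_triggers and gate_download functions are hypothetical names. In a real deployment the snapshots would come from an agent inside the guest and the VM would be reverted to its clean image after every test.

```python
"""Added example (not the patent's own code): a model of the clean-VM trigger
check from the abstract and of the on-the-fly gating in claims 21 and 37.

All data below is constructed. A real harness would collect loaded modules,
the process list and autostart registry keys from an agent inside the VM,
and revert the VM to its clean snapshot after each URL; here render_in_vm
just looks the URL up in a hand-built table of observations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Guest state observed at one instant inside the VM (hypothetical type)."""
    libraries: frozenset
    processes: frozenset
    autostart: frozenset


# State of the clean VM right after the OS install and first browser launch.
CLEAN_BASELINE = Snapshot(
    libraries=frozenset({"ntdll.dll", "kernel32.dll", "browser.exe"}),
    processes=frozenset({"explorer.exe", "browser.exe"}),
    autostart=frozenset({r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"}),
)

# Artifacts the unmodified browser creates by itself while rendering; they
# must not count as a trigger or every page would be flagged (constructed).
EXPECTED_BROWSER_ARTIFACTS = frozenset({"browser_renderer.exe", "gpu_process.exe"})


def _with(base, **extra):
    """Return a copy of `base` with extra artifacts added to the named fields."""
    return Snapshot(
        libraries=base.libraries | frozenset(extra.get("libraries", ())),
        processes=base.processes | frozenset(extra.get("processes", ())),
        autostart=base.autostart | frozenset(extra.get("autostart", ())),
    )


# Constructed observations: snapshots taken at intervals while the page
# renders. The drive-by page spawns a dropper that has exited by the last
# snapshot, but leaves a new DLL and an autostart entry behind.
OBSERVATIONS = {
    "http://benign.example/index.html": [
        _with(CLEAN_BASELINE, processes={"browser_renderer.exe"}),
        _with(CLEAN_BASELINE, processes={"browser_renderer.exe"}),
    ],
    "http://driveby.example/landing.html": [
        _with(CLEAN_BASELINE, processes={"browser_renderer.exe", "dropper.exe"}),
        _with(CLEAN_BASELINE, processes={"browser_renderer.exe"},
              libraries={r"C:\Windows\System32\srvhlp.dll"},
              autostart={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\srvhlp"}),
    ],
}


def render_in_vm(url):
    """Stand-in for loading `url` with an unmodified browser in the clean VM."""
    return OBSERVATIONS[url]


def fire_triggers(baseline, observations, allowlist=EXPECTED_BROWSER_ARTIFACTS):
    """Diff every snapshot against the clean baseline and union the results,
    so a transient process still fires even if it exited before the final
    snapshot. Returns only the triggers that fired, minus allowlisted items."""
    fired = {"new_library": set(), "new_process": set(), "new_autostart": set()}
    for snap in observations:
        fired["new_library"] |= snap.libraries - baseline.libraries
        fired["new_process"] |= snap.processes - baseline.processes
        fired["new_autostart"] |= snap.autostart - baseline.autostart
    return {name: frozenset(items - allowlist)
            for name, items in fired.items() if items - allowlist}


def gate_download(url):
    """Claims 21/37 in miniature: test the source in the VM before the user's
    browser completes the access, and block it if any trigger fired."""
    fired = fire_triggers(CLEAN_BASELINE, render_in_vm(url))
    return ("block" if fired else "allow", fired)


if __name__ == "__main__":
    for url in OBSERVATIONS:
        decision, fired = gate_download(url)
        print(f"{decision:5s} {url} {dict(fired)}")
```

Two details matter in practice. The diff is taken over the whole observation window rather than only the final state, because a dropper that spawns, installs its payload and exits would otherwise leave no process trigger. And the baseline must be the clean image, re-applied after every test; if the VM carried state between URLs, the second page tested after a drive-by would inherit its library and autostart entries and be misclassified. Content that detects the VM or delays its payload past the observation window will not fire any trigger, which is the usual limitation of this approach.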
Specification