DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

US 20070174915A1
Filed: 06/26/2006
Published: 07/26/2007
Est. Priority Date: 01/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting sources that are accessible over a network and which install spyware or other undesired content, comprising the steps of:

(a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment useful for testing a potential source accessible on the network, which may at least attempt to install spyware on the computing device of a user;

(b) automatically loading a potential source available on the network, within the virtual machine environment; and

(c) determining if the potential source has at least attempted to install spyware in the virtual machine environment.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim'"'"'s computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.

505 Citations

49 Claims

1. A method for detecting sources that are accessible over a network and which install spyware or other undesired content, comprising the steps of:
- (a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment useful for testing a potential source accessible on the network, which may at least attempt to install spyware on the computing device of a user;
  
  (b) automatically loading a potential source available on the network, within the virtual machine environment; and
  
  (c) determining if the potential source has at least attempted to install spyware in the virtual machine environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the potential sources include a Web page component that is capable of being rendered by a browser program, and wherein the step of loading the potential source within the virtual machine environment comprises the steps of:
    - (a) executing a browser program within the virtual machine environment;
      
      (b) requesting the page that may comprise one of the potential sources from a remote site on the network using the browser program;
      
      (c) loading the page into the browser program so that it is rendered;
      
      (d) detecting any of a plurality of predefined triggers that are fired as a result of the page being loaded into the browser program and rendered; and
      
      (e) if any of the plurality of predefined triggers is detected, determining that the page is at least attempting to perform a drive-by attack in the virtual machine environment.
  - 3. The method of claim 2, wherein if any of the plurality of predefined triggers is detected, further comprising the step of executing anti-spyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment to test for a definitive indication that spyware has been installed in the virtual machine environment.
  - 4. The method of claim 1, wherein the potential sources include an executable file, and wherein the step of loading the potential source within the virtual machine environment comprises the steps of:
    - (a) installing the executable file within the virtual machine environment; and
      
      (b) analyzing the virtual machine environment after the executable file is installed, to determine if installation of the executable file has caused any attack to be made within the virtual machine environment, the attack comprising executable code that is installed by a piggy-backed software module included with the executable file.
  - 5. The method of claim 4, wherein the step of installing the executable file comprises the step of employing heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 6. The method of claim 4, wherein the step of analyzing the virtual machine environment comprises the steps of:
    - (a) installing and executing an anti-spyware software program within the virtual machine environment; and
      
      (b) employing the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused any spyware to be installed within the virtual machine environment.
  - 7. The method of claim 1, further comprising the step of automatically searching the network to find potential sources that attempt to attack a computing device of a user.
  - 8. The method of claim 7, wherein the step of searching the network comprises the step of employing a crawler program to access a plurality of sites on the network.
  - 9. The method of claim 8, wherein the crawler program successively follows links on pages on a site, to access other pages and other sites over the network.
  - 10. The method of claim 1, further comprising the step of retaining data identifying each potential source that was found to have at least attempted an attack within the virtual machine environment.
  - 11. A machine readable memory medium having machine instructions stored thereon for carrying out the steps of claim 1.

12. A system for detecting sources that are accessible over a network and which at least attempt an attack, where the attack can include installing spyware or other undesired content, comprising:
- (a) a computing device having a memory, and a processor coupled to the memory for executing machine instructions that are stored therein; and
  
  (b) an interface coupling the computing device in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including;
  
  (i) creating a virtual machine environment in which to test potential sources found on the network to determine if they at least attempt an attack, the machine instructions also causing the processor to install a clean operating system within the virtual machine environment;
  
  (ii) automatically loading a potential source accessed over the network into the virtual machine environment for testing; and
  
  (iii) determining if the potential source has at least attempted an attack in the virtual machine environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the machine instructions stored in the memory further cause the processor to:
    - (a) execute a browser program in the virtual machine environment;
      
      (b) from a remote site, automatically download a page having a component that is capable of being rendered as part of the page by a browser program, wherein the component may comprise a potential source that may at least attempt an attack in the virtual machine environment, the page being loaded into and rendered in the browser program;
      
      (c) detecting any of a plurality of predefined triggers that are fired as a result of the page being loaded into the browser program and rendered; and
      
      (d) if any of the plurality of predefined triggers is detected, determining that the page is at least attempting a drive-by attack in the virtual machine environment.
  - 14. The system of claim 13, wherein if any of the plurality of predefined triggers is detected, the machine instructions further cause the processor to execute anti-spyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment and test for a definitive indication that spyware has been installed in the virtual machine environment during an attack.
  - 15. The system of claim 12, wherein a potential source that may at least attempt to install spyware comprises an executable file, so that the machine language instructions cause the processor to:
    - (a) install the executable file within the virtual machine environment; and
      
      (b) analyze the virtual machine environment after the executable file is installed to determine if installation of the executable file has caused any drive-by attack to be made in the virtual machine environment by the executable file.
  - 16. The system of claim 14, wherein to install the executable file, the machine language instructions cause the processor to employ heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 17. The system of claim 14, wherein to analyze the virtual machine environment, the machine language instructions cause the processor to:
    - (a) install and execute an anti-spyware software program within the virtual machine environment; and
      
      (b) employ the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused any spyware to also be installed within the virtual machine environment, wherein installation of spyware comprises an attack.
  - 18. The system of claim 12, wherein execution of the machine instructions define a crawler program and further cause the processor to employ the crawler program to access a plurality of sites on the network to search the network for potential sources of an attack.
  - 19. The system of claim 18, wherein execution of the machine instructions further cause the processor to employ the crawler program to successively follow links on pages on a site, to access other pages and other sites on the network.
  - 20. The system of claim 12, wherein execution of the machine instructions further cause the processor to retain data in the memory that identify each potential source that was found to have at least attempted an attack in the virtual machine environment.

21. A method for detecting a potential source that may at least attempt an attack on a user'"'"'s computing device if downloaded from a site, the potential source being detected in real-time and on-the-fly, in response to a user attempting to access the potential source at the site over a network, the method comprising the steps of:
- (a) producing a virtual machine on a computing device that is also coupled to the site, to create a virtual machine environment that is configured for testing whether a potential source may attempt an attack after the user accesses the Web site with the browser program of the user;
  
  (b) detecting that the user has initiated downloading the potential source from the site and into the browser program of the user, and in response, automatically loading the potential source in the virtual machine environment before enabling a browser program of the user to fully access the potential source;
  
  (c) determining if the potential source has at least attempted an attack in the virtual machine environment; and
  
  (d) if the potential source has attempted an attack in the virtual machine environment, prohibiting the browser program of the user from fully accessing the potential source.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 22. The method of claim 21, further comprising the step of enabling installation of a module in the browser program of the user, the module being configured to prohibit the browser program of the user from fully accessing the potential source, if the potential source has attempted an attack in the virtual machine environment.
  - 23. The method of claim 21, wherein the user initiates downloading of a page into the browser program of the user, and wherein the page includes a component that is capable of being rendered by a browser program and which may at least attempt an attack, further comprising the steps of:
    - (a) executing a browser program within the virtual machine environment;
      
      (b) loading the page into the browser program executed within the virtual machine environment so that the page is rendered in said browser program;
      
      (c) detecting any of a plurality predefined triggers that are fired as a result of the page being loaded into and rendered in the browser program executed within the virtual machine environment, wherein the plurality of triggers are indicative that the page may be at least attempting an attack; and
      
      (d) if any of the plurality of predefined triggers is detected, determining that the page is at least attempting to perform a drive-by attack in the virtual machine environment.
  - 24. The method of claim 23, wherein the page is downloaded into a sandbox that is not immediately accessible by the browser program of the user, while being also downloaded into the browser program executed within the virtual machine environment, the page downloaded into the sandbox not being transferred and enabled to be rendered for display in the browser program of the user unless none of the plurality of predefined triggers is detected in the virtual machine environment.
  - 25. The method of claim 23, wherein the virtual machine environment is installed on a centralized computing device accessible by a plurality of client computing devices over a network, further comprising the step of employing the centralized computing device as a proxy for connecting each client computing device to selected sites over the network.
  - 26. The method of claim 25, further comprising the step of storing data for safe sources that have previously been downloaded and determined not to have attempted an attack, so that when the browser program of the user is subsequently used to initiate a download of one of the safe sources, the safe source is transferred to the browser program of the user from the stored data for use therein without checking the safe source again to determine if it attempts an attack.
  - 27. The method of claim 26, further comprising the steps of:
    - (a) hashing each safe source that was found not to have attempted an attack;
      
      (b) storing a hash value for the safe source with the data for the safe source;
      
      (c) when the user subsequently initiates access of a site to again download a potential source with the browser program of the user, and if the potential source generally corresponds to one of the safe sources for which the data are stored, hashing the potential source to produce a hash value for the potential source;
      
      (d) comparing the hash value stored with the data for the safe source with the hash value for the potential source;
      
      (e) providing the safe source to the browser program of the user for use therein if the hash value of the potential source matches the hash value of the safe source; and
      
      otherwise, (f) testing the potential source in the virtual machine environment to determine if the potential source at least attempts an attack in the virtual machine environment before enabling the browser program of the user to fully access the potential source.
  - 28. The method of claim 23, wherein if any of the plurality of predefined triggers is detected, further comprising the step of executing an anti-spyware program within the virtual machine environment for confirming whether the Web page is a potential source of spyware.
  - 29. The method of claim 21, wherein the user initiates downloading of an executable file from the Web site with the browser program of the user, wherein the executable file may be a potential source if it includes a piggy-backed module that may at least attempt an attack when the executable file is executed.
  - 30. The method of claim 29, further comprising the steps of (a) installing the executable file in the virtual machine environment;
    - and (b) analyzing the virtual machine environment after the executable file is installed within the virtual machine environment, to determine if installation of the executable file has caused an attack in the virtual machine environment.
  - 31. The method of claim 30, wherein the step of prohibiting the browser program of the user from completing access of the potential source comprises the step of preventing the browser program of the user from completing downloading of the executable file from the Web site.
  - 32. The method of claim 30, wherein the step of installing the executable file within the virtual machine environment comprises the step of employing heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 33. The method of claim 30, wherein the step of analyzing the virtual machine environment comprises the steps of:
    - (a) installing and executing an anti-spyware software program within the virtual machine environment; and
      
      (b) employing the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused any spyware to also be installed within the virtual machine environment.
  - 34. The method of claim 21, further comprising the step of retaining data identifying each potential source that was found to have at least attempted an attack in the virtual machine environment.
  - 35. The method of claim 21, wherein the potential source includes a plurality of components, further comprising the step of enabling successive components to be downloaded for access by the browser program of the user after each component has been determined not to have attempted an attack in the virtual machine environment, so that access of the plurality of components by the browser program of the user is staged to occur as quickly as the component has been found to be safe for use by the browser program of the user.
  - 36. A machine readable memory medium having machine instructions stored thereon for carrying out the steps of claim 21.

37. A system for detecting a potential source of an attack by a Web page component in real-time and on-the-fly, where the potential source is downloadable from a site, the system acting in response to a user attempting to access the potential source at the site over a network, comprising:
- (a) a client computing device running a user environment;
  
  (b) a network interface that couples to the site over the network;
  
  (c) a memory in which machine instructions are stored; and
  
  (d) a processor, which is coupled to the network interface, and the memory, the processor executing the machine instructions stored in the memory to carry out a plurality of functions, including;
  
  (i) producing a virtual machine, the virtual machine running an operating system to provide a virtual machine environment that is separate from the user environment;
  
  (ii) in response to the user attempting to access a potential source of an attack from within the user environment, downloading the potential source into the virtual machine environment for testing of the potential source on-the-fly, wherein the testing must be completed before full access of the potential source is allowed to complete in the user environment; and
  
  (iii) if the potential source is found to have at least attempted an attack within the virtual machine environment, precluding completion of the full access of the potential source within the user environment.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 38. The system of claim 37, wherein the potential source of attack comprises a Web page, the machine language instructions further causing the processor to detect firing of any of a plurality of triggers that are predefined, represent events, and are employed for enabling a determination of whether the potential source is at least attempting an attack within the virtual machine environment.
  - 39. The system of claim 38, wherein the plurality of predefined triggers include at least two of:
    - (a) launching of a new process within the virtual machine environment;
      
      (b) creating a new file;
      
      (c) modifying an existing file; and
      
      (d) modifying a registry of the operating system within the virtual machine environment.
  - 40. The system of claim 38, wherein if any of the plurality of triggers has been fired, the machine language instructions further cause the processor to run an anti-spyware scan in the virtual machine environment, as a definitive test for spyware that has been installed by the prospective source, and enabling completion of the full access of the prospective source of spyware within the user environment only if the anti-spyware scan fails to detect spyware in the virtual machine environment.
  - 41. The system of claim 37, wherein while the potential source of an attack is being tested in the virtual machine environment, the machine instructions further cause the processor to enable download of the potential source into the user environment, but not access thereof, to reduce a delay before access of the potential source within the user environment can be enabled.
  - 42. The system of claim 37, wherein the potential source includes an executable file that may carry out an attack when the executable file is executed, the machine instructions causing the processor to download and execute the executable file within the virtual machine environment, so that any attempt to carry out an attack in the virtual machine environment can be detected, causing execution of the executable file in the user environment to be precluded.
  - 43. The system of claim 42, wherein the machine instructions further cause the processor to employ heuristics that simulate interaction and input of a user during an installation process, when automatically installing the executable file in the virtual machine environment.
  - 44. The system of claim 42, wherein the machine instructions further cause the processor to run an anti-spyware scan in the virtual machine environment, as a definitive test for spyware that has been installed by the prospective source, and to execution of the executable file within the user environment only if the anti-spyware scan fails to detect spyware in the virtual machine environment.
  - 45. The system of claim 37, wherein the processor and memory are installed on a proxy computing device that links the client computing device to the site, the virtual machine environment being disposed on the proxy computing device, which controls access of the potential source by the user environment.
  - 46. The system of claim 45, wherein the proxy computing device stores data concerning potential sources of an attack that were previously tested and found to be safe by virtue of not attempting an attack, so that an attempt to access a potential source that has previously been tested and found not to have at least attempted an attack within the virtual machine environment will cause the processor to enable immediate access of the data corresponding to the potential source, by the user environment.
  - 47. The system of claim 46, wherein the proxy computing device stores a hash value for each potential source that was previously tested and found to be safe, and wherein the machine instructions further cause the processor to determine if the potential source that a user is attempting to access at a site on the network is unchanged from the corresponding potential source that was previously tested and found safe, by comparing hash values of the potential source being accessed by the user with that of the corresponding potential source found safe.
  - 48. The system of claim 37, wherein the potential source includes a plurality of components, execution of the machine instructions further causing the processor to enable transmission of each component to the client computing device in a staged fashion, after the component has been tested by the processor and found not to have attempted any attack within the virtual machine environment, so that tested components of the potential source are successively available for use in the user environment as soon as each component is tested and found safe for use therein.
  - 49. The system of claim 37, wherein the user environment is running a browser program for accessing the Web site, further comprising a software module that is adapted to install within the browser program running in the user environment, the software module being controlled in response to the testing of the potential source of spyware being carried out in the virtual machine environment and being capable of precluding the browser program running in the user environment from completing access of the potential source, if the testing indicates that the potential source may have at least attempted an attack within the virtual machine environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Washington
Original Assignee
University of Washington
Inventors
Gribble, Steven, Levy, Henry, Moshchuk, Alexander, Bragin, Tanya

Granted Patent

US 8,196,205 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

505 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

505 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links