Detecting suspicious embedded malicious content in benign file formats
First Claim
1. A method for detecting malicious code comprising:
disassembling a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
designating the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
1 Assignment
0 Petitions
Abstract
A method and system for detecting suspicious embedded malicious content in benign file formats is disclosed. The method involves loading a benign data file type and performing a sectional disassembly to detect if the file contains any encodings that are machine code instructions that, when executed by a microprocessor, would result in a transfer of process control. The method may be implemented in two stages: in a first stage to detect the presence of any encodings representing logical instructions; and in a second stage to analyze the maliciousness of the detected encodings. In addition to protecting computer systems from a specific exploit, the method may be used for certifying a file clean of malicious code, or for detecting vulnerabilities targeted at application programs.
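An added example of the two-stage approach in Python (it is not the patent's implementation, which this listing does not include): stage one sweeps a benign-format file for x86 encodings of control-transfer instructions, stage two discards isolated hits that plain text produces by chance. The sample files, the 32-byte window and the clustering rule are assumptions; the opcode encodings are standard x86.

```python
import struct

# Constructed samples (not from the patent): a PDF-like text file, and the same file
# with inert x86 control-transfer encodings (JMP short, CALL rel32, RET) plus NOPs inserted.
CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + b"Hello, world. " * 20
EMBEDDED = (CLEAN + bytes([0xEB, 0x02, 0x90, 0x90, 0xE8, 0x05, 0, 0, 0])
            + b"\x90" * 5 + b"\xC3" + b"\nendobj\n")

def decode_transfer(data, i):
    """If data[i:] encodes an x86 control transfer, return (mnemonic, length, target, strong).
    target is the in-file landing offset (None for RET / register forms); strong marks
    encodings that seldom occur by chance in text, unlike the Jcc rel8 opcodes 0x70-0x7F."""
    op = data[i]
    if op in (0xE8, 0xE9) and i + 5 <= len(data):                  # CALL / JMP rel32
        rel = struct.unpack_from("<i", data, i + 1)[0]
        return ("call" if op == 0xE8 else "jmp", 5, i + 5 + rel, True)
    if (op == 0xEB or 0x70 <= op <= 0x7F) and i + 2 <= len(data):  # JMP / Jcc rel8
        rel = struct.unpack_from("<b", data, i + 1)[0]
        return ("jmp" if op == 0xEB else "jcc", 2, i + 2 + rel, False)
    if op == 0xC3:                                                   # RET
        return ("ret", 1, None, True)
    if op == 0xFF and i + 1 < len(data):                             # CALL / JMP reg (FF /2, FF /4)
        modrm = data[i + 1]
        if modrm >> 6 == 3 and (modrm >> 3) & 7 in (2, 4):
            return ("call/jmp reg", 2, None, True)
    return None

def find_transfers(data):
    """Stage 1: byte-wise sweep, keeping transfers whose target lies inside the file."""
    hits = []
    for i in range(len(data)):
        d = decode_transfer(data, i)
        if d and (d[2] is None or 0 <= d[2] < len(data)):
            hits.append((i,) + d)
    return hits

def suspicious_regions(data, window=32):
    """Stage 2: plain ASCII also decodes as Jcc rel8, so a lone hit proves nothing.
    Report each strong hit that has another in-file transfer within `window` bytes."""
    hits = find_transfers(data)
    regions = []
    for off, mnem, _, _, strong in hits:
        cluster = [(h[0], h[1]) for h in hits if abs(h[0] - off) <= window]
        if strong and len(cluster) >= 2:
            regions.append((off, mnem, cluster))
    return regions

def classify(data):  # designate the file suspicious when any region survives stage 2
    return "suspicious" if suspicious_regions(data) else "clean"
```

In formats that carry compressed or image data, in-range rel32 operands and stray 0xC3 bytes also occur by chance, so a production scanner adds per-section context (which parts of the file may legitimately hold binary) and the fuller second-stage maliciousness analysis the abstract describes.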
20 Claims

1. A method for detecting malicious code comprising:
disassembling a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
designating the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
Dependent claims: 2, 3, 4, 5, 6, 7

8. An information handling system comprising:
a memory;
a first processor; and
computer-readable code stored on said memory and processable by said first processor for implementing detection of malicious code, said computer-readable code including instructions for causing said first processor to:
disassemble a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
designate the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
Dependent claims: 9, 10, 11, 12, 13, 14, 15

16. A computer readable medium for implementing a method for detecting malicious code, including program instructions executable to:
disassemble a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
designate the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
Dependent claims: 17, 18, 19, 20