Detecting suspicious embedded malicious content in benign file formats

US 20080010538A1
Filed: 06/27/2006
Published: 01/10/2008
Est. Priority Date: 06/27/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting malicious code comprising:

disassembling a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and

designating the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting suspicious embedded malicious content in benign file formats is disclosed. The method involves loading a benign data file type and performing a sectional disassembly to detect if the file contains any encodings that are machine code instructions that, when executed by a microprocessor, would result in a transfer of process control. The method may be implemented in two stages: in a first stage to detect the presence of any encodings representing logical instructions; and in a second stage to analyze the maliciousness of the detected encodings. In addition to protecting computer systems from a specific exploit, the method may be used for certifying a file clean of malicious code, or for detecting vulnerabilities targeted at application programs.

Citations

20 Claims

1. A method for detecting malicious code comprising:
- disassembling a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
  
  designating the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - making a determination whether the one or more encodings corresponding to executable code would result in a transfer of process control when executed; and
      
      designating the data file as malicious in response to said determination being positive.
  - 3. The method of claim 1, wherein the benign type of data file includes any one of:
    - JPEG files;
      
      WMF files;
      
      HTML files;
      
      text files;
      
      audio data files;
      
      image data files;
      
      video data files; and
      
      any type of data file whose format does not specify the inclusion of executable code.
  - 4. The method of claim 2, wherein the one or more encodings corresponding to executable code include machine code instructions for causing a microprocessor to perform any one of:
    - load a variable;
      
      jump to a register;
      
      jump to a location in memory;
      
      jump to an instruction;
      
      generate an interrupt;
      
      call a procedure;
      
      switch to a different task; and
      
      invoke any operating system API procedure.
  - 5. The method of claim 1, wherein the one or more encodings corresponding to executable code includes one or more operational codes of a microprocessor.
  - 6. The method of claim 5, wherein the operational codes include operands associated with operational codes of a microprocessor.
  - 7. The method of claim 2, wherein the one or more encodings corresponding to executable code include one or more machine code instructions detected by matching one or more entries in a reference table of machine code instructions.

8. An information handling system comprising:
- a memory;
  
  a first processor; and
  
  computer-readable code stored on said memory and processable by said first processor for implementing detection of malicious code, said computer-readable code including instructions for causing said first processor to;
  
  disassemble a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
  
  designate the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, further includes instructions for causing said first processor to:
    - make a determination whether the one or more encodings corresponding to executable code would result in a transfer of process control when executed; and
      
      designate the data file as malicious in response to said determination being positive.
  - 10. The system of claim 8, wherein the benign type of data file includes any one of:
    - JPEG files;
      
      WMF files;
      
      HTML files;
      
      text files;
      
      audio data files;
      
      image data files;
      
      video data files; and
      
      any data file whose format does not specify the inclusion of executable code.
  - 11. The system of claim 8, wherein the one or more encodings corresponding to executable code include machine code instructions for causing a second microprocessor to perform any one of:
    - load a variable;
      
      jump to a register;
      
      jump to a location in memory;
      
      jump to an instruction;
      
      generate an interrupt;
      
      call a procedure;
      
      switch to a different task; and
      
      invoke any operating system API procedure.
  - 12. The system of claim 8, wherein the one or more encodings corresponding to executable code include one or more operational codes of a second microprocessor.
  - 13. The system of claim 12, wherein said first processor and said second microprocessor are the same processor.
  - 14. The system of claim 9, wherein the one or more encodings corresponding to executable code include one or more machine code instructions detected by matching one or more entries in a reference table of machine code instructions.
  - 15. The system of claim 8, wherein said first processor is implemented as an embedded controller in a network device, wherein the data file is disassembled from a stream of network packets representing the data file in transit.

16. A computer readable medium for implementing a method for detecting malicious code, including program instructions executable to:
- disassemble a data file, wherein the data file is a benign type of data file, wherein the disassembling includes searching said data file for one or more encodings corresponding to executable code; and
  
  designate the data file as suspicious in response to detecting one or more encodings corresponding to executable code in the data file.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer readable medium of claim 16, further including program instructions executable to:
    - make a determination whether the one or more encodings corresponding to executable code would result in a transfer of process control when executed; and
      
      designate the data file as malicious in response to said determination being positive.
  - 18. The computer readable medium of claim 16, wherein the benign type of data file includes any one of:
    - JPEG files;
      
      WMF files;
      
      HTML files;
      
      text files;
      
      audio data files;
      
      image data files;
      
      video data files; and
      
      any data file whose format does not specify the inclusion of executable code.
  - 19. The computer readable medium of claim 17, wherein the one or more encodings corresponding to executable code include machine code instructions for causing a microprocessor to perform any one of:
    - load a variable;
      
      jump to a register;
      
      jump to a location in memory;
      
      jump to an instruction;
      
      generate an interrupt;
      
      call a procedure;
      
      switch to a different task; and
      
      invoke any operating system API procedure.
  - 20. The computer readable medium of claim 17, wherein the one or more encodings corresponding to executable code include one or more machine code instructions detected by matching one or more entries in a reference table of machine code instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Hernacki, Brian

Application Number

US11/475,664
Publication Number

US 20080010538A1
Time in Patent Office

Days
Field of Search
US Class Current

714/38
CPC Class Codes

G06F 21/562 Static detection

G06F 21/563 by source code analysis

Detecting suspicious embedded malicious content in benign file formats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting suspicious embedded malicious content in benign file formats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links