METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE

US 20090077544A1
Filed: 09/14/2007
Published: 03/19/2009
Est. Priority Date: 09/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method for optimizing emulation of a suspected malware, said method comprising the steps of:

identifying, using a tool configured to optimize emulation, whether a current instruction in a suspected malware being emulated in a virtual environment signifies a long loop;

if said current instruction identified signifies said long loop, generating a first output value for said long loop;

ascertaining whether said first output value generated matches a respective first output value corresponding to one or more established long loop entries stored in a storage;

if said one or more established long loop entries having said respective first output value matching said first output value generated are ascertained, calculating a second output value for said long loop;

inspecting said one or more established long loop entries ascertained to find an established long loop entry of said one or more established long loop entries ascertained having a respective second output value matching said second output value calculated; and

if said entry matching said second output value calculated is found in said inspecting step, updating one or more states of an emulation engine emulating said suspected malware in said virtual environment, wherein said updating step results in skipping execution of said long loop of said suspected malware for optimizing emulation of said suspected malware in said virtual environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine, such that, execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware.

47 Citations

View as Search Results

20 Claims

1. A method for optimizing emulation of a suspected malware, said method comprising the steps of:
- identifying, using a tool configured to optimize emulation, whether a current instruction in a suspected malware being emulated in a virtual environment signifies a long loop;
  
  if said current instruction identified signifies said long loop, generating a first output value for said long loop;
  
  ascertaining whether said first output value generated matches a respective first output value corresponding to one or more established long loop entries stored in a storage;
  
  if said one or more established long loop entries having said respective first output value matching said first output value generated are ascertained, calculating a second output value for said long loop;
  
  inspecting said one or more established long loop entries ascertained to find an established long loop entry of said one or more established long loop entries ascertained having a respective second output value matching said second output value calculated; and
  
  if said entry matching said second output value calculated is found in said inspecting step, updating one or more states of an emulation engine emulating said suspected malware in said virtual environment, wherein said updating step results in skipping execution of said long loop of said suspected malware for optimizing emulation of said suspected malware in said virtual environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein said identifying step further comprises the steps of:
    - determining if said current instruction is a control transfer instruction for transferring control to another instruction; and
      
      if said current instruction is determined to be said control transfer instruction, verifying whether said another instruction and said current instruction forms a loop.
  - 3. The method according to claim 2, wherein said verifying step further comprises the step of:
    - checking whether a pre-specified condition is met for identifying said loop as said long loop;
      
      wherein said pre-specified condition comprises at least one of;
      
      number of iterations in said loop, number of times said loop is executed and time it takes to execute said loop.
  - 4. The method according to claim 3, wherein said ascertaining step further comprises the steps of:
    - providing said storage containing said one or more established long loop entries;
      
      generating said first output value for said long loop based on contents of said long loop and based on a length computed for said long loop; and
      
      comparing said first output value generated with said respective first output value corresponding to said one or more established long loop entries.
  - 5. The method according to claim 4, wherein said ascertaining step further comprises the step of:
    - if said one or more established long loop entries having said respective first output value matching said first output value generated are not ascertained, executing said current instruction, using said emulation engine.
  - 6. The method according to claim 5, wherein said inspecting step further comprises the step of:
    - comparing said second output value calculated with a respective second output value corresponding to said one or more established long loop entries having said respective first output value.
  - 7. The method according to claim 6, wherein said first output value comprises a first hash value computed using a first hash function, said first hash value comprising a 32-bit hash value;
    - and wherein said second output value comprises a second hash value computed using a second hash function, said second hash value for said long loop being based on said contents of said long loop and based on said length computed for said long loop.

8. A system for optimizing emulation of a program suspected of being malware, said system comprising:
- a host environment comprising a central processing unit (CPU), a storage device, a memory module having installed thereon code configured to optimize emulation of a program suspected of being malware;
  
  a guest environment running on said host environment, said guest environment comprising an anti-virus emulation engine running within said memory of said host environment, said anti-virus emulation engine being configured to emulate said program suspected of being malware within said guest environment, said anti-virus emulation engine further comprising;
  
  an emulation kernel configured to control one or more components of said guest environment and configured to communicate with said host environment;
  
  a virtual CPU configured to emulate instructions contained within said program suspected of being malware; and
  
  a virtual memory configured to store said program suspected of being malware;
  
  wherein said code is further configured to detect one or more long loops in said program suspected of being malware and to update states in said anti-virus emulation engine corresponding to said one or more long loops detected, wherein execution of said one or more long loops in said program suspected of being malware is skipped by said anti-virus emulation engine.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system according to claim 8, wherein said code is further configured to identify one or more loops in said program suspected of being malware and to identify said one or more loops as being said one or more long loops based on whether a pre-specified condition is met;
    - wherein said pre-specified condition comprises at least one of;
      
      number of iterations in a loop of said one or more loops, number of times said loop of said one or more loops is executed and time it takes to execute said loop of said one or more loops.
  - 10. The system according to claim 9, wherein said code is further configured to generate a first output value for a long loop of said one or more long loops identified based on contents of said long loop and based on a length computed for said long loop, said code being further configured to determine whether one or more entries corresponding to a plurality of known long loops stored in a storage device have an index value corresponding to said first output value generated.
  - 11. The system according to claim 10, wherein if said one or more entries are determined said code is further configured to calculate a second output value for said long loop and is further configured to find an entry that corresponds to said second output value calculated among said one or more entries determined to have said index value corresponding to said first output value generated.
  - 12. The system according to claim 11, wherein if said code finds said entry that corresponds to said second output value calculated, said code is further configured to execute a routine contained within said entry for skipping execution of said long loop in said program suspected of being malware;
    - and wherein if said code does not identify said one or more long loops in said program suspected of being malware, said emulation kernel is configured to instruct said virtual CPU to execute said instruction of said program suspected of being malware.
  - 13. The system according to claim 12, wherein said emulation kernel is further configured to instruct said virtual CPU to fetch and decode an instruction of said program suspected of being malware and is further configured to call said code for identifying said one or more long loops in said program suspected of being malware.
  - 14. The system according to claim 13, wherein said first output value comprises a first hash value computed using a first hash function, said first hash value comprising a 32-bit hash value;
    - and wherein said second output value comprises a second hash value computed using a second hash function, said second hash value for said long loop being based on said contents of said long loop and based on said length computed for said long loop.

15. A computer program product for optimizing emulation of a suspected malware, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to identify whether a current instruction in a suspected malware being emulated in a virtual environment signifies a long loop based on whether a pre-specified condition is met, said first program instructions including instructions to generate, if said current instruction identified signifies said long loop, a first hash value for said long loop;
  
  second program instructions to ascertain whether said first hash value generated matches a respective first hash value corresponding to one or more established long loop entries stored in a storage, said second program instructions including instructions to calculate a second hash value for said long loop, if said one or more established long loop entries having said respective first hash value matches said first hash value generated, third program instructions to inspect said one or more established long loop entries ascertained to find an established long loop entry of said one or more established long loop entries ascertained having a respective second hash value matching said second hash value calculated, said third program instructions including instructions to execute, if said entry matching said second hash value calculated is found, a routine contained within said established long loop entry found, wherein execution of said long loop of said suspected malware is skipped for optimizing emulation of said suspected malware in said virtual environment.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product according to claim 15, wherein said first program instructions further comprise instructions to determine if said current instruction is a control transfer instruction for transferring control to another instruction and if said current instruction is determined to be said control transfer instruction, to verify whether said another instruction and said current instruction forms said long loop, and wherein said pre-specified condition comprises at least one of:
    - number of iterations in said long loop, number of times said long loop is executed and time it takes to execute said long loop.
  - 17. The computer program product according to claim 16, wherein said second program instructions further comprise instructions to generate said first hash value for said long loop based on contents of said long loop and based on a length computed for said long loop, said first hash value comprising a 32-bit hash value.
  - 18. The computer program product according to claim 17, wherein said third program instructions further comprise instructions to compare said first hash value generated with said respective first hash value corresponding to said one or more established long loop entries and if said one or more established long loop entries having said respective first hash value matching said first hash value generated are not ascertained, to execute said current instruction using an emulation engine.
  - 19. The computer program product according to claim 18, wherein said second hash value calculated comprises a value unique to said long loop, said second hash value for said long loop being based on said contents of said long loop and based on said length computed for said long loop;
    - and wherein said third program instructions further comprise instructions to compare said second hash value calculated with a respective second hash value corresponding to said one or more established long loop entries having said respective first hash value.
  - 20. The computer program product according to claim 19, wherein said third program instructions further comprise instructions to update one or more states of said emulation engine emulating said suspected malware in said virtual environment for skipping execution of said long loop.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Wu, Ji Yan

Granted Patent

US 8,176,477 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/160
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links