SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

US 20090126015A1
Filed: 10/02/2007
Published: 05/14/2009
Est. Priority Date: 10/02/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious behavior of a computer program, comprising:

emulating at least a part of a computer system in an isolated computer environment;

emulating execution of the computer program in the isolated computer environment, including emulating execution of a first process and a second process of the computer program;

monitoring events being generated by the first process and the second process; and

determining, substantially in real time, based on at least one or more event generated by the first process and one or more event generated by the second process whether or not the computer program exhibits malicious behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.

298 Citations

20 Claims

1. A computer-implemented method for detecting malicious behavior of a computer program, comprising:
- emulating at least a part of a computer system in an isolated computer environment;
  
  emulating execution of the computer program in the isolated computer environment, including emulating execution of a first process and a second process of the computer program;
  
  monitoring events being generated by the first process and the second process; and
  
  determining, substantially in real time, based on at least one or more event generated by the first process and one or more event generated by the second process whether or not the computer program exhibits malicious behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein individually the first process and the second process of a malicious computer program exhibit benign behavior.
  - 3. The computer-implemented method of claim 2, wherein emulating execution of a first process and a second process of the computer program includes one or more of:
    - executing the first and second processes in parallel; and
      
      executing the first and second processes sequentially.
  - 4. The computer-implemented method of claim 3, wherein determining includes comparing the two or more events generated by the first process and the second process with a pattern of events associated with a malicious program.
  - 5. The computer-implemented method of claim 4, further comprising continuing emulating execution of the second process of the computer program even when the first process is terminated.
  - 6. The computer-implemented method of claim 5, wherein detecting an event includes detecting at least one of one or more program'"'"'s system calls and one or more system responses to the program'"'"'s system calls.
  - 7. The computer-implemented method of claim 6, whereinthe first process of the computer program includes one ofa main process of the computer program;
    - anda child processes of the computer program; and
      
      the second process of the computer program includes one ofa child process of the computer program; and
      
      a grand child process of the computer program.

8. A system for detecting malicious behavior of a computer program, the system comprising:
- a system memory; and
  
  a processor configured toemulate in an isolated computer environment of the system memory at least a part of a computer system;
  
  emulate in the isolated computer environment of the system memory execution of the computer program, including execution of a first process and a second process of the computer program;
  
  monitor events being generated by the first process and second process; and
  
  determine, substantially in real time, based at least on one or more events generated by the first process and one or more event generated by the second process whether or not the computer program exhibits malicious behavior.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein individually the first process and the second process of a malicious computer program exhibit benign behavior.
  - 10. The system of claim 9, wherein execution of the first process and the second process of the computer program includes one or more of:
    - execution of the first and second processes in parallel; and
      
      execution of the first and second processes sequentially.
  - 11. The system of claim 10, wherein the processor is further configured to compare the two or more events generated by the first process and the second process with a pattern of events associated with a malicious program.
  - 12. The system of claim 11, wherein the processor is further configured to continue emulating execution of the second process of the computer program even when the first process is terminated.
  - 13. The system of claim 12, wherein the processor is further configured to detect at least one of one or more program'"'"'s system calls and one or more system responses to the program'"'"'s system calls.
  - 14. The system of claim 13, whereinthe first process of the computer program includes one ofa main process of the computer program;
    - anda child processes of the computer program; and
      
      the second process of the computer program includes one ofa child process of the computer program; and
      
      a grand child process of the computer program.

15. A computer-readable medium comprising computer-executable instructions for detecting malicious behavior of a computer program, the computer-executable instructions include:
- instructions for emulating in an isolated computer environment at least a part of a computer system;
  
  instructions for emulating execution of the computer program in the isolated computer environment, including instructions for emulating execution of a first process and a second process of the computer program;
  
  instructions for monitoring events being generated by the first process and second process; and
  
  instructions for determining, substantially in real time, based on at least one or more events generated by the first process and one or more events generated by the second process whether or not the computer program exhibits malicious behavior.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, wherein individually the first process and the second process of a malicious computer program exhibit benign behavior.
  - 17. The computer-readable medium of claim 16, wherein instructions for emulating execution of the first process and the second process includes instruction for one or more of:
    - executing the first and second processes in parallel; and
      
      executing the first and second processes sequentially.
  - 18. The computer-readable medium of claim 17, wherein instructions for determining include instructions for comparing the two or more events generated by the first process and the second process with a pattern of events associated with a malicious program.
  - 19. The computer-readable medium of claim 18, further including instructions for continuing emulating execution of the second process of the computer program even when the first process is terminated.
  - 20. The computer-readable medium of claim 15, whereinthe first process of the computer program includes one ofa main process of the computer program;
    - anda child processes of the computer program; and
      
      the second process of the computer program includes one ofa child process of the computer program; and
      
      a grand child process of the computer program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Sobko, Andrey V., Pavlyushchik, Mikhail A., Monastyrsky, Alexey V.

Granted Patent

US 7,620,992 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

298 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others