SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

US 20090126016A1
Filed: 10/02/2007
Published: 05/14/2009
Est. Priority Date: 10/02/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious program behavior, comprising:

emulating at least a part of a computer system in an isolated computer environment;

emulating execution of the computer program in the isolated computer environment, including emulating execution of one or more remote threads of the computer program;

detecting events being generated by the one or more remote threads of the emulated computer program;

determining, substantially in real time, whether each detected event is associated with malicious program behaviors;

storing in a data structure each detected event associated with the malicious program behaviors;

periodically comparing a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and

terminating emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.

Citations

23 Claims

1. A computer-implemented method for detecting malicious program behavior, comprising:
- emulating at least a part of a computer system in an isolated computer environment;
  
  emulating execution of the computer program in the isolated computer environment, including emulating execution of one or more remote threads of the computer program;
  
  detecting events being generated by the one or more remote threads of the emulated computer program;
  
  determining, substantially in real time, whether each detected event is associated with malicious program behaviors;
  
  storing in a data structure each detected event associated with the malicious program behaviors;
  
  periodically comparing a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
  
  terminating emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
- View Dependent Claims (2, 3, 5, 6, 19, 20)
- - 2. The computer-implemented method of claim 1, wherein individually events generated by the one or more emulated remote threads of a malicious computer program exhibit benign behavior.
  - 3. The computer-implemented method of claim 2, wherein emulating execution of one or more remote threads of the computer program includes one or more of:
    - executing two or more remote threads in parallel; and
      
      executing two or more remote threads sequentially.
  - 5. The computer-implemented method of claim 3, further comprising continuing emulating execution of one or more remote threads of the computer program even when one or more remote threads are terminated.
  - 6. The computer-implemented method of claim 5, wherein detecting an event includes detecting at least one of one or more program'"'"'s system calls and one or more system responses to the program'"'"'s system calls.
  - 19. The computer-implemented method of claim 1, wherein the one or more remote threads of the emulated computer program are created by one or more processes of the emulated computer program.
  - 20. The computer-implemented method of claim 19, wherein the one or more remote threads are created in programs activated by the emulated computer program.

4. (canceled)

7. A system for detecting malicious program behavior, comprising:
- a system memory; and
  
  a processor configured toemulate in an isolated computer environment of the system memory at least a part of a computer system;
  
  emulate in the isolated computer environment execution of the computer program, including execution of one or more remote threads of the computer program;
  
  detect events being generated by the one or more remote threads of the emulated computer program;
  
  determine, substantially in real times whether each detected event is associated with malicious program behaviors;
  
  store in a data structure each detected event associated with the malicious program behaviors;
  
  periodically compare a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
  
  terminate emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
- View Dependent Claims (8, 9, 11, 12, 21, 22)
- - 8. The system of claim 7, wherein individually events generated by the one or more emulated remote threads of a malicious computer program exhibit benign behavior.
  - 9. The system of claim 8, wherein execution of one or more remote threads of the computer program includes one or more of:
    - execution of two or more remote threads in parallel; and
      
      execution of two or more remote threads sequentially.
  - 11. The system of claim 9, wherein the processor is further configured to continue emulating execution of one or more remote threads of the computer program even when one or more remote threads are terminated.
  - 12. The system of claim 11, wherein the processor is further configured to detect at least one of one or more program'"'"'s system calls and one or more system responses to the program'"'"'s system calls.
  - 21. The system of claim 7, wherein the one or more remote threads of the emulated computer program are created by one or more processes of the emulated computer program.
  - 22. The system of claim 21, wherein the one or more remote threads are created in programs activated by the emulated computer program.

10. (canceled)

13. A computer-readable medium comprising computer-executable instructions for detecting malicious program behavior, the computer-executable instructions include:
- instructions for emulating in an isolated computer environment at least a part of a computer system;
  
  instructions for emulating execution of the computer program in the isolated computer environment, including instructions for emulating execution of one or more remote threads of the computer program;
  
  instructions for detecting events being generated by the one or more remote threads of the emulated computer program;
  
  instructions for determining, substantially in real time, whether each detected event is associated with malicious program behaviors;
  
  instructions for storing in a data structure each detected event associated with the malicious program behaviors;
  
  instructions for periodically comparing a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
  
  instructions for terminating emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
- View Dependent Claims (14, 15, 17, 18, 23)
- - 14. The computer-readable medium of claim 13, wherein individually events generated by the one or more emulated remote threads of a malicious computer program exhibit benign behavior.
  - 15. The computer-readable medium of claim 14, wherein instructions for emulating execution of the one or more remote threads includes instruction for one or more of:
    - executing two or more remote threads in parallel; and
      
      executing two or more remote threads sequentially.
  - 17. The computer-readable medium of claim 15, further including instructions for continuing emulating execution of one or more remote threads of the computer program even when one or more remote threads are terminated.
  - 18. The computer-readable medium of claim 17, wherein instructions for monitoring include instructions for monitoring at least one of one or more program'"'"'s system calls and one or more system responses to the program'"'"'s system calls.
  - 23. The computer-readable medium of claim 13, wherein the one or more remote threads of the emulated computer program are created by one or more processes of the emulated computer program.

16. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Sobko, Andrey, Pavlyushchik, Mikhail A.

Granted Patent

US 7,559,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links