Malware detection

US 20110041179A1
Filed: 08/11/2009
Published: 02/17/2011
Est. Priority Date: 08/11/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting potential malware, the method comprising:

at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers; and

at the one of more client computers, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to a first aspect of the present invention there is provided a method of detecting potential malware. The method comprises, at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers. At the or each client computer, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware.

406 Citations

26 Claims

1. A method of detecting potential malware, the method comprising:
- at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers; and
  
  at the one of more client computers, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 26)
- - 2. A method as claimed in claim 1, and further comprising:
    - at the server, storing the one or more rules, receiving an additional code sample, executing the additional code sample in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the additional code sample, using the extracted bytestrings to update the one or more stored rules, and sending the updated rules to the one of more client computers.
  - 3. A method as claimed in claim 1, and further comprising:
    - at the server, gathering metadata associated with said extracted bytestrings, and using said metadata together with said extracted bytestrings to determine the one or more rules for differentiating between malware and legitimate code.
  - 4. A method as claimed in claim 3, and further comprising:
    - at the one or more client computers, gathering metadata associated with said extracted bytestrings, and applying the rules received from the server to said bytestrings and associated metadata.
  - 6. A method as claimed in claim 1, wherein the bytestrings extracted from the memory of the emulated computer system includes bytestrings extracted from the heap and the stack sections of the memory.
  - 7. A method as claimed in claim 1, and further comprising:
    - at the server, extracting bytestrings written into files that are created on the disk of the emulated computer system by the sample code during execution in the emulated computer system.
  - 8. A method as claimed in claim 7, and further comprising:
    - at the one of more client computers, extracting bytestrings written into files that are created on the disk of the emulated computer system by the target code during execution in the emulated computer system.
  - 9. A method as claimed in claim 1, and further comprising:
    - using decoy bytestrings in documents and when imitating user actions within the emulated environment, and identifying any decoy bytestrings extracted from the memory during execution of the sample or target code in the emulated computer system.
  - 10. A method as claimed in claim 1, and further comprising:
    - at the server, prior to determining one or more rules for differentiating between malware and legitimate code, removing from the extracted bytestrings any bytestrings that match those contained within a list of insignificant bytestrings.
  - 11. A method as claimed in claim 1, and further comprising:
    - at the server, prior to determining one or more rules for differentiating between malware and legitimate code, measuring the difference between each of the extracted bytestrings and bytestrings that have previously been identified as being associated with both malware and legitimate code, and removing from the extracted bytestrings any bytestrings for which this difference does not exceed a threshold.
  - 12. A method as claimed in claim 1, and further comprising:
    - at the one of more client computers, prior to applying the rule(s) received from the server, removing from the extracted bytestrings any bytestrings that match those contained within a list of insignificant bytestrings.
  - 13. A method as claimed in claim 1, wherein the step of using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code comprises:
    - at the server, providing the bytestrings to one or more artificial intelligence algorithms, the artificial intelligence algorithm(s) being configured to generate the one or more rules for differentiating between malware and legitimate code.
  - 26. A method as claimed in claim 3, wherein the one or more rules comprise one or more combinations of bytestrings and/or metadata associated with bytestrings, the presence of which in the bytestrings and associated metadata extracted during execution of the target code is indicative of malware.

5. A method as claimed in claim 3, wherein the metadata comprises one or more of:
- the location of a bytestring in the memory;
  
  the string in its encrypted or plaintext form;
  
  the encoding of the bytestring;
  
  the time or event at which the bytestring occurred;
  
  the number of memory accesses to the bytestring;
  
  the location of the function that created the bytestring;
  
  the memory injection type used and the target process;
  
  whether the bytestring was overwritten or the allocated memory de-allocated.

5-1. (canceled)

14. A method of detecting potential malware, the method comprising:
- at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code;
  
  at one of more client computers, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from changes in the memory of the emulated computer system that result from the execution of the target code, and sending the extracted bytestrings to the server; and
  
  at the server, for each of the one of more client computers applying the rule(s) to the extracted bytestrings received from the client computer to determine if the target code is potential malware and sending the result to the client computer.

15. A server for use in provisioning a malware detection service, the server comprising:
- a receiver for receiving a plurality of code samples, the code samples including at least one sample known to be malware and at least one code sample known to be legitimate;
  
  a processor for executing each of the code samples in an emulated computer system, and for extracting bytestrings from changes in the memory of the emulated computer system that result from the execution of each sample;
  
  an analysis unit for using the bytestrings extracted from the or each code sample to determine one or more rules for differentiating between malware and legitimate code; and
  
  a transmitter for sending the rules to one or more client computers.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A server as claimed in claim 15 and comprising a database for storing the one or more rules, wherein the receiver is further arranged to receive an additional code sample, the processor is further arranged to execute the additional code sample in an emulated computer system, to extract bytestrings from changes in the memory of the emulated computer system that result from the execution of the additional code sample, the analysis unit is further arranged to use the bytestrings extracted from the additional sample to update the one or more rules stored in the database, and the transmitter is further arranged to send the updated rules to the client computer.
  - 17. A server as claimed in claim 15, wherein the processor is further arranged to gather metadata associated with said extracted bytestrings, and the analysis unit is further arranged to use said metadata together with said extracted bytestrings to determine the one or more rules for differentiating between malware and legitimate code.
  - 18. A server as claimed in claim 17, wherein the one or more rules comprise one or more combinations of bytestrings and/or metadata associated with bytestrings, the presence of which in the bytestrings and associated metadata extracted during execution of the target code is indicative of malware.
  - 19. A server as claimed in claim 15, wherein the processor is further arranged to extract bytestrings from the heap and the stack sections of the memory of the emulated computer system.
  - 20. A server as claimed in claim 15, wherein the processor is further arranged to remove, from the extracted bytestrings, any bytestrings that match those contained within a list of insignificant bytestrings.
  - 21. A server as claimed in claim 15, wherein the analysis unit is further arranged to implement one or more artificial intelligence algorithms, the artificial intelligence algorithm(s) being configured to generate the one or more rules for differentiating between malware and legitimate code.

22. A client computer comprising:
- a receiver for receiving from a server one or more rules for differentiating between malware and legitimate code;
  
  a memory for storing the one or more rules; and
  
  a malware detection unit for executing a target code in an emulated computer system, for extracting bytestrings from changes in the memory of the emulated computer system that result from the execution of each sample, and applying said one or more rules received from the server to the extracted bytestrings to determine if the target code is potential malware.
- View Dependent Claims (23, 24, 25)
- - 23. A client computer as claimed in claim 22, wherein the malware detection unit is further arranged to extract bytestrings from the heap and the stack sections of the memory of the emulated computer system.
  - 24. A client computer as claimed in claim 22, wherein the malware detection unit is further arranged to gather metadata associated with said extracted bytestrings from the memory during execution of the target code, and to apply the rules received from the server to said bytestrings and their associated metadata.
  - 25. A client computer as claimed in claim 22, wherein the malware detection unit is further arranged to remove, from the extracted bytestrings, any bytestrings that match those contained within a list of insignificant bytestrings, prior to applying the rule(s) received from the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F-Secure Oyj
Original Assignee
F-Secure Oyj
Inventors
STÅHLBERG, Mika

Application Number

US12/462,913
Publication Number

US 20110041179A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Malware detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

406 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Malware detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

406 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others