MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT

US 20110219449A1
Filed: 03/04/2010
Published: 09/08/2011
Est. Priority Date: 03/04/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving an indication that a software application is attempting to execute on a user'"'"'s device;

emulating, by a processor, the software application in a virtual environment, in response to receiving the indication;

analyzing, by the processor, one or more behavior characteristics of the emulated software application; and

identifying the software application as malicious based at least in part on the behavior characteristics analyzed.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, electronic device and computer program product for real-time detection of malicious software (“malware”) are provided. In particular, execution of a suspicious software application attempting to execute on a user'"'"'s device may be emulated in a virtual operating system environment in order to observe the behavior characteristics of the suspicious application. If after observing the behavior of the suspicious application in the virtual environment, it is determined that the application is malicious, the application may not be permitted to execute on the user'"'"'s actual device. The suspicious application may be identified as malicious if an isolated data string of the application matches a “blacklisted” data string, a certain behavior of the application matches a behavior that is known to be malicious, and/or the overall behavior of the application is substantially the same or similar to a known family of malware.

356 Citations

30 Claims

1. A method comprising:
- receiving an indication that a software application is attempting to execute on a user'"'"'s device;
  
  emulating, by a processor, the software application in a virtual environment, in response to receiving the indication;
  
  analyzing, by the processor, one or more behavior characteristics of the emulated software application; and
  
  identifying the software application as malicious based at least in part on the behavior characteristics analyzed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising:
    - identifying the software application as suspicious, wherein the software application is only emulated if the software application is identified as suspicious.
  - 3. The method of claim 2, wherein receiving an indication further comprises receiving the indication in response to the user attempting to open or download a file.
  - 4. The method of claim 3, wherein identifying the software application as suspicious further comprises:
    - comparing the file to a set of one or more safe files; and
      
      identifying the software application as suspicious if the file is not included in the set of safe files.
  - 5. The method of claim 3, wherein identifying the software application as suspicious further comprises:
    - identifying the software application as suspicious if the file does not have a certificate associated therewith.
  - 6. The method of claim 1, wherein emulating the software application further comprises:
    - using dynamic translation to emulate a plurality of instructions associated with the software application.
  - 7. The method of claim 1, wherein emulating the software application further comprises:
    - identifying a conditional step in the software application, wherein a result of the conditional step is either true or false;
      
      associating a conditional bookmark with the identified conditional step;
      
      executing the software application as if the result of the conditional step were true;
      
      returning to the conditional bookmark; and
      
      executing the software application as if the result of the conditional step were false.
  - 8. The method of claim 1, wherein analyzing one or more behavior characteristics further comprises:
    - isolating a data string of the software application, said data string comprising a string type and string data;
      
      accessing a database comprising a plurality of string type and data pairs known to be malicious; and
      
      identifying the software application as malicious if the string type and string data of the isolated data string is substantially the same as a string type and data pair stored in the database.
  - 9. The method of claim 8, wherein the string type is selected from a group consisting of a window/dialog string, a file/object string, a registry string, a URL/domain string, a string operation and a process/task string.
  - 10. The method of claim 1, wherein analyzing one or more behavior characteristics further comprises:
    - isolating a behavior characteristic of the software application.
  - 11. The method of claim 10, wherein analyzing one or more behavior characteristics further comprises:
    - accessing a database comprising a plurality of known malicious behaviors; and
      
      identifying the software application as malicious if the isolated behavior characteristic is substantially the same as one of the plurality of known malicious behaviors stored in the database.
  - 12. The method of claim 10, wherein analyzing one or more behavior characteristics further comprises:
    - isolating a plurality of behavior characteristics of the software application;
      
      comparing respective isolated behavior characteristics to a set of behavior characteristics associated with a known family of malicious software; and
      
      for each isolated behavior characteristic;
      
      increasing a family point total associated with the software application if the isolated behavior characteristic is substantially the same as or similar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software; and
      
      decreasing the family point total associated with the software application if the isolated behavior characteristic is dissimilar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software.
  - 13. The method of claim 12, wherein analyzing one or more behavior characteristics further comprises:
    - comparing the family point total to a threshold value associated with the known family of malicious software; and
      
      identifying the software as malicious if the family point total is equal to or greater than the threshold value.
  - 14. The method of claim 10, wherein the behavior characteristic is selected from a group consisting of creating or opening a file having a file name, opening a window or dialog box having a window title, accessing a web site having a URL or domain name, and accessing an application having an application name.

15. A computer program product comprising at least one computer-readable storage medium having computer-readable program code portions stored therein, said computer-readable program code portions comprising:
- a first executable portion for receiving an indication that a software application is attempting to execute on a user'"'"'s device;
  
  a second executable portion for emulating the software application in a virtual environment, in response to receiving the indication;
  
  a third executable portion for analyzing one or more behavior characteristics of the emulated software application; and
  
  a fourth executable portion for identifying the software application as malicious based at least in part on the behavior characteristics analyzed.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The computer program product of claim 15, wherein the computer-readable program code portions further comprise:
    - a sixth executable portion for identifying the software application as suspicious, wherein the software application is only emulated if the software application is identified as suspicious.
  - 17. The computer program product of claim 16, wherein the first executable portion is further configured to receive the indication in response to the user attempting to open or download a file.
  - 18. The computer program product of claim 17, wherein the sixth executable portion is further configured to:
    - compare the file to a set of one or more safe files; and
      
      identify the software application as suspicious if the file is not included in the set of safe files.
  - 19. The computer program product of claim 17, wherein the sixth executable portion is further configured to:
    - identify the software application as suspicious if the file does not have a certificate associated therewith.
  - 20. The computer program product of claim 15, wherein the second executable portion is further configured to:
    - use dynamic translation to emulate a plurality of instructions associated with the software application.
  - 21. The computer program product of claim 15, wherein the second executable portion is further configured to:
    - identify a conditional step in the software application, wherein a result of the conditional step is either true or false;
      
      associate a conditional bookmark with the identified conditional step;
      
      execute the software application as if the result of the conditional step were true;
      
      return to the conditional bookmark; and
      
      execute the software application as if the result of the conditional step were false.
  - 22. The computer program product of claim 15, wherein the third executable portion is further configured to:
    - isolate a data string of the software application, said data string comprising a string type and string data;
      
      access a database comprising a plurality of string type and data pairs known to be malicious; and
      
      identify the software application as malicious if the string type and string data of the isolated data string is substantially the same as a string type and data pair stored in the database.
  - 23. The computer program product of claim 15, wherein the third executable portion is further configured to:
    - isolate a behavior characteristic of the software application.
  - 24. The computer program product of claim 23, wherein the third executable portion is further configured to:
    - access a database comprising a plurality of known malicious behaviors; and
      
      identify the software application as malicious if the isolated behavior characteristic is substantially the same as one of the plurality of known malicious behaviors stored in the database.
  - 25. The computer program product of claim 15, wherein the third executable portion is further configured to:
    - isolate a plurality of behavior characteristics of the software application;
      
      compare respective isolated behavior characteristics to a set of behavior characteristics associated with a known family of malicious software;
      
      for each isolated behavior characteristic;
      
      increase a family point total associated with the software application if the isolated behavior characteristic is substantially the same as or similar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software; and
      
      decrease the family point total associated with the software application if the isolated behavior characteristic is dissimilar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software;
      
      compare the family point total to a threshold value associated with the known family of malicious software; and
      
      identify the software as malicious if the family point total is equal to or greater than the threshold value.

26. An electronic device comprising:
- a processor configured to;
  
  receive an indication that a software application is attempting to execute on a user'"'"'s device;
  
  emulate the software application in a virtual environment, in response to receiving the indication;
  
  analyze one or more behavior characteristics of the emulated software application; and
  
  identify the software application as malicious based at least in part on the behavior characteristics analyzed.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The electronic device of claim 26, wherein in order to emulate the software application the processor is further configured to:
    - use dynamic translation to emulate a plurality of instructions associated with the software application.
  - 28. The electronic device of claim 26, wherein the electronic device further comprises:
    - a memory storing a blacklist database comprising a plurality of string type and data pairs known to be malicious, wherein in order to analyze one or more behavior characteristics, the processor is further configured to;
      
      isolate a data string of the software application, said data string comprising a string type and string data;
      
      access the blacklist database; and
      
      identify the software application as malicious if the string type and string data of the isolated data string is substantially the same as a string type and data pair stored in the database.
  - 29. The electronic device of claim 26, wherein the electronic device further comprises:
    - a memory storing a malicious behavior database comprising a plurality of known malicious behaviors, and wherein in order to analyze one or more behavior characteristics, the processor is further configured to;
      
      isolate a behavior characteristic of the software application;
      
      access the malicious behavior database; and
      
      identify the software application as malicious if the isolated behavior characteristic is substantially the same as one of the plurality of known malicious behaviors stored in the database.
  - 30. The electronic device of claim 26, wherein in order to analyze one or more behavior characteristics, the processor is further configured to:
    - isolate a plurality of behavior characteristics of the software application;
      
      compare respective isolated behavior characteristics to a set of behavior characteristics associated with a known family of malicious software;
      
      for each isolated behavior characteristic;
      
      increase a family point total associated with the software application if the isolated behavior characteristic is substantially the same as or similar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software; and
      
      decrease the family point total associated with the software application if the isolated behavior characteristic is dissimilar to a behavior characteristic in the set of behavior characteristics associated with the known family of malicious software;
      
      compare the family point total to a threshold value associated with the known family of malicious software; and
      
      identify the software as malicious if the family point total is equal to or greater than the threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sunbelt Software Incorporated (GFI Software Limited)
Original Assignee
Sunbelt Software Incorporated (GFI Software Limited)
Inventors
Sites, Eric, St. Neitzel, Michael

Application Number

US12/717,325
Publication Number

US 20110219449A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

356 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

356 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links