Malware protection

US 20110225655A1
Filed: 03/15/2010
Published: 09/15/2011
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system, the method comprising:

determining if an executable file should be identified as being legitimate; and

if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system.

Citations

27 Claims

1. A method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system, the method comprising:
- determining if an executable file should be identified as being legitimate; and
  
  if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as claimed in claim 1, wherein the step of determining if an executable file should be identified as being legitimate is performed at the computer system.
  - 3. A method as claimed in claim 1, wherein the step of determining if an executable file should be identified as being legitimate comprises any of:
    - determining if an identifier for the executable file is contained in a database identifying legitimate executable files and, if so, identifying the executable file as legitimate;
      
      determining if an identifier for the executable file is contained in a database identifying prohibited executable files and, if not, identifying the executable file as legitimate; and
      
      determining if an identifier for the executable file is contained in a database relating to executable files, the database including a value indicating the legitimacy of each executable file and, if so, determining if the value associated with the executable file exceeds a threshold at which an executable file is considered to be legitimate.
  - 4. A method as claimed in claim 1, wherein the step of providing indications to the executable file that it is being executed within an emulated computer system comprises:
    - intercepting specified communications between the executable file and the computer system during execution of the executable file; and
      
      responding to the intercepted communications with data that is indicative of execution in an emulated computer system.
  - 5. A method as claimed in claim 4, wherein the specified communications can include any of function calls, messages and events.
  - 6. A computer program comprising computer program code means adapted to perform all the steps of claim 1 when said program is run on a computer.
  - 7. A computer program as claimed in claim 6 embodied on a computer readable medium.

8. A computer system comprising:
- a memory, the memory storing an executable file; and
  
  a processor for determining if the executable file should be identified as being legitimate, and, if it is determined that the executable file should not be identified as being legitimate, for executing the executable file in the computer system whilst providing indications to the executable file that it is being executed within an emulated computer system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A computer system as claimed in claim 8, wherein the processor is further configured to generate a message for sending to a server, the message including the executable file or an identifier for the executable file, and to process a response received from the server to determine if it indicates that the file should be identified as being legitimate.
  - 10. A computer system as claimed in claim 8, wherein the memory is further configured to store a database identifying legitimate executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying legitimate executable files.
  - 11. A computer system as claimed in claim 8, wherein the memory is further configured to store a database identifying prohibited executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying prohibited executable files.
  - 12. A computer system as claimed in claim 8, wherein the memory is further configured to store a database of information relating to executable files, the database including a value indicating the legitimacy of each executable file, and the processor is further configured to determine if an identifier for the executable file is contained in the database.
  - 13. A computer system as claimed in claim 12, wherein the processor is further configured to, if an identifier for the executable file is contained in the database of executable files, determine if the value associated with the executable file exceeds a threshold at which an executable file is considered to be legitimate.
  - 14. A computer system as claimed in claim 8, wherein the processor is further configured to intercept specified communications between the executable file and the computer system during execution of the executable file, and to respond to the intercepted communications with data that is indicative of execution in an emulated computer system.

15. A method of detecting potential malware, the method comprising:
- executing an executable file whilst providing indications to the executable file that it is being executed within an emulated computer system;
  
  monitoring the behaviour of the executable file; and
  
  determining if this behaviour corresponds with that expected of malware executed in an emulated computer system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A method as claimed in claim 15, wherein the step of executing an executable file whilst providing indications to the executable file that it is being executed within an emulated computer system comprises:
    - executing the executable file in a non-emulated computer system;
      
      intercepting specified communications between the executable file and the computer system during execution of the executable file; and
      
      responding to intercepted communications with data that is indicative of execution in an emulated computer system.
  - 17. A method as claimed in claim 15, wherein the step of executing an executable file whilst providing indications to the executable file that it is being executed within an emulated computer system comprises:
    - executing the executable file in an emulated computer system.
  - 18. A method as claimed in claim 15, wherein the behaviour that is expected of malware executed in an emulated computer system comprises any of:
    - attempting to prevent execution without providing a notification;
      
      attempting to collect information relating to the emulated computer system; and
      
      significant variation from the behaviour of the executable file in a non-emulated computer system.
  - 19. A computer program comprising computer program code means adapted to perform all the steps of claim 15 when said program is run on a computer.
  - 20. A computer program as claimed in claim 19 embodied on a computer readable medium.

21. A computer system comprising:
- a memory, the memory storing an executable file; and
  
  a processor for executing an executable file whilst providing indications to the executable file that it is being executed within an emulated computer system, for monitoring the behaviour of the executable file, and for determining if this behaviour corresponds with that expected of malware executed in an emulated computer system.

22. A method of maintaining a database of information relating to executable files, the database including values representing the legitimacy of each executable file, for the purpose of enabling any of a plurality of computer devices to determine if an executable file should be identified as being legitimate, the method comprising:
- at a network based service, receiving data regarding an executable file from a computer device of the plurality of computer devices that has executed the executable file, using the data to determine a value representing the legitimacy of the executable file, and providing the value to any of the plurality of computer devices.
- View Dependent Claims (23, 24, 25, 26)
- - 23. A method as claimed in claim 22, wherein the data regarding an executable file comprises any of:
    - an identifier for the computer system that has executed the executable file;
      
      information regarding any suspicious behaviour of the executable file observed by the computer system that has executed the executable file; and
      
      a value representing the legitimacy of the executable file as determined by the computer system that has executed the executable file.
  - 24. A method as claimed in claim 23, wherein the step of using the data to determine a value representing the legitimacy of each of the executable files comprises any of:
    - determining if each of the computer systems that has executed the executable file is trusted, and determining the value based on the number or proportion of trusted computer systems that have executed the executable file;
      
      analysing the information regarding any suspicious behaviour of the executable file observed by each of the computer systems that have executed the executable file, and determining the value based on the amounts, types and extent of the suspicious behaviour; and
      
      collating the values determined by each of the computer system that have executed the executable file.
  - 25. A computer program comprising computer program code means adapted to perform all the steps of claim 22 when said program is run on a computer.
  - 26. A computer program as claimed in claim 25 embodied on a computer readable medium.

27. A server for use in maintaining database of information relating to executable files, the database including values representing the legitimacy of each executable file, for the purpose of enabling any of a plurality of computer devices to determine if an executable file should be identified as being legitimate, the server comprising:
- a receiver for receiving data regarding an executable file from one or more of a plurality of computer devices that have executed the executable file;
  
  a processor for using the data to determine a value representing the legitimacy of the executable file; and
  
  a transmitter for providing the value to one or more of the plurality of computer devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Withsecure Corporation
Original Assignee
F-Secure Oyj
Inventors
Niemelä, Jarno, Hyppönen, Mikko, Kangas, Santeri

Granted Patent

US 9,501,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/629   to features or functions of...

Malware protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Malware protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links