Detecting Script-Based Malware using Emulation and Heuristics

US 20120266244A1
Filed: 04/13/2011
Published: 10/18/2012
Est. Priority Date: 04/13/2011
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method performed at least in part on at least one processor, comprising, processing data corresponding to a script sample in an emulation environment, including analyzing structure and content of a data structure corresponding to the script sample to match against generic and static signatures of malware, or analyzing events triggered during emulation against generic and static signatures of malware, or both, to detect whether the script sample comprises malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject disclosure is directed towards running script through a malware detection system including an emulator environment to detect any malware within the script. Statistics are collected as part of processing the script, with parameterized heuristic analysis used to determine whether to run the emulation. The processing through the malware detection system may be iterative, to de-obfuscate layers of obfuscated malware. The emulator may be updated via signatures.

285 Citations

20 Claims

1. In a computing environment, a method performed at least in part on at least one processor, comprising, processing data corresponding to a script sample in an emulation environment, including analyzing structure and content of a data structure corresponding to the script sample to match against generic and static signatures of malware, or analyzing events triggered during emulation against generic and static signatures of malware, or both, to detect whether the script sample comprises malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein analyzing the structure and content of the data structure comprises accessing a parsed program tree.
  - 3. The method of claim 1 further comprising, updating the runtime emulation environment via signatures.
  - 4. The method of claim 1 further comprising, dynamically changing the behavior of the runtime during the emulation.
  - 5. The method of claim 1 further comprising, determining whether to perform emulation in the emulation environment based on a heuristic analysis of the script sample.
  - 6. The method of claim 5 further comprising, generating statistics for the heuristic analysis via tokenization, normalization and parsing of the script sample.
  - 7. The method of claim 5 further comprising, dynamically updating the statistics or heuristics rules, or both during emulation-enabled run-time.
  - 8. The method of claim 1 further comprising, performing static signature matching on a parsed representation of a script sample to attempt to detect malware.
  - 9. The method of claim 1 further comprising, placing content corresponding to the script sample into a sub-script, and processing data corresponding to the sub-script in the emulation environment, including analyzing structure and content of a data structure corresponding to the subscript to match against generic and static signatures of malware, or analyzing events triggered during emulation against generic and static signatures of malware, or both, to detect whether the sub-script comprises malware.

10. In a computing environment, a system comprising:
- a static script engine that incorporates or is coupled to a parser, tokenizer and normalizer, the static script engine configured to process a script sample for malware detection, and the parser, tokenizer or normalizer, or any combination thereof configured to generate statistics associated with the script sample;
  
  emulation decision logic configured to determine whether to invoke an emulator based upon a heuristic analysis of the statistics; and
  
  an emulator that incorporates or is coupled a parser and interpreter, the emulator configured to detect any malware in the script sample by running the script sample in an emulation, and by processing a data structure corresponding to the parsed script sample to match against generic and static signatures of malware, or by analyzing events triggered during emulation against generic and static signatures of malware, or both.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the emulation decision logic is configured to determine whether to invoke the emulator based upon a presence of one or more string manipulation functions in the script sample.
  - 12. The system of claim 10 wherein the emulation decision logic is configured to determine whether to invoke the emulator based upon parameters evaluated against at least some of the statistics.
  - 13. The system of claim 10 further comprising parameters corresponding to the heuristics, corresponding to the emulation, or corresponding to both the heuristics and the emulation, the parameters including memory-related data, emulation instruction-related data, weight data for different heuristics, or triggering threshold data, or any combination of memory-related data, emulation instruction-related data, weight data for different heuristics, or triggering threshold data.
  - 14. The system of claim 10 further comprising emulation re-run decision logic configured to determine whether to re-process a sub-script based upon information in the script sample.
  - 15. The system of claim 14 wherein the information in the script sample comprises the presence of at least one monitored function.
  - 16. The system of claim 10 wherein the emulation occurs in a runtime environment that is configured at least in part based upon updateable signatures.

17. One or more computer-readable media having computer-executable instructions, which when executed perform steps of a process, comprising:
- (a) collecting statistics associated with a script sample or a sub-script including data from a previous iteration;
  
  (b) determining from the statistics whether to run the script sample or sub-script in an emulation environment, and if not, advancing to step (e);
  
  (c) processing the script sample or sub-script in an emulation environment, including performing signature matching to determine whether the script sample or sub-script matches a malware signature, and if so, ending the process with malware being detected;
  
  (d) determining whether to re-run a new sub-script in another iteration based upon information in the script sample or sub-script, and if so, placing data into a new sub-script and returning to step (a); and
  
  (e) ending the process with malware not being detected.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more computer-readable media of claim 17 wherein collecting the statistics includes parsing the sample or sub-script as part of a static antimalware signature scan.
  - 19. The one or more computer-readable media of claim 17 having further computer-executable instructions comprising updating the emulation environment via signatures.
  - 20. The one or more computer-readable media of claim 17 having further computer-executable instructions comprising dynamically changing the behavior of the emulation environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Green, Jonathon Patrick, Chandnani, Anjali Doulatram, Christensen, Simon David

Granted Patent

US 8,997,233 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

Detecting Script-Based Malware using Emulation and Heuristics

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

285 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Script-Based Malware using Emulation and Heuristics

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links