Detecting Script-Based Malware using Emulation and Heuristics
Abstract
The subject disclosure is directed towards running script through a malware detection system including an emulator environment to detect any malware within the script. Statistics are collected as part of processing the script, with parameterized heuristic analysis used to determine whether to run the emulation. The processing through the malware detection system may be iterative, to de-obfuscate layers of obfuscated malware. The emulator may be updated via signatures.
20 Claims
- 1. In a computing environment, a method performed at least in part on at least one processor, comprising, processing data corresponding to a script sample in an emulation environment, including analyzing structure and content of a data structure corresponding to the script sample to match against generic and static signatures of malware, or analyzing events triggered during emulation against generic and static signatures of malware, or both, to detect whether the script sample comprises malware.

- 10. In a computing environment, a system comprising:
  a static script engine that incorporates or is coupled to a parser, tokenizer and normalizer, the static script engine configured to process a script sample for malware detection, and the parser, tokenizer or normalizer, or any combination thereof, configured to generate statistics associated with the script sample;
  emulation decision logic configured to determine whether to invoke an emulator based upon a heuristic analysis of the statistics; and
  an emulator that incorporates or is coupled to a parser and interpreter, the emulator configured to detect any malware in the script sample by running the script sample in an emulation, and by processing a data structure corresponding to the parsed script sample to match against generic and static signatures of malware, or by analyzing events triggered during emulation against generic and static signatures of malware, or both.
  Dependent claims: 11, 12, 13, 14, 15, 16

- 17. One or more computer-readable media having computer-executable instructions, which when executed perform steps of a process, comprising:
  (a) collecting statistics associated with a script sample or a sub-script, including data from a previous iteration;
  (b) determining from the statistics whether to run the script sample or sub-script in an emulation environment, and if not, advancing to step (e);
  (c) processing the script sample or sub-script in an emulation environment, including performing signature matching to determine whether the script sample or sub-script matches a malware signature, and if so, ending the process with malware being detected;
  (d) determining whether to re-run a new sub-script in another iteration based upon information in the script sample or sub-script, and if so, placing data into a new sub-script and returning to step (a); and
  (e) ending the process with malware not being detected.
  Dependent claims: 18, 19, 20
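The pipeline of claim 10 (static engine producing statistics, decision logic, emulator raising events) driven by the iteration of claim 17, as an added worked example in Python. This is not code from the patent or from any product it covers. The emulator is a deliberately tiny interpreter of a JavaScript subset (`var` assignment, string literals, `+` concatenation, `String.fromCharCode`, `unescape`, `eval`), chosen so the loop can peel two obfuscation layers offline; the signature sets, the heuristic thresholds, the sample scripts and every function and class name are assumptions constructed for this example. `eval` does not execute its argument: it raises an event carrying the decoded text, which is both matched against event signatures and fed back as the next sub-script.

```python
"""Added example: iterative script scan modelled on claims 10 and 17.
Static text signatures -> statistics -> heuristic decision -> tiny emulator
-> event signatures -> re-run the decoded sub-script. All signatures,
thresholds and samples are constructed for this example."""
import math
import re
from collections import Counter

STATIC_SIGNATURES = {"Demo.Static.CalcDropper": 'sh.Run("calc.exe")'}   # exact substrings
GENERIC_SIGNATURES = {                                                   # behaviour-class regexes
    "Demo.Generic.WScriptShell": re.compile(r'ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)'),
}
EVENT_SIGNATURES = {                                                     # predicates over events
    "Demo.Event.EvalShellRun": lambda ev, payload: ev == "eval"
    and "WScript.Shell" in payload and ".Run(" in payload,
}
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[A-Za-z_$][\w$]*|\d+|\S')

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def collect_statistics(script, depth):
    """Step (a): statistics from a tokenizer pass over the script or sub-script."""
    tokens = TOKEN_RE.findall(script)
    strings = [t for t in tokens if t and t[0] in "\"'"]
    return {"depth": depth, "entropy": shannon_entropy(script),
            "eval_calls": sum(t in ("eval", "Function") for t in tokens),
            "decoder_calls": sum(t in ("fromCharCode", "unescape") for t in tokens),
            "string_ratio": sum(map(len, strings)) / max(len(script), 1)}

def should_emulate(stats, max_depth=5):
    """Step (b): parameterised heuristic; the weights and cut-offs are assumptions."""
    if stats["depth"] >= max_depth:
        return False
    score = 2 * stats["eval_calls"] + stats["decoder_calls"]
    score += stats["entropy"] > 4.5
    score += stats["string_ratio"] > 0.5
    return score >= 2

def split_top_level(s, sep):
    """Split on `sep` only outside string literals and at parenthesis depth 0."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in s:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append("".join(cur)); cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts

class Emulator:
    """Tiny JS-subset interpreter (not a real engine). eval() raises an event
    with the decoded text instead of executing it."""
    CALL_RE = re.compile(r'(String\.fromCharCode|unescape|eval)\((.*)\)$', re.S)
    VAR_RE = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*(.*)$', re.S)

    def __init__(self):
        self.vars, self.events = {}, []

    def run(self, script):
        for stmt in filter(None, map(str.strip, split_top_level(script, ";"))):
            m = self.VAR_RE.match(stmt)
            if m:
                self.vars[m.group(1)] = self.eval_expr(m.group(2))
            else:
                self.eval_expr(stmt)

    def eval_expr(self, expr):
        expr = expr.strip()
        parts = split_top_level(expr, "+")
        if len(parts) > 1:                       # JS-style string concatenation
            return "".join(str(self.eval_expr(p)) for p in parts)
        if not expr:
            raise ValueError("empty expression")
        if expr[0] in "\"'":
            return expr[1:-1]                    # assumption: no escape sequences in literals
        if expr.isdigit():
            return int(expr)
        m = self.CALL_RE.match(expr)
        if m:
            fn, arg = m.groups()
            if fn == "String.fromCharCode":
                return "".join(chr(int(a.strip())) for a in split_top_level(arg, ","))
            if fn == "unescape":
                return re.sub(r"%([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)),
                              str(self.eval_expr(arg)))
            payload = str(self.eval_expr(arg))
            self.events.append(("eval", payload))  # event for the signature engine
            return payload
        if expr in self.vars:
            return self.vars[expr]
        raise ValueError("unsupported construct: " + expr[:40])

def match_text(script):
    hits = [n for n, s in STATIC_SIGNATURES.items() if s in script]
    return hits + [n for n, r in GENERIC_SIGNATURES.items() if r.search(script)]

def match_events(events):
    return [n for n, pred in EVENT_SIGNATURES.items() if any(pred(e, p) for e, p in events)]

def scan(script, max_depth=5):
    """Returns (matched signature names, depth of the layer that matched or was last examined)."""
    sub, depth = script, 0
    while True:
        hits = match_text(sub)                       # static engine on this layer's text
        if hits:
            return hits, depth
        stats = collect_statistics(sub, depth)       # (a)
        if not should_emulate(stats, max_depth):     # (b): no emulation -> (e)
            return [], depth
        emu = Emulator()
        try:
            emu.run(sub)                             # (c)
        except ValueError:
            return [], depth                         # caveat: unsupported construct treated as clean
        hits = match_events(emu.events)
        if hits:
            return hits, depth
        decoded = [p for e, p in emu.events if e == "eval" and p != sub]   # (d)
        if not decoded:
            return [], depth                         # (e)
        sub, depth = decoded[0], depth + 1

# Constructed samples: a two-layer obfuscated dropper and a benign decoder.
INNER = 'var sh = new ActiveXObject("WScript.Shell"); sh.Run("calc.exe")'
LAYER1 = 'var p = unescape("%s"); eval(p)' % "".join("%%%02X" % ord(c) for c in INNER)
SAMPLE = 'var c = String.fromCharCode(%s); eval(c)' % ",".join(str(ord(c)) for c in LAYER1)
BENIGN = 'var s = String.fromCharCode(72,105); eval(s)'

if __name__ == "__main__":
    for name, s in (("SAMPLE", SAMPLE), ("INNER", INNER), ("BENIGN", BENIGN)):
        print(name, scan(s))
```

Two points a practitioner would want to note. First, `SAMPLE` matches nothing as text at depth 0 or 1; it is only the `eval` event raised after the `fromCharCode` and `unescape` layers have been peeled that triggers a signature, which is the iterative de-obfuscation the abstract describes, while `INNER` on its own is caught by the static engine before any emulation and `BENIGN` is emulated once, yields a harmless layer, and exits through step (e). Second, treating an unsupported construct as clean is a weak default kept here only for brevity: an engine built along these lines would record the emulation failure as a statistic for the next iteration, and the depth cap in `should_emulate` is what stops a script that chains `eval` indefinitely from looping the scanner.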
Specification