DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE
First Claim
1. A method for detecting sources that are accessible over a network and that install spyware or other undesired content, the method comprising:
(a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source accessible on the network, to determine if the potential source attempts to install spyware on the computing device of a user;
(b) automatically loading the potential source within the virtual machine environment; and
(c) determining if the potential source has at least attempted to install spyware in the virtual machine environment.
Abstract
A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.
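The trigger-based check described in the abstract, as an added illustrative example (not the patent's own code): a clean-VM inventory of processes and libraries is compared with the inventory taken after the unmodified browser renders the page under test, after first learning which changes rendering a known-benign page causes, so ordinary browser noise is not reported as an attack. All snapshot contents, including names such as browser_helper.exe, updater_svc.exe and toolbar.dll, are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Inventory of a guest VM at one moment (constructed here, not collected)."""
    processes: frozenset   # image names of running processes
    libraries: frozenset   # paths of libraries present/loaded in the guest

@dataclass(frozen=True)
class Trigger:
    kind: str              # "new_process" or "new_library"
    detail: str

def learn_allowlist(clean, benign):
    """Rendering a known-benign page with an unmodified browser still changes
    the guest (helper processes, browser libraries). Record those changes so
    they are not mistaken for an attack on later runs."""
    return ((benign.processes - clean.processes)
            | (benign.libraries - clean.libraries))

def diff_snapshots(clean, after, allow=frozenset()):
    """Triggers: anything present after the page load that the clean baseline
    lacked, excluding the allow-listed browser noise."""
    triggers = [Trigger("new_process", proc)
                for proc in sorted(after.processes - clean.processes - allow)]
    triggers += [Trigger("new_library", lib)
                 for lib in sorted(after.libraries - clean.libraries - allow)]
    return triggers

def classify(clean, after, allow):
    """Verdict for one page load: 'drive-by' if any trigger fired, else 'clean'."""
    triggers = diff_snapshots(clean, after, allow)
    return ("drive-by" if triggers else "clean"), triggers

# Constructed guest states (hypothetical names, not real samples).
CLEAN = Snapshot(frozenset({"explorer.exe", "browser.exe"}),
                 frozenset({r"C:\Windows\System32\kernel32.dll"}))
# Same VM after rendering a known-benign page: only the browser's own helper.
BENIGN = Snapshot(CLEAN.processes | {"browser_helper.exe"}, CLEAN.libraries)
# Same VM after rendering the page under test: a new service and a new library.
SUSPECT = Snapshot(BENIGN.processes | {"updater_svc.exe"},
                   CLEAN.libraries | {r"C:\Program Files\Acme\toolbar.dll"})

if __name__ == "__main__":
    allow = learn_allowlist(CLEAN, BENIGN)
    for label, snap in (("benign page", BENIGN), ("page under test", SUSPECT)):
        verdict, hits = classify(CLEAN, snap, allow)
        print(label, "->", verdict, [(t.kind, t.detail) for t in hits])
```

Without the learned allow-list the browser's own helper process would itself count as a trigger, which is the false-positive source a practitioner has to calibrate for before trusting verdicts from the VM.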
21 Claims
1. Independent claim (text given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 10, 11.
9. (canceled)
12. A system for detecting sources that are accessible over a network and that at least attempt an attack, where the attack includes installing spyware or other undesired content, comprising:
(a) a computing device having a memory, and a processor coupled to the memory, wherein the processor is configured to execute machine instructions that are stored in the memory; and
(b) an interface coupling the computing device in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including:
(i) creating a virtual machine environment in which to test potential sources found on the network to determine if a potential source at least attempts an attack, and installing a clean operating system within the virtual machine environment;
(ii) automatically loading the potential source into the virtual machine environment for testing; and
(iii) determining if the potential source has at least attempted an attack in the virtual machine environment.
Dependent claims: 13, 14, 15, 16, 17, 18, 20.
19. (canceled)
21-49. (canceled)