DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

US 20130014259A1
Filed: 06/04/2012
Published: 01/10/2013
Est. Priority Date: 01/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting sources that are accessible over a network and that install spyware or other undesired content, the method comprising:

(a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source accessible on the network, to determine if the potential source attempts to install spyware on the computing device of a user;

(b) automatically loading the potential source within the virtual machine environment; and

(c) determining if the potential source has at least attempted to install spyware in the virtual machine environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim'"'"'s computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.

346 Citations

21 Claims

1. A method for detecting sources that are accessible over a network and that install spyware or other undesired content, the method comprising:
- (a) producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source accessible on the network, to determine if the potential source attempts to install spyware on the computing device of a user;
  
  (b) automatically loading the potential source within the virtual machine environment; and
  
  (c) determining if the potential source has at least attempted to install spyware in the virtual machine environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11)
- - 2. The method of claim 1, wherein the potential source includes a web page component that is configured to be rendered by a browser program, and wherein loading the potential source within the virtual machine environment comprises:
    - (a) executing the browser program within the virtual machine environment;
      
      (b) requesting the web page from a remote site on the network using the browser program;
      
      (c) loading the web page into the browser program so that it is rendered;
      
      (d) detecting at least one of a plurality of predefined triggers that are fired as a result of the page being loaded into the browser program and rendered; and
      
      (e) if at least one of the plurality of predefined triggers is detected, determining that the web page is at least attempting to perform a drive-by attack in the virtual machine environment.
  - 3. The method of claim 2, wherein if at least one of the plurality of predefined triggers is detected, further executing anti-spyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment to test for a definitive indication that spyware has been installed in the virtual machine environment.
  - 4. The method of claim 1, wherein the potential source includes an executable file, and wherein loading the potential source within the virtual machine environment comprises:
    - (a) installing the executable file within the virtual machine environment; and
      
      (b) analyzing the virtual machine environment after the executable file is installed, to determine if installation of the executable file has caused an attack to be made within the virtual machine environment, the attack comprising executable code that is installed by a software module included with the executable file.
  - 5. The method of claim 4, wherein installing the executable file comprises employing heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 6. The method of claim 4, wherein analyzing the virtual machine environment comprises:
    - (a) installing and executing an anti-spyware software program within the virtual machine environment; and
      
      (b) employing the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused spyware to be installed within the virtual machine environment.
  - 7. The method of claim 1, further comprising automatically searching the network to find potential sources that attempt to attack the computing device of a user.
  - 8. The method of claim 7, wherein searching the network comprises employing a crawler program to access a plurality of sites on the network, wherein the crawler program successively follows links on pages on a site, to access other pages and other sites on the network.
  - 10. The method of claim 1, further comprising if it is determined that the potential source has at least attempted to install spyware in the virtual machine environment, retaining data identifying the potential source.
  - 11. A physical machine readable memory medium having machine instructions stored thereon for carrying out the method of claim 1.

9. (canceled)

12. A system for detecting sources that are accessible over a network and that at least attempt an attack, where the attack includes installing spyware or other undesired content, comprising:
- (a) a computing device having a memory, and a processor coupled to the memory, wherein the processor is configured to execute machine instructions that are stored in the memory; and
  
  (b) an interface coupling the computing device in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including;
  
  (i) creating a virtual machine environment in which to test potential sources found on the network to determine if a potential source at least attempts an attack, and installing a clean operating system within the virtual machine environment;
  
  (ii) automatically loading the potential source into the virtual machine environment for testing; and
  
  (iii) determining if the potential source has at least attempted an attack in the virtual machine environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 20)
- - 13. The system of claim 12, wherein the machine instructions stored in the memory further cause the processor to:
    - (a) execute a browser program in the virtual machine environment;
      
      (b) from a remote site, automatically download a page having a component that is capable of being rendered as part of the page by a browser program, to determine if the component comprises the potential source that has at least attempted an attack in the virtual machine environment, the page being loaded into and rendered in the browser program;
      
      (c) detecting at least one of a plurality of predefined triggers that are fired as a result of the page being loaded into the browser program and rendered; and
      
      (d) if at least one of the plurality of predefined triggers is detected, determining that the page is at least attempting a drive-by attack in the virtual machine environment.
  - 14. The system of claim 13, wherein if at least one of the plurality of predefined triggers is detected, the machine instructions further cause the processor to execute antispyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment and test for a definitive indication that spyware has been installed in the virtual machine environment during the attack.
  - 15. The system of claim 12, wherein the potential source that has at least attempted to install spyware comprises an executable file, and wherein the machine language instructions further cause the processor to:
    - (a) install the executable file within the virtual machine environment; and
      
      (b) analyze the virtual machine environment after the executable file is installed to determine if installation of the executable file has caused a drive-by attack to be made in the virtual machine environment by the executable file.
  - 16. The system of claim 14, wherein to install the executable file, the machine language instructions cause the processor to employ heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 17. The system of claim 14, wherein to analyze the virtual machine environment, the machine language instructions cause the processor to:
    - (a) install and execute an anti-spyware software program within the virtual machine environment; and
      
      (b) employ the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused spyware to be installed within the virtual machine environment.
  - 18. The system of claim 12, wherein the machine language instructions further cause the processor to define a crawler program and employ the crawler program to access a plurality of sites on the network to search the network for potential sources of the attack, wherein the crawler program successively follows links on pages on a site, to access other pages and other sites on the network.
  - 20. The system of claim 12, wherein, if it is determined that the potential source has at least attempted an attack in the virtual machine environment, machine language instructions further cause the processor to retain data in the memory to identify the potential source.

19. (canceled)

21-49. -49. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Washington
Original Assignee
University of Washington
Inventors
Gribble, Steven, Levy, Henry, Moshchuk, Alexander, Bragin, Tanya

Granted Patent

US 9,043,913 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

346 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

346 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links