System and Method for Detecting Time-Bomb Malware

US 20140380474A1
Filed: 06/24/2013
Published: 12/25/2014
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more counters;

comparison logic; and

one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

279 Citations

20 Claims

1. A system comprising:
- one or more counters;
  
  comparison logic; and
  
  one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the one or more virtual machines being configured to monitor time intervals for Sleep request messages initiated during processing of the content and identifying the content as including malware if a combined delay for the Sleep request message exceeds the first time period.
  - 3. The system of claim 1, wherein the one or more virtual machines being configured to monitor time intervals for Sleep request messages initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds the first time period.
  - 4. The system of claim 1, wherein the one or more virtual machines being configured to further monitor the one or more events being a number of function calls initiated during processing of the content and identifying the content as including malware if the number of function calls exceeds a threshold value.
  - 5. The system of claim 1, wherein the one or more virtual machines being configured to further monitor the one or more events by determining if, during processing of the content, the instruction pointer is repeatedly directed to a specific address or address range and identifying the content as including malware if the instruction pointer is repeatedly directed to the specific address or address range.
  - 6. The system of claim 1, wherein the first time period has a duration that is dynamically set.
  - 7. The system of claim 1, wherein the one or more virtual machines being configured to maintain and monitor values of time intervals for Sleep calls per call site, initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds a predetermined time period.
  - 8. The system of claim 1, wherein the one or more virtual machines being configured to maintain and monitor values of call counters for certain functions per call site, initiated during processing of the content, and identifying the content as including malware if one of the call counters exceeds the a predetermined count threshold.
  - 9. The system of claim 1 further comprising a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the content as including malware if a higher count is associated with a call site residing in the content under analysis.
  - 10. The system of claim 1 further comprising a heuristic engine being configured to identify delay hotspots and identifying the content as including malware if one of a plurality of time intervals associated with the delay exceeds a predetermined time period.
  - 11. The system of claim 1, wherein the comparison logic includes one or more comparators.

12. A system comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors, whereinthe one or more processors being configured to instantiate one or more virtual machines that are adapted to analysis received content and determine if the content includes time-bomb malware by monitoring at least one of (i) a number of events that delay processing of the received content and (ii) an amount of delay caused by the events and correspondingly determining that the content includes malware if at least one of (a) the number of events exceeds a first threshold and (b) the amount of delay caused by the events exceeds a second threshold.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the received content and identifying the content as including malware if a total delay requested by the one or more Sleep request messages exceeds the second threshold being a first predetermined time period.
  - 14. The system of claim 12, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds a first predetermined time period.
  - 15. The system of claim 12, wherein the one or more virtual machines being configured to further monitor the number of events being a number of function calls initiated during processing of the content and identifying the content as including malware if the number of function calls exceeds the first threshold.
  - 16. The system of claim 12, wherein the one or more virtual machines being configured to further monitor an event by determining if, during processing of the content, the instruction pointer is repeatedly directed to a specific address or address range and identifying the content as including malware if the instruction pointer is repeatedly directed to the specific address or address range.
  - 17. The system of claim 12, wherein the second threshold has a duration that is dynamically set.
  - 18. The system of claim 12, wherein the one or more virtual machines being configured to maintain and monitor time intervals for Sleep calls per call site, initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds a predetermined time period.
  - 19. The system of claim 12 further comprising a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the content.

20. A system comprising:
- one or more counters;
  
  one or more comparators coupled to the one or more counters; and
  
  one or more hardware processors communicatively coupled to the one or more counters and the one or more comparators, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to (i) monitor a delay caused by at least one of (a) repetitive Sleep request messages or (b) Application Programming Interface (API) function calls that is conducted during processing of the content and (ii) identify the content as including malware if the delay exceed a first time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vincent, Michael, Vashisht, Sai

Granted Patent

US 9,536,091 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

B01D 61/06   Energy recovery

C02F 1/44   by dialysis, osmosis or rev...

C02F 1/52   by flocculation or precipit...

C02F 1/66   by neutralisation; pH adjus...

C02F 1/76   with halogens or compounds ...

C02F 2103/08   Seawater, e.g. for desalina...

C02F 2303/10   Energy recovery

C02F 2303/18   Removal of treatment agents...

C02F 2303/185   The treatment agent being h...

C02F 3/1273   Submerged membrane bioreactors

C02F 5/08   Treatment of water with com...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Y02W 10/10   Biological treatment of wat...

Y02W 10/30   Wastewater or sewage treatm...

System and Method for Detecting Time-Bomb Malware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

279 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Detecting Time-Bomb Malware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

279 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links