SYSTEMS AND METHODS FOR SCANNING PACKED PROGRAMS IN RESPONSE TO DETECTING SUSPICIOUS BEHAVIORS
Abstract
A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- executing a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- monitoring, while the packed program is executing, how the packed program behaves;
- detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
- performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9 (not shown).
10. A system for scanning packed programs in response to detecting suspicious behaviors, the system comprising:
- an executing module, stored in memory, that executes a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- a monitoring module, stored in memory, that monitors how the packed program behaves while the packed program is executing;
- a detecting module, stored in memory, that detects, while the packed program is monitored, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
- a security module, stored in memory, that performs a security operation on the packed program in response to detecting the suspicious behavior of the malicious code;
- at least one processor that executes the executing module, the monitoring module, the detecting module, and the security module.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18 (not shown).
19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- execute a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- monitor, while the packed program is executing, how the packed program behaves;
- detect, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
- perform a security operation on the packed program in response to detecting the suspicious behavior of the malicious code.

Dependent claims: 20 (not shown).
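As an added illustration of the claimed sequence (this is example code, not from the patent), the Python simulation below shows why the ordering matters: a signature scan of the packed bytes misses the obfuscated payload, whereas a scan triggered by a suspicious runtime behavior runs against the deobfuscated in-memory image, and a benign packed program that never exhibits such a behavior is never scanned at runtime. The single-byte XOR packer, the signature, the behavior event names and the suspicious-behavior set are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterator

# Constructed detection signature and packer key (not from the patent).
SIGNATURE = b"CONSTRUCTED_MALICIOUS_CODE_MARKER"
XOR_KEY = 0x5A
# Constructed behaviors attributed to the malicious code itself, not to the unpacker.
SUSPICIOUS = frozenset({"process_inject", "network_beacon", "tamper_security_service"})


def pack(data: bytes) -> bytes:
    """Single-byte XOR packer; XOR is its own inverse, so this also unpacks."""
    return bytes(b ^ XOR_KEY for b in data)


def scan(image: bytes) -> bool:
    """Signature scan over a byte image; True if the signature is present."""
    return SIGNATURE in image


@dataclass
class PackedProgram:
    """Unpacking stub plus obfuscated payload plus the payload's own behaviors."""
    packed_payload: bytes
    payload_behaviors: list[str]
    memory: bytes = b""

    def run(self) -> Iterator[str]:
        """Simulated execution, yielding one behavior event per step."""
        yield "alloc_rwx"
        self.memory = pack(self.packed_payload)  # unpacking code deobfuscates in memory
        yield "write_code"
        yield "exec_unpacked"
        yield from self.payload_behaviors  # only now does the (malicious) payload act


def monitor_and_scan(program: PackedProgram, suspicious: frozenset[str]) -> dict:
    """Scan the packed (on-disk) form, then monitor execution and scan memory only
    once a suspicious behavior is observed (the claimed security operation)."""
    result = {"static_hit": scan(program.packed_payload), "trigger": None, "runtime_hit": None}
    for event in program.run():
        if event in suspicious:
            result["trigger"] = event
            result["runtime_hit"] = scan(program.memory)
            break
    return result


def demo() -> tuple[dict, dict]:
    """Constructed malicious and benign packed programs run under the same monitor."""
    malicious = PackedProgram(pack(SIGNATURE + b" plus more payload"), ["network_beacon", "process_inject"])
    benign = PackedProgram(pack(b"legitimate packed installer"), ["file_read", "show_ui"])
    return monitor_and_scan(malicious, SUSPICIOUS), monitor_and_scan(benign, SUSPICIOUS)
```

Calling `demo()` returns one result per program: the malicious one reports `static_hit` False, a `network_beacon` trigger and `runtime_hit` True, while the benign one is never triggered and never scanned at runtime.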
Specification