SYSTEMS AND METHODS FOR SCANNING PACKED PROGRAMS IN RESPONSE TO DETECTING SUSPICIOUS BEHAVIORS

US 20150227742A1
Filed: 02/12/2014
Published: 08/13/2015
Est. Priority Date: 02/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

executing a packed program that comprises;

malicious code that has been obfuscated within the packed program;

unpacking code that deobfuscates and executes the malicious code when the packed program is executed;

monitoring, while the packed program is executing, how the packed program behaves;

detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;

performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.

38 Citations

View as Search Results

20 Claims

1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- executing a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  monitoring, while the packed program is executing, how the packed program behaves;
  
  detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein performing the security operation on the packed program comprises scanning, while the packed program is executing, at least a portion of memory of the packed program for at least one malware signature.
  - 3. The method of claim 1, further comprising receiving scanning criteria that specifies at least one suspicious behavior that will trigger scanning of memory of the packed program for at least one malware signature, wherein:
    - monitoring how the packed program behaves comprises monitoring how the packed program behaves for the specified suspicious behavior;
      
      detecting the suspicious behavior comprises detecting the specified suspicious behavior;
      
      performing the security operation on the packed program comprises scanning, in response to detecting the specified suspicious behavior, the memory of the packed program for the malware signature.
  - 4. The method of claim 3, wherein:
    - the scanning criteria further specifies a portion of the memory of the packed program that should be scanned in response to detecting the specified suspicious behavior;
      
      scanning the memory of the packed program for the malware signature comprises scanning the specified portion of the memory of the packed program for the malware signature.
  - 5. The method of claim 3, wherein:
    - the scanning criteria further specifies at least one malware signature with which to scan the memory of the packed program in response to detecting the specified suspicious behavior;
      
      scanning the memory of the packed program for the malware signature comprises scanning the memory of the packed program for the specified malware signature.
  - 6. The method of claim 1, wherein detecting the suspicious behavior of the malicious code comprises detecting an attempt, by the malicious code, to create a run registry key.
  - 7. The method of claim 1, wherein detecting the suspicious behavior of the malicious code comprises detecting an attempt, by the malicious code, to create a generic load point.
  - 8. The method of claim 1, wherein detecting the suspicious behavior of the malicious code comprises detecting an attempt, by the malicious code, to inject the malicious code into another process.
  - 9. The method of claim 1, wherein detecting the suspicious behavior of the malicious code comprises detecting an attempt, by the malicious code, to modify security settings.

10. A system for scanning packed programs in response to detecting suspicious behaviors, the system comprising:
- an executing module, stored in memory, that executes a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  a monitoring module, stored in memory, that monitors how the packed program behaves while the packed program is executing;
  
  a detecting module, stored in memory, that detects, while the packed program is monitored, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  a security module, stored in memory, that performs a security operation on the packed program in response to detecting the suspicious behavior of the malicious code;
  
  at least one processor that executes the executing module, the monitoring module, the detecting module, and the security module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the security module performs the security operation on the packed program by scanning, while the packed program is executing, at least a portion of memory of the packed program for at least one malware signature.
  - 12. The system of claim 10, further comprising a receiving module, stored in memory, that receives scanning criteria that specifies at least one suspicious behavior that will trigger scanning of memory of the packed program for at least one malware signature, wherein:
    - the monitoring module monitors how the packed program behaves by monitoring how the packed program behaves for the specified suspicious behavior;
      
      the detecting module detects the suspicious behavior by detecting the specified suspicious behavior;
      
      the security module performs the security operation on the packed program by scanning, in response to detecting the specified suspicious behavior, the memory of the packed program for the malware signature.
  - 13. The system of claim 12, wherein:
    - the scanning criteria further specifies a portion of the memory of the packed program that should be scanned in response to detecting the specified suspicious behavior;
      
      the security module scans the memory of the packed program for the malware signature by scanning the specified portion of the memory of the packed program for the malware signature.
  - 14. The system of claim 12, wherein:
    - the scanning criteria further specifies at least one malware signature with which to scan the memory of the packed program in response to detecting the specified suspicious behavior;
      
      the security module scans the memory of the packed program for the malware signature by scanning the memory of the packed program for the specified malware signature.
  - 15. The system of claim 10, wherein the detecting module detects the suspicious behavior of the malicious code by detecting an attempt, by the malicious code, to create a run registry key.
  - 16. The system of claim 10, wherein the detecting module detects the suspicious behavior of the malicious code by detecting an attempt, by the malicious code, to create a generic load point.
  - 17. The system of claim 10, wherein the detecting module detects the suspicious behavior of the malicious code by detecting an attempt, by the malicious code, to inject the malicious code into another process.
  - 18. The system of claim 10, wherein the detecting module detects the suspicious behavior of the malicious code by detecting an attempt, by the malicious code, to modify security settings.

19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- execute a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  monitor, while the packed program is executing, how the packed program behaves;
  
  detect, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  perform a security operation on the packed program in response to detecting the suspicious behavior of the malicious code.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the one or more computer-executable instructions cause the computing device to perform the security operation on the packed program by causing the computing device to scan, while the packed program is executing, at least a portion of memory of the packed program for at least one malware signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane

Granted Patent

US 9,171,154 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

SYSTEMS AND METHODS FOR SCANNING PACKED PROGRAMS IN RESPONSE TO DETECTING SUSPICIOUS BEHAVIORS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SCANNING PACKED PROGRAMS IN RESPONSE TO DETECTING SUSPICIOUS BEHAVIORS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links