INTRUSION PREVENTION AND REMEDY SYSTEM

US 20150372980A1
Filed: 06/24/2014
Published: 12/24/2015
Est. Priority Date: 06/24/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

intercepting an incoming message from a remote source directed to an endpoint device, the endpoint device being detected as including a callback malware;

substituting a first portion of information within the incoming message with a second portion of information, the second portion of information mitigates operability of the callback malware; and

returning the incoming message including the second portion of the information to the endpoint device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device.

230 Citations

27 Claims

1. A computerized method, comprising:
- intercepting an incoming message from a remote source directed to an endpoint device, the endpoint device being detected as including a callback malware;
  
  substituting a first portion of information within the incoming message with a second portion of information, the second portion of information mitigates operability of the callback malware; and
  
  returning the incoming message including the second portion of the information to the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computerized method of claim 1, wherein prior to intercepting the incoming message, the method further comprisesdetermining whether a portion of the incoming message matches a callback signature, the callback signature generated in response to a prior detection of the callback malware within an object associated with monitored network traffic.
  - 3. The computerized method of claim 2, wherein the prior detection of the callback malware comprises detecting one or more anomalous behaviors indicative of the callback malware during virtual execution of a second object associated with the monitored network traffic within a virtual machine.
  - 4. The computerized method of claim 1, wherein prior to intercepting the incoming message, the method further comprisesdetermining whether a portion of the incoming message violates at least one callback rule, the callback rule being generated in response to a prior detection of the callback malware within an object associated with monitored network traffic.
  - 5. The computerized method of claim 1, wherein the substituting of the first portion of information with the second portion of information comprisesuploading a neutralized version of at least a portion of the callback malware as the second portion of information into the incoming message, the neutralized version being code that modifies at least the portion of the callback malware to cause the callback malware to mitigate operability of the callback malware.
  - 6. The computerized method of claim 5, wherein prior to the uploading of the neutralized version being code that modifies at least the portion of the callback malware, the method further comprises accessing a data store based on the identified callback malware and determining whether the data store includes the neutralized version.
  - 7. The computerized method of claim 5, wherein prior to the uploading of the neutralized version being code that modifies at least the portion of the callback malware, the method further comprises generating the neutralized version that is configured to modify a callback identifier included within the incoming message.
  - 8. The computerized method of claim 5, wherein the callback malware becomes inoperable upon modifying the portion of the callback malware with the neutralized version of at least the portion of the callback malware.
  - 9. The computerized method of claim 5, wherein prior to the uploading of the neutralized version being code that modifies at least the portion of the callback malware, the method further comprises conducting a virtual analysis of the code associated with the neutralized version to confirm that the operability of the callback malware has been mitigated.
  - 10. The computerized method of claim 1, wherein the substituting of the first portion of information with the second portion of information comprisesdetermining whether the incoming message is a command from a Command and Control (CnC) server that causes the compromised endpoint device to attempt to exfiltrate sensitive information.
  - 11. The computerized method of claim 1, wherein the substituting of the first portion of information with the second portion of information comprisesdetermining whether the incoming message is a command from a Command and Control (CnC) server that causes the compromised endpoint device to evade detection.
  - 12. The computerized method of claim 1, wherein the substituting of the first portion of information with the second portion of information comprisesdetermining whether the incoming message is a code update from a Command and Control (CnC) server that causes the compromised endpoint device to attempt to exfiltrate sensitive information.
  - 13. The computerized method of claim 1, wherein the returning of the incoming message comprises modifying a portion of the callback malware with the second portion of the information being information that, when processed, mitigates operability of the callback malware.
  - 14. The computerized method of claim 1, wherein the returning of the incoming message comprises modifying a portion of the callback malware with the second portion of the information being information that, when processed, causes the callback malware to become inoperable.
  - 15. The computerized method of claim 1, wherein the intercepting of the incoming message, the substituting of the first portion of information, and returning of the incoming message are conducted by an intrusion protection system (IPS) logic.
  - 16. The computerized method of claim 2, wherein upon determining that the portion of the incoming message matches the callback signature by logic within an intrusion protection system, a first grouping of logic within the intrusion protection system becomes inactive and a second grouping of logic within the intrusion protection system becomes active, the second grouping of logic performs functionality of intercepting the incoming message, substituting the first portion of information, and returning of the incoming message.
  - 17. The computerized method of claim 16, wherein the second grouping of logic includes a malware protocol decoder logic that is accessible to a data store.

18. A computerized method comprising:
- scanning memory of an endpoint device;
  
  performing virtual analysis on information obtained from the scanned memory to (1) determine that the information is callback malware and (2) generate callback check information corresponding to the callback malware;
  
  in response to a malicious callback session being detected based on the callback check information,intercepting an incoming message from a remote source directed to the endpoint device of the one or more endpoint devices, the incoming message being a response to a callback message from the endpoint device,substituting a first portion of information within the incoming message with a second portion of information, the second portion of information mitigates operability of the callback malware, andreturning the incoming message including the second portion of the information to the endpoint device.
- View Dependent Claims (19)
- - 19. The computerized method of claim 18, wherein the callback check information includes one or more callback signatures.

20. A system comprising:
- an interface to receive an incoming message from a remote source directed to an endpoint device, the endpoint device being previously detected as including a callback malware; and
  
  a first analysis engine in communication with the interface, the first analysis engine to (i) intercept the incoming message, (ii) substitute a first portion of information within the incoming message with a second portion of information where the second portion of information mitigates operability of the callback malware, and (iii) return the incoming message including the second portion of the information to the endpoint device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20, wherein the first analysis engine is logic within an intrusion prevention system (IPS) device.
  - 22. The system of claim 20, wherein the first analysis engine intercepts the incoming message by extracting one or more objects from the incoming message and determining that the one or more object matches callback check information corresponding to the callback malware.
  - 23. The system of claim 22 further comprising a second analysis engine that, prior to receipt of the incoming message by the system, detects one or more anomalous behaviors indicative of the callback malware during virtual execution of an object associated with network traffic within a virtual machine and generates the callback check information based on detection of the callback malware.
  - 24. The system of claim 20, wherein substituting of the first portion of information with the second portion of information by the first analysis engine includes uploading a neutralized version of at least a portion of the callback malware as the second portion of information into the incoming message, the neutralized version being code that modifies at least the portion of the callback malware to cause the callback malware to mitigate operability of the callback malware.
  - 25. The system of claim 24, wherein the first analysis engine, prior to the uploading of the neutralized version being, further accesses a data store based on the identified callback malware and determines whether the data store includes the neutralized version.
  - 26. The system of claim 24, wherein the first analysis engine returns the neutralized version of at least the portion of the callback malware to the endpoint device to modify the callback malware and cause the callback malware to become inoperable.
  - 27. The system of claim 24, wherein the first analysis engine to return the incoming message with the second portion of the information that, when processed, mitigates operability of the callback malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Eyada, Hatem

Granted Patent

US 10,084,813 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

INTRUSION PREVENTION AND REMEDY SYSTEM

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

230 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION PREVENTION AND REMEDY SYSTEM

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

230 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links