SYSTEMS AND METHODS FOR MALWARE EVASION MANAGEMENT

US 20160259939A1
Filed: 03/05/2015
Published: 09/08/2016
Est. Priority Date: 03/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method for emulating at least one resource in a host computer to a querying hosted code, comprising:

monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, said plurality of OS queries are designated to an OS of said monitored computing unit;

detecting among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit among said plurality of OS queries, said at least one query is received from querying code of said plurality of code;

preparing a response of said OS to said at least one query, said response comprising a false indication at least one false characteristic of said at least one resource; and

sending said response to said querying code in response to said at least one query.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for emulating at least one resource in a host computer to a querying hosted code. The method comprises monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, the plurality of OS queries are designated to an OS of the monitored computing unit, detecting among the plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of the monitored computing unit among the plurality of OS queries, the at least one query is received from querying code of the plurality of code, preparing a response of the OS to the at least one query, the response comprising a false indication at least one false characteristic of the at least one resource, and sending the response to the querying code in response to the at least one query.

Citations

26 Claims

1. A method for emulating at least one resource in a host computer to a querying hosted code, comprising:
- monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, said plurality of OS queries are designated to an OS of said monitored computing unit;
  
  detecting among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit among said plurality of OS queries, said at least one query is received from querying code of said plurality of code;
  
  preparing a response of said OS to said at least one query, said response comprising a false indication at least one false characteristic of said at least one resource; and
  
  sending said response to said querying code in response to said at least one query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22)
- - 2. The method of claim 1, wherein said false indication is of an execution of a security mechanism for processing running programs by said monitored computing unit, said false indication is sent while said monitored computing unit does not execute said security mechanism.
  - 3. The method of claim 1, wherein said false indication is of an absence of execution of a security mechanism for processing running programs on said monitored computing unit, said false indication is sent while said monitored computing unit executes said security mechanism.
  - 4. The method of claim 1, wherein said at least one query comprises a query for accessing at least part of sensitive data managed by said OS of said monitored computing unit;
    - wherein said false indication comprises an indication of a false copy of said at least part of said sensitive data.
  - 5. The method of claim 1, wherein said plurality of OS queries comprises a plurality of OS Application Program Interface (API) service requests selected to invoke said OS to perform a task at runtime.
  - 6. The method of claim 1, wherein said monitoring comprises hooking said plurality of OS queries before said OS receives said plurality of OS queries.
  - 7. The method of claim 1, further comprising hooking a true response by said OS to said OS query before said querying code receives said true response.
  - 8. The method of claim 1, wherein said plurality of OS queries comprises a member of a group consisting of a function call, an event and a message.
  - 9. The method of claim 1, further comprising classifying said querying code as a malicious code and blocking at least one function of said querying code from being executed by said monitored computing unit.
  - 10. The method of claim 1, further comprising detecting at least one action performed by said querying code after receiving said response and classifying said querying code according to said at least one action.
  - 11. The method of claim 10, wherein said detecting comprises matching said at least one action to a predefined model and classifying said querying code according to said match.
  - 12. The method of claim 1, further comprising counting the number of processor instructions that arise from said response and classifying said querying code according to said counting.
  - 13. The method of claim 1, further comprising accessing and analyzing the executable instructions of the querying code stored within a local memory of said monitored computing.
  - 14. The method of claim 1, wherein said response is a preconfigured response emulating a response of a computing unit running a SandBox environment for executing said querying code.
  - 15. The method of claim 1, wherein said response is a preconfigured response emulating a response of a computing unit of without an actual resource managed by said monitored computing unit.
  - 16. The method of claim 1, further comprising managing a general response policy defining a plurality of local response policies each for another of a plurality of monitored computing units including said monitored computing unit;
    - wherein said preparing comprises preparing said response according to response instructions defined in a respective said local response policy.
  - 17. The method of claim 16, further comprising in response to said detecting at least one query, managing said general response policy by dynamically correlating between at least some of said plurality of local response policies at run time, wherein said local response policy for each one of a plurality of monitored computing units is correlated based on said general response policy.
  - 18. The method of claim 1, further comprising:
    - forwarding said querying code to run in a testing environment;
      
      detecting at least one additional query for receiving said at least one characteristic among said plurality of operating system (OS) queries from said querying code;
      
      preparing an additional response of said OS to said at least one additional query for provoking said querying code to escalate a malicious attack, said additional response comprises another false indication of an absence of execution of a security mechanism for processing running programs on said monitored computing unit, said false indication is sent while said testing environment executes said security mechanism;
      
      sending said additional response to said querying code in response to said at least one additional query; and
      
      monitoring said querying code for detecting said malicious attack.
  - 19. The method of claim 1, further comprising calculating a score for said querying code and managing operations of said querying code according to said score.
  - 20. A computer readable medium comprising computer executable instructions adapted to perform the method of claim 1.
  - 22. The system comprising a plurality of hosting devices, each defined recited in claim 1.

21. A hosting device for emulating at least one resource to a querying hosted code, comprising:
- a processor unit coupled to an evasion manipulation module, said evasion manipulation module for implementing stored code, the stored code comprising;
  
  code to monitor a plurality of operating system (OS) queries send from a plurality of code executed on a monitored computing unit to an OS of said monitored computing unit;
  
  code to detect among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit among said plurality of operating system (OS) queries, said at least one query is received from a querying code of said plurality of code;
  
  code to prepare a response of said OS to said at least one query, said response comprising at least one false characteristic of said at least one resource; and
  
  code to send said response to said querying code in response to said at least one query.
- View Dependent Claims (23)
- - 23. The system of claim 21, wherein a respective processing unit of at least one of a plurality of network nodes prepares said false indication to indicate an absence of execution of a security mechanism for processing running programs on a respective said monitored computing unit and a respective said processing unit of at least one other of said plurality of network nodes prepares said false indication to indicate an execution of said security mechanism by a respective said monitored computing unit.

24. A system for emulating at least one resource to a querying hosted code, comprising:
- a plurality of evasion manipulation modules which are installed in a plurality of connected computing nodes;
  
  a processor coupled to each evasion manipulation module, each evasion manipulation module for implementing stored code, the stored code comprising;
  
  code to respond to OS queries received from one or more querying codes hosted by respective computing nodes with false responses faking the presence or the absence of a security mechanism in the respective hosting computing node such that when the querying code is a malicious code an escalation process is triggered in the computing node with a security mechanism.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein the evasion manipulation modules of respective connected computing nodes are adapted to generate the fake responses such that the malicious code is passively routed from at least one computing node without the security mechanism to at least one computing node having the security mechanism.

26. A computer program product for emulating a at least one resource in a host computer to a querying hosted code comprising a readable storage medium storing program code thereon for use by a processor, the program code comprising:
- instructions for monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, said plurality of OS queries are designated to an OS of said monitored computing unit;
  
  instructions for detecting among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit among said plurality of OS queries, said at least one query is received from a querying code of said plurality of code;
  
  instructions for preparing a response of said OS to said at least one query, said response comprising a false indication at least one false characteristic of said at least one resource; and
  
  instructions for sending said response to said querying code in response to said at least one query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7 (Rapid7, Inc.), Rapid7 International Ltd. (Rapid7, Inc.)
Original Assignee
Minerva Labs Ltd. (Rapid7, Inc.)
Inventors
MOYAL, Omri, BOBRITSKY, Eduard, BREIMAN, Erez

Granted Patent

US 9,846,775 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/245 Query processing

G06F 21/566 Dynamic detection, i.e. det...

SYSTEMS AND METHODS FOR MALWARE EVASION MANAGEMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR MALWARE EVASION MANAGEMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links