EMULATING SHELLCODE ATTACKS

US 20160261631A1
Filed: 05/17/2016
Published: 09/08/2016
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a target system from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;

determining, by the target system, failure of installation of the shellcode on the target system; and

in response to determining failure of installation of the shellcode on the target system—

identifying, by the target system, a type of the shellcode;

selecting, by the target system, a shellcode emulator corresponding to the type;

receiving, by the target system, instructions from the intruder system;

executing, by the target system, the instructions by the emulator;

characterizing, by one of the target system and another system, behavior of the shellcode according to the instructions to generate a shellcode characterization; and

transmitting, by the one of the target system and another system, the characterization to a plurality of computer systems.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

239 Citations

20 Claims

1. A method comprising:
- receiving, by a target system from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
  
  determining, by the target system, failure of installation of the shellcode on the target system; and
  
  in response to determining failure of installation of the shellcode on the target system—
  
  identifying, by the target system, a type of the shellcode;
  
  selecting, by the target system, a shellcode emulator corresponding to the type;
  
  receiving, by the target system, instructions from the intruder system;
  
  executing, by the target system, the instructions by the emulator;
  
  characterizing, by one of the target system and another system, behavior of the shellcode according to the instructions to generate a shellcode characterization; and
  
  transmitting, by the one of the target system and another system, the characterization to a plurality of computer systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising, wherein characterizing behavior of the shellcode according to the instructions comprises recording one or more of:
    - network connections invoked by the instructions;
      
      file system activities invoked by the instructions;
      
      process activities invoked by the instructions; and
      
      system calls invoked by the instructions.
  - 3. The method of claim 1, further comprising:
    - detecting, by the target system, outbound traffic from the emulator invoked by the instructions;
      
      in response to detecting outbound traffic invoked by the instructions, transmitting, by the target system, the outbound traffic to a sinkhole module;
      
      processing, by the sinkhole module, the outbound traffic and returning a response to the emulator.
  - 4. The method of claim 1, further comprising:
    - detecting, by the target system, outbound traffic from the emulator invoked by the instructions;
      
      identifying a service requested by the outbound traffic;
      
      instantiating a sinkhole module and provisioning the sinkhole module with the service in response to detecting the outbound traffic and identifying the service; and
      
      processing, by the sinkhole module, the outbound traffic and returning a response to the emulator.
  - 5. The method of claim 1, further comprising binding an instance of the emulator to a port of the target system;
    - wherein receiving the instructions from the intruder system comprises receiving the instructions at the port.
  - 6. The method of claim 1, further comprising:
    - transmitting access information for an instance of the emulator executing on the target system to the intruder system.
  - 7. The method of claim 1, wherein identifying the type of the shellcode comprises evaluating a signature of data constituting the shellcode.
  - 8. The method of claim 1, wherein identifying the type of the shellcode comprises evaluating assembler code of the shellcode.
  - 9. The method of claim 1, wherein the target system executes a secure service operable to accept requests to create a secure connection to a remote system, authenticate a user on the remote system, and execute instructions from the user;
    - andwherein the secure service performs all of determining blocking of installation of the shellcode on the target system, identifying a type of the shellcode, receiving instructions from the intruder system, and executing, by the target system, the instructions by the emulator;
  - 10. The method of claim 1, wherein selecting the shellcode emulator corresponding to the type comprises retrieving a definition of the shellcode emulator from a database storing a plurality of shellcode definitions.

11. A system comprising one or more processors and one or more memory devices storing executable and operational code, the executable and operational code effective to cause the one or more processors to:
- receive, from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
  
  determine failure of installation of the shellcode on the target system; and
  
  in response to failure of installation of the shellcode on the target system—
  
  identify a type of the shellcode;
  
  select a shellcode emulator corresponding to the type;
  
  receive instructions from the intruder system;
  
  execute the instructions by the emulator;
  
  characterize behavior of the shellcode according to the instructions to generate a shellcode characterization; and
  
  transmit the characterization to a plurality of computer systems.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to characterize behavior of the shellcode according to the instructions by recording one or more of:
    - network connections invoked by the instructions;
      
      file system activities invoked by the instructions;
      
      process activities invoked by the instructions; and
      
      system calls invoked by the instructions.
  - 13. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to:
    - detect outbound traffic from the emulator invoked by the instructions;
      
      in response to detecting outbound traffic invoked by the instructions, transmit the outbound traffic to a sinkhole module;
      
      process the outbound traffic and returning a response to the emulator.
  - 14. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to:
    - detect outbound traffic from the emulator invoked by the instructions;
      
      identify a service requested by the outbound traffic;
      
      instantiate a sinkhole module and provisioning the sinkhole module with the service in response to detecting the outbound traffic and identifying the service; and
      
      process, by the sinkhole module, the outbound traffic and return a response to the emulator.
  - 15. The system of claim 11, wherein the executable and operational code are further effective to:
    - cause the one or more processors to bind an instance of the emulator to a port of the target system;
      
      receive the instructions from the intruder system by receiving the instructions at the port.
  - 16. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to:
    - transmit access information for an instance of the emulator executing on the target system to the intruder system.
  - 17. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to identify the type of the shellcode by evaluating a signature of data constituting the shellcode.
  - 18. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to identify the type of the shellcode by evaluating assembler code of the shellcode.
  - 19. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to execute a secure service operable to accept requests to create a secure connection to a remote system, authenticate a user on the remote system, and execute instructions from the user;
    - andwherein the secure service includes executable and operational code effective to perform all of determining blocking of installation of the shellcode on the target system, identifying a type of the shellcode, receiving instructions from the intruder system, and executing, by the target system, the instructions by the emulator;
  - 20. The system of claim 11, wherein the executable and operational code are further effective to cause the one or more processors to select the shellcode emulator corresponding to the type by retrieving a definition of the shellcode emulator from a database storing a plurality of shellcode definitions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Singh, Navtej, Kajekar, Sachin

Granted Patent

US 10,567,431 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

EMULATING SHELLCODE ATTACKS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

239 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EMULATING SHELLCODE ATTACKS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

239 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links