EMULATING SHELLCODE ATTACKS
First Claim
1. A method comprising:
receiving, by a target system from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
determining, by the target system, failure of installation of the shellcode on the target system; and
in response to determining failure of installation of the shellcode on the target system—
identifying, by the target system, a type of the shellcode;
selecting, by the target system, a shellcode emulator corresponding to the type;
receiving, by the target system, instructions from the intruder system;
executing, by the target system, the instructions by the emulator;
characterizing, by one of the target system and another system, behavior of the shellcode according to the instructions to generate a shellcode characterization; and
transmitting, by the one of the target system and another system, the characterization to a plurality of computer systems.
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements the service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as a successful shellcode attack would. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
20 Claims
1. A method comprising:
receiving, by a target system from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
determining, by the target system, failure of installation of the shellcode on the target system; and
in response to determining failure of installation of the shellcode on the target system—
identifying, by the target system, a type of the shellcode;
selecting, by the target system, a shellcode emulator corresponding to the type;
receiving, by the target system, instructions from the intruder system;
executing, by the target system, the instructions by the emulator;
characterizing, by one of the target system and another system, behavior of the shellcode according to the instructions to generate a shellcode characterization; and
transmitting, by the one of the target system and another system, the characterization to a plurality of computer systems.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system comprising one or more processors and one or more memory devices storing executable and operational code, the executable and operational code effective to cause the one or more processors to:
receive, from an intruder system, a shellcode including executable and operational instructions effective, when executed, to cause the target system to execute a shell for receiving and executing instructions on the target system;
determine failure of installation of the shellcode on the target system; and
in response to failure of installation of the shellcode on the target system—
identify a type of the shellcode;
select a shellcode emulator corresponding to the type;
receive instructions from the intruder system;
execute the instructions by the emulator;
characterize behavior of the shellcode according to the instructions to generate a shellcode characterization; and
transmit the characterization to a plurality of computer systems.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
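The control flow of claim 1 (identify the type of a shellcode whose installation failed, select a matching emulator, let it receive and "execute" the intruder's instructions, characterize, transmit), as an added Python example that is not the patent's or any product's code. The type signatures, the intruder's instruction list and the install_failed flag (assumed to be reported by the target system's own monitoring) are constructed for illustration; the emulator records instructions and executes none of them.

```python
import json

# Constructed type signatures (illustrative prefixes, not real shellcode bytes).
SIGNATURES = {b"BIND:": "bind_shell", b"REVERSE:": "reverse_shell"}

class ShellEmulator:
    """Fake shell for one shellcode type: records instructions, executes none."""
    def __init__(self, kind, shellcode):
        self.kind, self.commands, self.callbacks = kind, [], []
        if kind == "reverse_shell":  # a reverse shell calls home; the real system
            _, host, port = shellcode.split(b":")  # would route this to the Sinkhole
            self.callbacks.append(f"{host.decode()}:{int(port)}")

    def execute(self, instruction):
        self.commands.append(instruction)
        return "ok\n"  # canned reply keeps the intruder sending instructions

def identify_type(shellcode):
    """Step 'identify a type': match the received bytes against known-type signatures."""
    return next((k for sig, k in SIGNATURES.items() if shellcode.startswith(sig)), None)

def characterize(emulator):
    """Step 'characterize behavior' from what the emulator recorded."""
    return {
        "shellcode_type": emulator.kind,
        "instruction_count": len(emulator.commands),
        "fetch_attempts": [c for c in emulator.commands if c.split(" ", 1)[0] in ("wget", "curl")],
        "callbacks": emulator.callbacks,
    }

def handle_attack(shellcode, install_failed, intruder_instructions, subscribers):
    """Claim 1 control flow. install_failed is assumed to come from the target's
    own monitoring; subscribers stand for the 'plurality of computer systems'."""
    if not install_failed:
        return None  # a successful install is observed directly, not emulated
    kind = identify_type(shellcode)
    if kind is None:
        return None  # unknown type: no emulator to select, so the session is dropped
    emulator = ShellEmulator(kind, shellcode)
    for instruction in intruder_instructions:  # receive, then execute by the emulator
        emulator.execute(instruction)
    report = characterize(emulator)
    for system in subscribers:  # transmit the characterization to every subscriber
        system.append(json.dumps(report, sort_keys=True))
    return report
```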
Specification