Polymorphic virus detection module
First Claim
1. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of:
fetching an instruction from the computer file;
determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list;
delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus;
repeating the determining and delisting steps for each known polymorphic virus on the list;
emulating the instruction;
tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list;
repeating the above said steps when at least one known polymorphic virus remains on the list; and
scanning the tagged locations for virus signatures.
Abstract
A Polymorphic Anti-Virus Module (PAM) (200) comprises a CPU emulator (210) for emulating the target program, a virus signature scanning module (250) for scanning decrypted virus code, and an emulation control module (220), including a static exclusion module (230), a dynamic exclusion module (240), instruction/interrupt usage profiles (224) for the mutation engines (162) of the known polymorphic viruses (150), size and target file types (226) for these viruses, and a table (228) having an entry for each known polymorphic virus (150). Prior to emulation, the static exclusion module (230) examines the gross characteristics of the target file for attributes that are inconsistent with the size/type data (226), and excludes polymorphic viruses (150) from the list (228) accordingly. During emulation, the dynamic exclusion module (240) compares fetched instructions with the instruction/interrupt usage profiles (224) to determine when emulation has proceeded to a point where at least some code from the decrypted static virus body (160) may be scanned for virus signatures.
18 Claims
1. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of:
fetching an instruction from the computer file; determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list; delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus; repeating the determining and delisting steps for each known polymorphic virus on the list; emulating the instruction; tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list; repeating the above said steps when at least one known polymorphic virus remains on the list; and scanning the tagged locations for virus signatures.
Dependent claims: 2, 3, 4, 5, 6, 15, 16, 17, 18.
7. A computer implemented method for detecting a polymorphic virus in a computer file, the method comprising the steps of:
initializing a list of known polymorphic viruses; generating an instruction/interrupt usage profile for each polymorphic virus in the list; fetching an instruction from the computer file; comparing the fetched instruction with instruction/interrupt usage profiles for each listed polymorphic virus to identify those polymorphic viruses that can generate the fetched instruction; delisting each listed polymorphic virus that cannot generate the fetched instruction; when at least one polymorphic virus remains listed, tagging a memory location associated with the fetched instruction; repeating the fetching, comparing, delisting, and tagging steps until all listed polymorphic viruses have been removed from the list or until a threshold number of instructions have been fetched; and scanning the tagged locations for virus signatures.
8. A computer implemented method for determining whether an instruction fetched from a computer file may be part of a decryption loop generated by a polymorphic virus infecting the computer file, the method comprising the steps of:
initializing a list of polymorphic viruses; for each listed polymorphic computer virus, generating a list of instructions and interrupts employed by the polymorphic virus in producing decryption loops; and fetching instructions from the computer file and, for each fetched instruction: comparing the fetched instruction with the list of instructions and interrupts used by each polymorphic virus on the list; removing from the list of polymorphic viruses each polymorphic virus that does not employ the fetched instruction; and repeating the comparing and removing steps until all polymorphic viruses have been removed from the list.
9. A computer readable storage medium on which is stored data for analyzing computer files for the presence of polymorphic viruses, the data being suitable for implementation by a computer to perform the steps of:
fetching an instruction from the computer file; determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list; delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus; repeating the determining and delisting steps for each known polymorphic virus on the list; emulating the instruction; tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list; repeating the above said steps when at least one known polymorphic virus remains on the list; and scanning the tagged locations for virus signatures.
10. A system for testing a computer file for polymorphic viruses, the system comprising:
an emulation module for emulating instructions from the computer file to be tested; a scanning module including viral signatures to identify each polymorphic virus to be tested for; and an emulation control module coupled to the scanning module and the emulation module, the emulation control module including: an instruction/interrupt usage profile for each polymorphic virus for identifying decryption loop instructions generated by the polymorphic virus; and a dynamic emulation module for comparing computer file instructions processed by the emulation module with the instruction/interrupt usage profiles to determine whether the instruction may be from a polymorphic virus decryption loop, and triggering the scanning module to scan the file for viral signatures when the comparison indicates a scan condition has occurred.
11. An emulation control module for directing emulation of a computer file to be tested for a polymorphic virus by an emulation module, the emulation control module comprising:
a table of known polymorphic viruses; instruction/interrupt usage profiles for the known polymorphic viruses; a dynamic exclusion module coupled to the instruction/interrupt usage profiles, the table, and the emulation module for comparing instructions fetched by the emulation module with the instruction/interrupt usage profiles of the known polymorphic viruses in the table, and excluding from the table polymorphic viruses having instruction/interrupt usage profiles that are inconsistent with the fetched instruction, the dynamic exclusion module being effective to determine whether the instruction may be from a decryption loop in the computer file; size/type data for known polymorphic viruses; and a static control module coupled to the size/type data, the table, and the emulation module for excluding from the table polymorphic viruses having size/type properties inconsistent with the size/type data in the table.
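The control flow that the abstract and claims 1, 7 and 11 describe (static exclusion by size/type data, then dynamic exclusion against instruction/interrupt usage profiles during emulation, tagging of memory written while a candidate survives, and a signature scan of the tagged locations once the list empties or an instruction threshold is reached) can be modelled end to end. The block below is an added illustration, not code from the patent or from any product that implements it. Everything in it is constructed for the example: the virus names Alpha, Beta and Gamma, their profiles, size/type data and signatures, and a toy five-register instruction set with a `JNZ` that tests `cx`. The decision to tag the addresses an instruction writes is one reading of "a memory location associated with the instruction"; the patent text does not pin down which location is tagged.

```python
"""Toy model of the emulation control module: static exclusion, dynamic
exclusion while emulating, tagging of written memory, signature scan of
tagged locations. All names, profiles, signatures and the ISA are constructed."""

# Hypothetical instruction/interrupt usage profiles: the mnemonics each
# virus's mutation engine can emit inside a decryption loop.
PROFILES = {
    "Alpha": {"MOV", "XOR_MEM", "INC", "DEC", "JNZ"},   # XOR-based decryptor
    "Beta":  {"MOV", "ADD_MEM", "INC", "DEC", "JNZ"},   # ADD-based decryptor
    "Gamma": {"MOV", "XOR_MEM", "INC", "DEC", "JNZ"},   # only infects large EXEs
}
# Hypothetical size/type data: infectable file types and the minimum size an
# infected file must have (it has to carry the virus body).
SIZE_TYPE = {
    "Alpha": {"types": {"COM", "EXE"}, "min_size": 64},
    "Beta":  {"types": {"COM"},        "min_size": 64},
    "Gamma": {"types": {"EXE"},        "min_size": 4096},
}
SIGNATURES = {"Alpha": b"VIRUS-BODY", "Beta": b"ADD-BODY", "Gamma": b"GAMMA"}  # constructed

def static_exclusion(file_type, file_size):
    """Before emulation: keep only viruses whose size/type data fits the file."""
    return {v for v, c in SIZE_TYPE.items()
            if file_type in c["types"] and file_size >= c["min_size"]}

def step(instr, ip, regs, memory):
    """Emulate one toy instruction; return (next_ip, tuple of addresses written)."""
    op = instr[0]
    if op == "MOV":
        regs[instr[1]] = instr[2]
    elif op in ("XOR_MEM", "ADD_MEM"):          # mem[reg1] op= reg2
        addr, val = regs[instr[1]], regs[instr[2]]
        memory[addr] = (memory[addr] ^ val) if op == "XOR_MEM" else (memory[addr] + val) & 0xFF
        return ip + 1, (addr,)
    elif op == "INC":
        regs[instr[1]] += 1
    elif op == "DEC":
        regs[instr[1]] -= 1
    elif op == "JNZ":
        if regs["cx"] != 0:
            return instr[1], ()
    elif op == "INT":
        pass                                    # interrupts modelled as no-ops
    else:
        raise ValueError(f"unknown instruction {op}")
    return ip + 1, ()

def analyze(code, memory, file_type, file_size, threshold=200):
    listed = static_exclusion(file_type, file_size)
    result = {"static_excluded": set(PROFILES) - listed, "delisted": {}}
    regs = {"si": 0, "cx": 0, "al": 0}
    ip, fetched, tagged = 0, 0, set()
    while listed and fetched < threshold and 0 <= ip < len(code):
        instr = code[ip]
        fetched += 1
        # Dynamic exclusion: an engine that never emits this instruction in a
        # decryption loop cannot have generated the code being emulated.
        for v in sorted(listed):
            if instr[0] not in PROFILES[v]:
                listed.discard(v)
                result["delisted"][v] = (fetched, instr[0])
        ip, written = step(instr, ip, regs, memory)
        if listed:                               # a candidate survives: tag what it wrote
            tagged.update(written)
    result["instructions"] = fetched
    result["stop_reason"] = ("list_empty" if not listed
                             else "threshold" if fetched >= threshold else "end_of_code")
    # Scan only the tagged (decrypted) locations, not the whole image.
    result["detected"] = {name for name, sig in SIGNATURES.items()
                          if any(bytes(memory[a:a + len(sig)]) == sig for a in tagged)}
    return result

# Constructed infected image: 64 bytes of memory with the body XOR-encrypted
# under KEY at BODY_START, preceded by a decryptor whose fall-through is the
# body's first instruction (an INT, which no loop profile contains).
KEY, BODY_START = 0x5A, 32
PLAINTEXT_BODY = b"HYPOTHETICAL-VIRUS-BODY"

def build_infected_image():
    memory = bytearray(64)
    memory[BODY_START:BODY_START + len(PLAINTEXT_BODY)] = bytes(b ^ KEY for b in PLAINTEXT_BODY)
    code = [
        ("MOV", "si", BODY_START),
        ("MOV", "cx", len(PLAINTEXT_BODY)),
        ("MOV", "al", KEY),
        ("XOR_MEM", "si", "al"),   # ip 3: loop top, decrypts one byte
        ("INC", "si"),
        ("DEC", "cx"),
        ("JNZ", 3),
        ("INT", 0x21),             # first body instruction: triggers the scan
    ]
    return code, memory

if __name__ == "__main__":
    code, memory = build_infected_image()
    print(analyze(code, memory, "COM", 512))
```

Running it on the constructed 512-byte COM image drops Gamma before emulation, drops Beta on the fourth fetch (the first `XOR_MEM`), emulates the whole 23-byte decryption loop while tagging each decrypted address, and drops Alpha on the `INT` that follows the loop; the list is then empty, so scanning happens at the point the abstract describes, when decrypted body bytes are in memory, and the Alpha signature is found at a tagged address. A second run on a two-instruction `MOV`/`JNZ` loop never empties the list and stops on the threshold instead, which is the claim 7 path.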
12. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of:
fetching instructions from the computer file; comparing the fetched instructions with instruction/interrupt usage profiles associated with listed polymorphic viruses; tagging memory locations associated with the fetched instructions that are consistent with the instruction/interrupt usage profiles associated with the listed polymorphic viruses; delisting polymorphic viruses having associated instruction/interrupt usage profiles that are inconsistent with the fetched instructions; and scanning the tagged locations for virus signatures when all polymorphic viruses have been delisted.
Dependent claims: 13, 14.