Polymorphic virus detection module

US 5,696,822 A
Filed: 09/28/1995
Issued: 12/09/1997
Est. Priority Date: 09/28/1995
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of;

fetching an instruction from the computer file;

determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list;

delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus;

repeating the determining and delisting steps for each known polymorphic virus on the list;

emulating the instruction;

tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list;

repeating the above said steps when at least one known polymorphic virus remains on the list; and

scanning the tagged locations for virus signatures.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Polymorphic Anti-Virus Module (PAM) (200) comprises a CPU emulator (210) for emulating the target program, a virus signature scanning module (250) for scanning decrypted virus code, and an emulation control module (220), including a static exclusion module (230), a dynamic exclusion module (240), instruction/interrupt usage profiles (224) for the mutation engines (162) of the known polymorphic viruses (150), size and target file types (226) for these viruses, and a table (228) having an entry for each known polymorphic virus (150). Prior to emulation, the static exclusion module (230) examines the gross characteristics of the target file for attributes that are inconsistent with the size/type data (226), and excludes polymorphic viruses (150) from the list (228) accordingly. During emulation, the dynamic exclusion module (240) compares fetched instructions with the instruction/interrupt usage profiles (224) to determine when emulation has proceeded to a point where at least some code from the decrypted static virus body (160) may be scanned for virus signatures.

Citations

18 Claims

1. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of;
- fetching an instruction from the computer file;
  
  determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list;
  
  delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus;
  
  repeating the determining and delisting steps for each known polymorphic virus on the list;
  
  emulating the instruction;
  
  tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list;
  
  repeating the above said steps when at least one known polymorphic virus remains on the list; and
  
  scanning the tagged locations for virus signatures.
- View Dependent Claims (2, 3, 4, 5, 6, 15, 16, 17, 18)
- - 2. The computer implemented method of claim 1, wherein the determining step comprises the substeps of:
    - comparing the instruction with an instruction/interrupt usage profile for the known polymorphic virus; and
      
      identifying the instruction as used if it appears in the instruction/interrupt usage profile.
  - 3. The computer implemented method of claim 1, wherein the step of repeating the above said steps is terminated if a threshold number of instructions have been fetched.
  - 4. The computer implemented method of claim 1, wherein the tagging step comprises the substeps of:
    - tagging a page in memory from which the emulated instruction is fetched; and
      
      tagging a page in memory including data modified by the emulated instruction.
  - 5. The computer implemented method of claim 1, comprising the additional steps of:
    - prior to the fetching step, determining size and type features of the computer file; and
      
      excluding from the known polymorphic viruses on the list, those known polymorphic viruses having characteristics inconsistent with the size and type features of the computer file.
  - 6. The computer implemented method of claim 5, wherein the step of determining size and type features of the computer file comprises at least one following substep:
    - determining the size of a load image of the computer file;
      
      determining the distance between an entry point of the computer file and an end of the load image of the computer file; and
      
      determining the type of the computer file.
  - 15. The computer implemented method of claim 1, wherein the emulating step is performed using an emulation module.
  - 16. The computer implemented method of claim 1, wherein the determining step is performed using a dynamic exclusion module.
  - 17. The computer implemented method of claim 1, wherein the scanning step is performed using a scanning engine.
  - 18. The computer implemented method of claim. 1, comprising the additional steps of:
    - prior to the fetching step, determining size and type features of the computer file; and
      
      excluding from the known polymorphic viruses on the list, those known polymorphic viruses having characteristics inconsistent with the size and type features of the computer file, where the excluding step is done using a static exclusion module.

7. A computer implemented method for detecting a polymorphic virus in a computer file, the method comprising the steps of:
- initializing a list of known polymorphic viruses;
  
  generating an instruction/interrupt usage profile for each polymorphic virus in the list;
  
  fetching an instruction from the computer file;
  
  comparing the fetched instruction with instruction/interrupt usage profiles for each listed polymorphic virus to identify those polymorphic viruses that can generate the fetched instruction;
  
  delisting each listed polymorphic virus that cannot generate the fetched instruction;
  
  when at least one polymorphic virus remains listed, tagging a memory location associated with the fetched instruction;
  
  repeating the fetching, comparing, delisting, and tagging steps until all listed polymorphic viruses have been removed from the list or until a threshold number of instructions have been fetched; and
  
  scanning the tagged locations for virus signatures.

8. A computer implemented method for determining whether an instruction fetched from a computer file may be part of a decryption loop generated by a polymorphic virus infecting the computer file, the method comprising the steps of:
- initializing a list of polymorphic viruses;
  
  for each listed polymorphic computer virus, generating a list of instructions and interrupts employed by the polymorphic virus in producing decryption loops; and
  
  fetching instructions from the computer file and for each fetched instruction;
  
  comparing the fetched instruction with the list of instructions and interrupts used by each polymorphic virus on the list;
  
  removing from the list of polymorphic viruses each polymorphic virus that does not employ the fetched instruction; and
  
  repeating the comparing and removing steps until all polymorphic viruses have been removed from the list.

9. A computer readable storage medium on which is stored data for analyzing computer files for the presence of polymorphic viruses, the data being suitable for implementation by a computer to perform the steps of:
- fetching an instruction from the computer file;
  
  determining whether the instruction is used in any decryption loop generated by a known polymorphic virus on a list;
  
  delisting the known polymorphic virus if the instruction is not used in any decryption loop generated by the known polymorphic virus;
  
  repeating the determining and delisting steps for each known polymorphic virus on the list;
  
  emulating the instruction;
  
  tagging a memory location associated with the instruction when at least one known polymorphic virus remains on the list;
  
  repeating the above said steps when at least one known polymorphic virus remains on the list; and
  
  scanning the tagged locations for virus signatures.

10. A system for testing a computer file for polymorphic viruses, the system comprising:
- an emulation module for emulating instructions from the computer file to be tested;
  
  a scanning module including viral signatures to identify each polymorphic virus to be tested for; and
  
  an emulation control module coupled to the scanning module and the emulation module, the emulation control module including;
  
  an instruction/interrupt usage profile for each polymorphic virus for identifying decryption loop instructions generated by the polymorphic virus; and
  
  a dynamic emulation module for comparing computer file instructions processed by the emulation module with the instruction/interrupt usage profiles to determine whether the instruction may be from a polymorphic virus decryption loop, and triggering the scanning module to scan the file for viral signatures when the comparison indicates a scan condition has occurred.

11. An emulation control module for directing emulation of a computer filed to be tested for a polymorphic virus by an an emulation module, the emulation control module comprising:
- a table of known polymorphic viruses;
  
  instruction/interrupt usage profiles for the known polymorphic viruses;
  
  a dynamic exclusion module coupled to the instruction/interrupt usage profiles, the table, and the emulation module for comparing instructions fetched by the emulation module with the instruction/interrupt usage profiles of the known polymorphic viruses in the table, and excluding from the table polymorphic viruses having instruction/interrupt usage profiles that are inconsistent with the fetched instruction, the dynamic exclusion module being effective to determine whether the instruction may be from a decryption loop in the computer file;
  
  size/type data for known polymorphic viruses; and
  
  a static control module coupled to the size/type data, the table, and the emulation module for excluding from the table polymorphic viruses having size/data properties inconsistent with the size/type data in the table.

12. A computer implemented method for detecting polymorphic viruses in a computer file, the method comprising the steps of:
- fetching instructions from the computer file;
  
  comparing the fetched instructions with instruction/interrupt usage profiles associated with listed polymorphic viruses;
  
  tagging memory locations associated with the fetched instructions that are consistent with the instruction/interrupt usage profiles associated with the listed polymorphic viruses;
  
  delisting polymorphic viruses having associated instruction/interrupt usage profiles that are inconsistent with the fetched instructions; and
  
  scanning the tagged locations for virus signatures when all polymorphic viruses have been delisted.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, including the additional step of scanning the tagged memory locations for virus signatures at preselected intervals of fetched instructions.
  - 14. The method of claim 12, comprising the additional step of scanning the tagged locations for virus signatures when a preselected total number of the fetched instructions reaches a preselected number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey
Primary Examiner(s)
Buczinski, Stephen C.

Application Number

US08/535,340
Time in Patent Office

803 Days
Field of Search

380/49, 380/4, 380/25, 395/183.01, 395/183.09, 395/183.14, 364/709.05
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Polymorphic virus detection module

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Polymorphic virus detection module

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links