Automated sample creation of polymorphic and non-polymorphic macro viruses
First Claim
1. A method for automatically generating at least one instance of a computer macro virus associated with an application, comprising steps of:
- providing a suspect macro virus sample; and
- replicating the suspect macro virus sample onto at least one goat file, using at least one of simulated user input or interprocess communication commands for exercising the goat file through the application, to generate an infected goat file.
Abstract
Disclosed is a system and method for automatically generating at least one instance of a computer macro virus that is native to or associated with an application. The method includes steps of (a) providing a suspect virus sample; and (b) replicating the suspect virus sample onto at least one goat file, using at least one of simulated user input or interprocess communication commands for exercising the goat file through the application, to generate an infected goat file. A further step can be executed of (c) replicating the infected goat file onto at least one further goat file, using at least one of simulated user input, such as keystrokes, mouse clicks and the like, or interprocess communication commands, to generate an additional instance of an infected goat file. The step of providing includes a step of determining attributes of the suspect virus sample, and the steps of exercising employ simulated user input or interprocess communication commands that are selected based at least in part on the determined attributes. As a parallel process, the steps of exercising include steps of detecting an occurrence of a window, such as a pop-up window that is opened by one of the application or the macro virus; and using at least one of simulated user input or interprocess communication command(s) for closing the opened window. In this manner the replication process is not halted by a window that requires input from a user.
20 Claims
8. A system for automatically generating at least one instance of a computer macro virus associated with an application, comprising a memory for storing the application, a suspect sample containing at least one macro, a replication engine comprising a plurality of scripts representing an application command file and a command interpreter, a plurality of goat files, and databases including a database for storing at least information expressive of predetermined user input required for implementing certain of said commands;
- said replication engine operating to interpret said command file for generating a plurality of application commands, and for sending at least one of corresponding predetermined simulated user input or interprocess communication commands for exercising a goat file through the application, said system further comprising means for comparing an exercised goat file to a secure copy thereof to detect the creation of new macros or the modification of existing macros in the exercised goat file, and for declaring a modified goat file to be an infected goat file containing a replicated macro virus.
14. A computer program stored within a memory device for execution by a computer that comprises an operating system and an application of interest, said computer program directing said computer to automatically generate at least one instance of a computer macro virus that is associated with the application of interest, and comprising a program portion that is responsive to a suspect macro virus sample for replicating the suspect macro virus sample onto at least one goat file, said program portion employing at least one of simulated user input or interprocess communication commands for automatically exercising the goat file with the application of interest to attempt to generate an infected goat file.
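The comparison step recited in claim 8 (an exercised goat file checked against its secure copy for new or modified macros) can be sketched as follows. This is an added example, not code from the patent: it assumes macros have already been extracted into name-to-source mappings, treats macro names as case-insensitive, and uses constructed, inert sample data; the function names and the reporting of removed macros are illustrative assumptions.

```python
import hashlib

def macro_digests(macros):
    """Map case-folded macro name -> SHA-256 of the macro source bytes."""
    return {name.casefold(): hashlib.sha256(body).hexdigest()
            for name, body in macros.items()}

def compare_goat(secure_copy, exercised):
    """Diff an exercised goat file's macros against its secure copy."""
    before, after = macro_digests(secure_copy), macro_digests(exercised)
    new = sorted(set(after) - set(before))
    modified = sorted(n for n in set(after) & set(before)
                      if after[n] != before[n])
    # Removed macros are reported but, as in claim 8, only new or
    # modified macros mark the goat file as infected.
    removed = sorted(set(before) - set(after))
    return {"new": new, "modified": modified, "removed": removed,
            "infected": bool(new or modified)}

def infected_goats(secure_copies, exercised_goats):
    """Return the names of goat files declared infected after exercising."""
    return sorted(name for name, macros in exercised_goats.items()
                  if compare_goat(secure_copies[name], macros)["infected"])

# Constructed sample data: inert placeholder macro bodies, hypothetical names.
BASE = {"GoatHelper": b"Sub GoatHelper()\nEnd Sub\n"}
SECURE = {"goat1.doc": BASE, "goat2.doc": BASE, "goat3.doc": {}}
EXERCISED = {
    # Unchanged macro; only the name's letter case differs.
    "goat1.doc": {"goathelper": b"Sub GoatHelper()\nEnd Sub\n"},
    # Existing macro whose body changed.
    "goat2.doc": {"GoatHelper": b"Sub GoatHelper()\n' constructed altered body\nEnd Sub\n"},
    # Goat file that gained a macro it did not have before.
    "goat3.doc": {"NewMacro": b"' constructed placeholder for a new macro\n"},
}

if __name__ == "__main__":
    for name in sorted(EXERCISED):
        print(name, compare_goat(SECURE[name], EXERCISED[name]))
    print("infected:", infected_goats(SECURE, EXERCISED))
```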