Automated sample creation of polymorphic and non-polymorphic marcro viruses

US 6,108,799 A
Filed: 03/12/1998
Issued: 08/22/2000
Est. Priority Date: 11/21/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for automatically generating at least one instance of a computer macro virus associated with an application, comprising steps of:

providing a suspect macro virus sample; and

replicating the suspect macro virus sample onto a least one goat file, using at least one of simulated user input or interprocess communication commands for exercising the goat file through the application, to generate an infected goat file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system and method for automatically generating at least one instance of a computer macro virus that is native to or associated with an application. The method includes steps of (a) providing a suspect virus sample; and (b) replicating the suspect virus sample onto a least one goat file, using at least one of simulated user input or interprocess communication commands for exercising the goat file through the application, to generate an infected goat file. A further step can be executed of (c) replicating the infected goat file onto a least one further goat file, using at least one of simulated user input, such as keystrokes, mouse clicks and the like, or interprocess communication commands, to generate an additional instance of an infected goat file. The step of providing includes a step of determining attributes of the suspect virus sample, and the steps of exercising employ simulated user input or interprocess communication commands that are selected based at least in part on the determined attributes. As a parallel process the steps of exercising include steps of detecting an occurrence of a window, such as a pop-up window that is opened by one of the application or the macro virus; and using at least one of simulated user input or interprocess communication command(s) for closing the opened window. In this manner the replication process is not halted by a window that requires input from a user.

385 Citations

20 Claims

1. A method for automatically generating at least one instance of a computer macro virus associated with an application, comprising steps of:
- providing a suspect macro virus sample; and
  
  replicating the suspect macro virus sample onto a least one goat file, using at least one of simulated user input or interprocess communication commands for exercising the goat file through the application, to generate an infected goat file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as in claim 1, and further comprising a step of:
    - replicating the infected goat file onto a least one further goat file, using at least one of simulated user input or interprocess communication commands, to generate an additional infected goat file.
  - 3. A method as in claim 2, wherein the step of providing includes a step of determining attributes of the suspect macro virus sample, and wherein the steps of exercising use simulated user input or interprocess communication commands selected based at least in part on the determined attributes.
  - 4. A method as in claim 2, wherein the steps of exercising include steps of:
    - detecting an occurrence of a window that is opened by one of the application or the macro virus; and
      
      using at least one of simulated user input or interprocess communication commands for closing the opened window.
  - 5. A method as in claim 2, wherein the steps of replicating each comprise a step of interpreting a plurality of scripts to generate a plurality of application commands.
  - 6. A method as in claim 5, wherein the application commands are comprised of application open, application close, and document manipulation commands.
  - 7. A method as in claim 2, wherein the steps of replicating include a step of comparing an exercised goat file to a secure copy of the goat file to detect the creation of new macros or the modification of existing macros in the exercised goat file, and declaring a changed goat file to be an infected goat file.

8. A system for automatically generating at least one instance of a computer macro virus associated with an application, comprising a memory for storing the application, a suspect sample containing at least one macro, a replication engine comprising a plurality of scripts representing an application command file and a command interpreter, a plurality of goat files, and databases including a database for storing at least information expressive of predetermined user input required for implementing certain of said commands;
- said replication engine operating to interpret said command file for generating a plurality of application commands, and for sending at least one of corresponding predetermined simulated user input or interprocess communication commands for exercising a goat file through the application, said system further comprising means for comparing an exercised goat file to a secure copy thereof to detect the creation of new macros or the modification of existing macros in the exercised goat file, and for declaring a modified goat file to be an infected goat file containing a replicated macro virus.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A system as in claim 8, wherein said replication engine is further operable for replicating an infected goat file onto a least one further goat file, using at least one of corresponding predetermined simulated user input or interprocess communication commands, to provide a further generation of the macro virus.
  - 10. A system as in claim 9, wherein the macro virus is a polymorphic macro virus, and wherein the further generation of the macro virus differs from the replicated macro virus.
  - 11. A system as in claim 8, and further comprising means for determining attributes of the suspect virus sample, and wherein said interpreter selects user input or interprocess communication commands based at least in part on the determined attributes.
  - 12. A system as in claim 8, and further comprising means, operating in parallel with said interpreter, for detecting an occurrence of a window that is opened by one of the application or the macro virus, for determining in accordance with a windows database whether the opened window is a standard window, and for using at least one of simulated user input or interprocess communication commands for closing the opened window.
  - 13. A system as in claim 8, wherein the application commands are comprised of application open, application close, and document manipulation commands.

14. A computer program stored within a memory device for execution by a computer that comprises an operating system and an application of interest, said computer program directing said computer to automatically generate at least one instance of a computer macro virus that is associated with the application of interest, and comprising a program portion that is responsive to a suspect macro virus sample for replicating the suspect macro virus sample onto a least one goat file, said program portion employing at least one of simulated user input or interprocess communication commands for automatically exercising the goat file with the application of interest to attempt to generate an infected goat file.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. A computer program as in claim 14, and further comprising a program portion for automatically detecting an occurrence of an opening of a window, and for automatically closing the opened window.
  - 16. A computer program as in claim 15, wherein the program portion automatically closes the opened window by performing a soft close.
  - 17. A computer program as in claim 15, wherein the program portion automatically closes the opened window by performing a hard close.
  - 18. A computer program as in claim 14, and further comprising a program portion for automatically identifying a presence of an infected goat file, and a program portion for using the identified infected goat file to attempt to generate another instance of an infected goat file.
  - 19. A computer program as in claim 14, wherein the suspect macro virus sample is comprised of one of a document template, a global template, or a document.
  - 20. A computer program as in claim 14, and further comprising a program portion for automatically closing any instances of the application of interest that may be running, and for automatically opening at least one instance of the application of interest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Boulay, Jean-Michel Yann, Petrillo, August T., Swimmer, Morton Gregory
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Weir, James G.

Application Number

US09/041,493
Time in Patent Office

894 Days
Field of Search

713/200, 713/201, 380/3, 380/4, 714/28, 714/26, 714/33, 714/41, 703/22
US Class Current

714/38.13
CPC Class Codes

G06F 21/564 by virus signature recognition

Automated sample creation of polymorphic and non-polymorphic marcro viruses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

385 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated sample creation of polymorphic and non-polymorphic marcro viruses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

385 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links