Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases

US 6,357,008 B1
Filed: 09/23/1997
Issued: 03/12/2002
Est. Priority Date: 09/23/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for detecting a virus in a digital file, the method comprising the steps of:

determining at least one region of the digital file in which the virus is likely to be present;

emulating code within only the at least one region in order to fully explore the at least one region for the virus during an exploration phase;

pointing to an instruction to be emulated from a section of code;

determining whether during the exploration phase the instruction to be emulated has already been emulated; and

if the instruction to be emulated has already been emulated during the exploration phase, then not emulating the instruction to be emulated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting computer viruses comprising three phases: a decryption phase, an exploration phase, and an evaluation phase. A purpose of the decryption phase is to emulate a sufficient number of instructions to allow an encrypted virus to decrypt its viral body. A purpose of the exploration phase is to emulate at least once all sections of code within a region deemed likely to contain any virus present in the target program. A purpose of the evaluation phase is to analyze any suspicious behavior observed during the decryption and exploration phases to determine whether the target appears to be infected.

Citations

31 Claims

1. A method for detecting a virus in a digital file, the method comprising the steps of:
- determining at least one region of the digital file in which the virus is likely to be present;
  
  emulating code within only the at least one region in order to fully explore the at least one region for the virus during an exploration phase;
  
  pointing to an instruction to be emulated from a section of code;
  
  determining whether during the exploration phase the instruction to be emulated has already been emulated; and
  
  if the instruction to be emulated has already been emulated during the exploration phase, then not emulating the instruction to be emulated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the at least one region includes an end portion of the digital file.
  - 3. The method of claim 1, wherein the at least one region includes a beginning portion of the digital file.
  - 4. The method of claim 1, wherein the step of emulating code within the at least one region in order to fully explore the at least one region during an exploration phase further comprises the steps of:
5. The method of claim 4, further comprising the steps of:
- determining whether any untaken branch destination remains; and
  
  if any untaken branch destination remains, then pointing to a next untaken branch destination as the instruction to be emulated and setting a state of a CPU emulator to a stored state which corresponds to the next untaken branch destination.
6. The method of claim 5, further comprising the steps of:
- if no untaken branch destinations remain, then determining whether any unemulated section of code remains within the at least one region; and
  
  if any unemulated section of code remains within the at least one region, then pointing to a beginning instruction of an unemulated section of code as the instruction to be emulated and resetting the state of the CPU emulator.
7. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
- determining whether the instruction to be emulated performs a suspicious operation; and
  
  recording the suspicious operation if the instruction to be emulated performs the suspicious operation.
8. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
- determining whether the instruction to be emulated comprises an interrupt; and
  
  if the instruction to be emulated comprises an interrupt, then faking completion of the interrupt but not actually performing the interrupt.
9. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
- determining whether the instruction to be emulated comprises a memory write to a location within the at least one region;
  
  redirecting the memory write to a different segment S if the instruction to be emulated comprises a memory write to a location within the at least one region.
10. The method of claim 9, wherein emulating the instruction to be emulated further comprises the steps of:
- determining whether the instruction to be emulated comprises initiating a memory read of data previously written by redirection to segment S; and
  
  redirecting the memory read of data to the segment S if the instruction to be emulated comprises the memory read of data previously written by redirection to the segment S.
11. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
- determining whether the instruction to be emulated comprises a branch point;
  
  storing an untaken destination address of the branch point and a CPU emulator state if the instruction to be emulated comprises a branch point.

12. A method for detecting a computer virus in a target program, the method comprising:
- a first emulation of instructions of the target program to allow the computer virus to decrypt a viral body;
  
  a determination of at least one region of the target program in which the decrypted viral body is likely to be present;
  
  a second emulation of instructions of the at least one region of the target program in which the decrypted viral body is likely to be present; and
  
  an evaluation of suspicious operations observed during the first and the second emulations, to detect the computer virus.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the first emulation begins at an entry-point instruction of the target program.
  - 14. The method of claim 12, wherein the second emulation begins at an instruction immediately following a last instruction emulated during the first emulation.
  - 15. The method of claim 12, wherein during the first emulation the computer virus does not decrypt the viral body because the viral body is not encrypted;
    - and wherein the second emulation begins at an entry-point instruction of the target program.
  - 16. The method of claim 12, wherein whether the viral body has decrypted is determined by identifying a contiguous section of bytes in memory which were overwritten during the first emulation.

17. In a computer system, a method for detecting computer viruses in a target program comprising the steps of:
- emulation of instructions of the target program;
  
  evaluation of operations observed during the emulation, to detect computer viruses; and
  
  stopping the evaluation if an innocent operation is observed and no highly suspicious operation is observed.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The method of claim 17, wherein the innocent operation comprises printing or displaying a character.
  - 19. The method of claim 17, wherein the innocent operation comprises a program termination instruction within a particular region of the program.
  - 20. The method of claim 17, wherein the innocent operation comprises a re-vectoring of an error vector.
  - 21. The method of claim 17, wherein the innocent operation comprises calling from within a particular region of the program a function far away from a present location.
  - 22. The method of claim 17, wherein the highly suspicious operation comprises comparing contents of a register or memory location with an identifier of a file header.
  - 23. The method of claim 17, wherein the highly suspicious operation comprises a file write of a similar size in bytes as a number of bytes from an entry-point of the target program to an end-of-file of the target program.
  - 24. The method of claim 17, wherein the highly suspicious operation comprises a seek to an end-of-file followed by a file write of a jump instruction.
  - 25. The method of claim 24, wherein the seek determines a size in bytes and the jump instruction covers a similar number of bytes.
  - 26. The method of claim 17, wherein the highly suspicious operation comprises a file write of a similar size as a size of a header, and the file write includes a tag that is characteristic of the header.
  - 27. The method of claim 17, wherein the highly suspicious operation comprises having a header of an executable file within a body of the target program.
  - 28. The method of claim 17, wherein the highly suspicious operation comprises finding an executable file in a directory.
  - 29. The method of claim 17, wherein the highly suspicious operation comprises examination or modification of a memory allocation scheme.
  - 30. The method of claim 17, wherein the highly suspicious operation comprises one or more move string operations that move approximately a same number of bytes as a number of bytes from an entry-point of the target program to an end-of-file of the target program.

31. A method for detecting a virus in a target program including the step of detecting a presence of an operation comprising a seek to an end-of-file followed by a file write of a jump instruction, wherein the seek determines a size in bytes and the jump instruction covers a similar number of bytes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
LE, DIEU MINH T

Application Number

US08/935,577
Time in Patent Office

1,631 Days
Field of Search

713/200, 714/28, 714/33, 714/38, 364/269.4, 380/3, 380/4
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links