Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases
Abstract
A method for detecting computer viruses comprising three phases: a decryption phase, an exploration phase, and an evaluation phase. A purpose of the decryption phase is to emulate a sufficient number of instructions to allow an encrypted virus to decrypt its viral body. A purpose of the exploration phase is to emulate at least once all sections of code within a region deemed likely to contain any virus present in the target program. A purpose of the evaluation phase is to analyze any suspicious behavior observed during the decryption and exploration phases to determine whether the target appears to be infected.
31 Claims
1. A method for detecting a virus in a digital file, the method comprising the steps of:
determining at least one region of the digital file in which the virus is likely to be present;
emulating code within only the at least one region in order to fully explore the at least one region for the virus during an exploration phase;
pointing to an instruction to be emulated from a section of code;
determining whether during the exploration phase the instruction to be emulated has already been emulated; and
if the instruction to be emulated has already been emulated during the exploration phase, then not emulating the instruction to be emulated.

determining whether the instruction to be emulated is outside of the at least one region; and
if the instruction to be emulated is outside the at least one region, then not emulating the instruction to be emulated.
5. The method of claim 4, further comprising the steps of:
determining whether any untaken branch destination remains; and
if any untaken branch destination remains, then pointing to a next untaken branch destination as the instruction to be emulated and setting a state of a CPU emulator to a stored state which corresponds to the next untaken branch destination.

6. The method of claim 5, further comprising the steps of:
if no untaken branch destinations remain, then determining whether any unemulated section of code remains within the at least one region; and
if any unemulated section of code remains within the at least one region, then pointing to a beginning instruction of an unemulated section of code as the instruction to be emulated and resetting the state of the CPU emulator.

7. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
determining whether the instruction to be emulated performs a suspicious operation; and
recording the suspicious operation if the instruction to be emulated performs the suspicious operation.

8. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
determining whether the instruction to be emulated comprises an interrupt; and
if the instruction to be emulated comprises an interrupt, then faking completion of the interrupt but not actually performing the interrupt.

9. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
determining whether the instruction to be emulated comprises a memory write to a location within the at least one region; and
redirecting the memory write to a different segment S if the instruction to be emulated comprises a memory write to a location within the at least one region.

10. The method of claim 9, wherein emulating the instruction to be emulated further comprises the steps of:
determining whether the instruction to be emulated comprises initiating a memory read of data previously written by redirection to segment S; and
redirecting the memory read of data to the segment S if the instruction to be emulated comprises the memory read of data previously written by redirection to the segment S.

11. The method of claim 4, wherein emulating the instruction to be emulated comprises the steps of:
determining whether the instruction to be emulated comprises a branch point; and
storing an untaken destination address of the branch point and a CPU emulator state if the instruction to be emulated comprises a branch point.

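The exploration phase of claim 1 and claims 4 through 11, as an added worked example; this is an illustration written for this page, not the patent's own code. It assumes a made-up instruction set in which an instruction's index is also its memory address (so a store to an address inside the region is a self-modifying write), treats interrupt 0x21 as the suspicious interrupt, and starts after the decryption phase of claim 12 has already produced the region to explore. The untaken-branch worklist with saved emulator state (claims 5 and 11), the reset before entering a fresh section (claim 6), the redirection of in-region writes to a separate segment S and of later reads of that data (claims 9 and 10), faked interrupts (claim 8) and the recording of suspicious operations (claim 7) are all present, and the "already emulated" check of claim 1 together with the "outside the region" check of the unnumbered dependent claim above claim 5 gate every step.

```python
"""Toy model of the exploration phase in claims 4-11 (added example, not the patent's code).

Assumptions: a made-up instruction set where an instruction's index doubles as its
memory address, so a `store` to an address inside the region is a self-modifying
write; interrupt 0x21 is treated as the suspicious file-service call.
"""
import copy

SUSPICIOUS_INTERRUPTS = {0x21}   # assumption for the toy: DOS-style file services


def fresh_state():
    """Claim 6: the state the emulator is reset to before entering a new section."""
    return {"regs": {}, "mem": {}, "shadow": {}}   # "shadow" is segment S of claim 9


def explore(program, region, max_steps=10_000):
    """Emulate every instruction in `region` at most once and record what it does.

    Returns the set of emulated instruction indices, the recorded suspicious
    operations (claim 7) and the reads that were served from segment S (claim 10).
    """
    lo, hi = region
    visited = set()          # claim 1: instructions already emulated in this phase
    pending = []             # claim 11: (untaken destination, saved CPU state)
    suspicious, s_reads = [], []
    pc, state = lo, fresh_state()
    steps = 0
    while steps < max_steps:
        # Claim 1 and the out-of-region rule: never emulate twice or outside the region.
        if pc is None or not lo <= pc < hi or pc in visited:
            if pending:                          # claim 5: resume an untaken branch
                pc, state = pending.pop()
                continue
            unexplored = [i for i in range(lo, hi) if i not in visited]
            if not unexplored:                   # region fully explored
                break
            pc, state = unexplored[0], fresh_state()   # claim 6: new section, reset state
            continue
        visited.add(pc)
        steps += 1
        regs, mem, shadow = state["regs"], state["mem"], state["shadow"]
        op, *args = program[pc]
        nxt = pc + 1
        if op == "mov":
            regs[args[0]] = args[1]
        elif op == "jmp":
            nxt = args[0]
        elif op == "jz":                         # claim 11: branch point
            reg, target = args
            taken, untaken = (target, pc + 1) if regs.get(reg, 0) == 0 else (pc + 1, target)
            pending.append((untaken, copy.deepcopy(state)))
            nxt = taken
        elif op == "store":
            addr, reg = args
            if lo <= addr < hi:                  # claim 9: write into the region goes to segment S
                shadow[addr] = regs.get(reg, 0)
                suspicious.append((pc, "write_into_region", addr))   # claim 7
            else:
                mem[addr] = regs.get(reg, 0)
        elif op == "load":
            reg, addr = args
            if addr in shadow:                   # claim 10: read redirected data back from S
                regs[reg] = shadow[addr]
                s_reads.append((pc, addr, shadow[addr]))
            else:
                regs[reg] = mem.get(addr, 0)
        elif op == "int":                        # claim 8: fake completion, never perform
            regs["cf"] = 0                       # pretend the service succeeded
            if args[0] in SUSPICIOUS_INTERRUPTS:
                suspicious.append((pc, "int", args[0]))   # claim 7
        elif op == "halt":
            nxt = None
        else:
            raise ValueError(f"unknown op {op!r} at {pc}")
        pc = nxt
    return {"visited": visited, "suspicious": suspicious, "reads_from_S": s_reads}


# Constructed sample: the region is instructions 0..11; index 12 lies outside it.
PROGRAM = [
    ("mov", "ax", 0),      # 0
    ("jz", "ax", 5),       # 1  ax == 0, so 5 is taken; destination 2 is saved with state
    ("mov", "bx", 1),      # 2  reached later by resuming the saved branch
    ("store", 7, "bx"),    # 3  write into the region: redirected to segment S
    ("jmp", 8),            # 4
    ("mov", "cx", 2),      # 5
    ("int", 0x21),         # 6  faked and recorded
    ("halt",),             # 7
    ("load", "dx", 7),     # 8  reads the value written at 3 back from segment S
    ("jmp", 12),           # 9  leaves the region, so 12 is never emulated
    ("mov", "ax", 9),      # 10 unreachable section: entered via claim 6 with a reset state
    ("halt",),             # 11
    ("int", 0x13),         # 12 outside the region
]
REGION = (0, 12)

if __name__ == "__main__":
    print(explore(PROGRAM, REGION))
```

Running it shows all twelve in-region instructions emulated exactly once, instruction 12 never touched, the interrupt and the self-modifying write recorded, and the read at instruction 8 served from segment S rather than from the untouched code bytes; a real emulator would also bound the number of saved branch states, which the toy leaves to `max_steps`.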
12. A method for detecting a computer virus in a target program, the method comprising:
a first emulation of instructions of the target program to allow the computer virus to decrypt a viral body;
a determination of at least one region of the target program in which the decrypted viral body is likely to be present;
a second emulation of instructions of the at least one region of the target program in which the decrypted viral body is likely to be present; and
an evaluation of suspicious operations observed during the first and the second emulations, to detect the computer virus.

17. In a computer system, a method for detecting computer viruses in a target program comprising the steps of:
emulation of instructions of the target program;
evaluation of operations observed during the emulation, to detect computer viruses; and
stopping the evaluation if an innocent operation is observed and no highly suspicious operation is observed.

31. A method for detecting a virus in a target program including the step of detecting a presence of an operation comprising a seek to an end-of-file followed by a file write of a jump instruction, wherein the seek determines a size in bytes and the jump instruction covers a similar number of bytes.
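The evaluation phase of claims 17 and 31 over a trace of recorded operations, as an added worked example; it is written for this page and is not the patent's own code. It assumes that recorded operations arrive as dicts with an "op" key, that which operations count as innocent or merely suspicious is a made-up classification (the page does not list them), that written jumps are 16-bit x86 (E9 rel16 near jump, EB rel8 short jump, as a .COM infector would write), and a tolerance of 16 bytes for "a similar number of bytes".

```python
"""Toy evaluation phase for claims 17 and 31 (added example, not the patent's code).

Assumptions: recorded operations are dicts with an "op" key; which operations count
as innocent or merely suspicious is a made-up classification; written jumps are
16-bit x86 (E9 rel16 near jump, EB rel8 short jump), as in a .COM infector.
"""

INNOCENT = {"print_string", "get_date"}               # assumption: a virus has no reason to do these
SUSPICIOUS = {"open_executable", "seek", "write"}     # assumption: ordinary file activity, only counted


def jump_span(data):
    """Bytes a 16-bit x86 jump placed at the host's entry would skip, or None if not a jump.

    The span is the displacement plus the jump's own length: a near jump E9 with
    rel16 = N - 3 lands exactly N bytes past its own first byte.
    """
    if len(data) >= 3 and data[0] == 0xE9:
        return int.from_bytes(data[1:3], "little", signed=True) + 3
    if len(data) >= 2 and data[0] == 0xEB:
        return int.from_bytes(data[1:2], "little", signed=True) + 2
    return None


def evaluate(trace, tolerance=16):
    """Walk the recorded operations and decide whether the target looks infected.

    Claim 17: stop as soon as an innocent operation is seen, unless something
    highly suspicious was already observed. Claim 31: a seek to end-of-file that
    yields size N, followed by a write of a jump covering about N bytes, is the
    signature of an appending infector patching the host's entry point.
    """
    eof_size = None       # size learned from the last seek to end-of-file
    highly, count = [], 0
    for i, ev in enumerate(trace):
        op = ev["op"]
        if op in INNOCENT and not highly:             # claim 17: nothing alarming so far, stop
            return {"verdict": "clean", "stopped_at": i,
                    "highly_suspicious": highly, "suspicious_count": count}
        if op in SUSPICIOUS:
            count += 1
        if op == "seek" and ev.get("whence") == "end":
            eof_size = ev["size"]                     # the seek tells the virus the host's size
        elif op == "write" and eof_size is not None:  # claim 31
            span = jump_span(ev["data"])
            if span is not None and abs(span - eof_size) <= tolerance:
                highly.append((i, "jump_over_host", eof_size, span))
    return {"verdict": "infected" if highly else "clean", "stopped_at": None,
            "highly_suspicious": highly, "suspicious_count": count}


# Constructed traces: an appending .COM infector on a 2000-byte host, and a clean program.
INFECTION_TRACE = [
    {"op": "open_executable", "path": "HOST.COM"},
    {"op": "seek", "whence": "end", "size": 2000},        # learn the host size N
    {"op": "write", "data": b"\x90" * 500},                # append the viral body at old EOF
    {"op": "seek", "whence": "set", "offset": 0},
    {"op": "write", "data": b"\xe9" + (2000 - 3).to_bytes(2, "little")},  # JMP to old EOF
    {"op": "print_string", "text": "done"},                # innocent, but too late to stop
]
CLEAN_TRACE = [
    {"op": "print_string", "text": "Hello"},
    {"op": "open_executable", "path": "DATA.COM"},
    {"op": "seek", "whence": "end", "size": 2000},
]

if __name__ == "__main__":
    print(evaluate(INFECTION_TRACE))
    print(evaluate(CLEAN_TRACE))
```

The clean trace stops at its very first operation without ever looking at the later file activity, which is the point of claim 17: an ordinary program that prints something before doing any file work is dismissed cheaply, while the infector's seek-to-end plus entry-point jump is caught even though it also prints at the end.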