Method and apparatus for detecting a macro computer virus using static analysis
Abstract
One embodiment of the present invention provides a system that detects a macro virus in a computer system by statically analyzing macro operations within a document. The system operates by receiving the document containing the macro operations. The system locates the macro operations within the document, and performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations. Next, the system compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations. If so, the system informs a user that the document contains suspect macro operations. In one embodiment of the present invention, after informing the user, the system receives instructions from the user specifying an action to take with regard to the document. In a variation on this embodiment, the action can include deleting the document or cleaning the document to remove suspect macro operations. Note that it is possible to perform static analysis on macro viruses, because unlike other viruses that are propagated in executable code form, macro viruses are propagated in source code form, which is more amenable to static analysis than executable code.
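The analysis the abstract and claims 1 and 23 to 26 describe, as an added Python example that is not part of the patent or of any product: a forward data flow pass resolves the string values that macro variables carry (so that a file name built by concatenation is known at the point it is used), each resolved value is traced back to the assignments it came from, a control flow pass counts how many times a call inside literal-bounded loops executes, and every call is compared against a profile of suspect operations with value patterns. The VBA-like macro, the profile, the four-statement subset the regular expressions recognise and the function names are all constructed for this illustration; the profile's rule that deleting files under C:\Temp is non-suspect is a hypothetical policy, not one the patent states.

```python
import re
from dataclasses import dataclass

# Constructed sample macro in a VBA-like subset (not from the patent or any real sample).
SAMPLE_MACRO = r"""Sub AutoOpen()
    Dim base As String
    Dim target As String
    Dim scratch As String
    base = "C:\Windows\"
    target = base & "system.ini"
    scratch = "C:\Temp\scratch.txt"
    For i = 1 To 3
        Kill scratch
    Next i
    Kill target
    Shell "cmd.exe /c dir"
    SaveAs "C:\Templates\Normal.dot"
    Kill Environ("TEMP") & "\x.tmp"
    MsgBox "Hello"
End Sub"""

# Hypothetical profile: (operation, regex the resolved argument must fully match to be suspect).
# Deleting files under C:\Temp is treated as non-suspect; any other Kill target is suspect.
PROFILE = [
    ("Kill", r"(?i)(?!c:\\temp\\).*"),
    ("Shell", r".*"),
    ("SaveAs", r"(?i).*\\normal\.dot"),
]

@dataclass
class Finding:
    line_no: int
    operation: str
    argument: str        # resolved value, or "<unknown>" when data flow cannot determine it
    times_executed: int  # product of the enclosing loop bounds (control flow analysis)
    defined_at: tuple    # lines of the assignments the value was built from (backward data flow)

ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
CALL_RE = re.compile(r"^(Kill|Shell|SaveAs|MacroCopy)\s+(.+)$")
FOR_RE = re.compile(r"^For\s+\w+\s*=\s*(\d+)\s+To\s+(\d+)", re.I)
NEXT_RE = re.compile(r"^Next\b", re.I)

def resolve(expr, env):
    """Forward data flow for one expression: concatenate string literals and known
    variables joined by '&'. Returns (value, defining_lines); value is None when any
    operand is unknown (a function call, an undeclared name, an unknown variable).
    Splitting on '&' ignores '&' inside literals, a limitation of this toy parser."""
    value, lines = "", []
    for tok in (t.strip() for t in expr.split("&")):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            value += tok[1:-1]
        elif tok in env and env[tok][0] is not None:
            value += env[tok][0]
            lines += env[tok][1]
        else:
            return None, lines
    return value, lines

def analyze(macro_source, profile):
    """Walk the macro once, tracking variable values and loop nesting, and compare every
    recognised call against the profile. An argument static analysis cannot resolve is
    still reported for a profiled operation, marked '<unknown>', rather than silently passed."""
    env = {}         # variable -> (value or None, [defining line numbers])
    loop_stack = []  # iteration counts of the enclosing For loops
    findings = []
    for line_no, raw in enumerate(macro_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        if (m := FOR_RE.match(line)):
            lo, hi = int(m.group(1)), int(m.group(2))
            loop_stack.append(max(hi - lo + 1, 0))
        elif NEXT_RE.match(line):
            if loop_stack:
                loop_stack.pop()
        elif (m := ASSIGN_RE.match(line)):
            value, src = resolve(m.group(2), env)
            env[m.group(1)] = (value, src + [line_no])
        elif (m := CALL_RE.match(line)):
            op = m.group(1)
            value, src = resolve(m.group(2), env)
            count = 1
            for n in loop_stack:
                count *= n
            for prof_op, pattern in profile:
                if prof_op == op and (value is None or re.fullmatch(pattern, value)):
                    arg = "<unknown>" if value is None else value
                    findings.append(Finding(line_no, op, arg, count, tuple(src)))
                    break
    return findings

def verdict(findings):
    """Coarse safety level for the user report: 'suspect' if a profiled operation matched
    with a resolved value, 'unresolved' if only unknown-argument matches exist, else 'clean'."""
    if not findings:
        return "clean"
    if all(f.argument == "<unknown>" for f in findings):
        return "unresolved"
    return "suspect"

if __name__ == "__main__":
    found = analyze(SAMPLE_MACRO, PROFILE)
    for f in found:
        print(f"line {f.line_no}: {f.operation} {f.argument!r} x{f.times_executed}, built at lines {f.defined_at}")
    print("verdict:", verdict(found))
```

On the sample, the Kill of the scratch file inside the loop is resolved to a C:\Temp path and passes the profile, the Kill of the concatenated system.ini path is flagged together with the two assignment lines that built the value, and the Kill whose argument depends on Environ() at run time is reported as unknown: static analysis of source form can recover values built from literals, but a value that only exists at run time has to be surfaced as unresolved rather than assumed safe.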
26 Claims
1. A method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
receiving the document containing the macro operations;
locating the macro operations within the document;
performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
if the document contains suspect macro operations, informing a user that the document contains suspect macro operations.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 23, 24, 25, 26

deleting the document;
cleaning the document to remove suspect macro operations; and
not taking any action.

4. The method of claim 1, wherein the profile includes information specifying suspect macro operations.

5. The method of claim 1, wherein the profile includes information specifying non-suspect macro operations.

6. The method of claim 1, wherein performing the flow analysis on the macro operations includes performing the data flow analysis and the control flow analysis.

7. The method of claim 1, wherein informing the user includes specifying a level of safety for the macro operations.

8. The method of claim 1, wherein the macro operations are received in source code form.

9. The method of claim 1, wherein informing the user includes informing the user that the macro operations in the document can potentially do one of:
modifying data within another document;
modifying other files in the computer system;
deleting other files in the computer system;
modifying operating system parameters in the computer system;
exhausting a resource in the computer system;
killing a process in the computer system;
sending an electronic mail message to another computer system;
causing a program to be run on the computer system;
modifying macro operations in the document;
locking a file in the computer system; and
invoking a common object model (COM) object in the computer system.

10. The method of claim 1, wherein the document can include one of:
a word processing document;
a spreadsheet document;
a presentation document; and
a graphical image document.

11. The method of claim 1, wherein determining whether the macro operations specify suspect behavior includes using at least one of the following factors in determining if the macro operations specify suspect behavior:
an identity of the user who is executing the macro operations in the document;
an identity of an owner of an object upon which a macro operation operates; and
information specifying a context in which a macro operation is called.

23. The method of claim 1, wherein the flow analysis includes the control flow analysis that determines how many times a specific operation is executed.

24. The method of claim 1, wherein the control flow analysis includes backwards data flow analysis on the macro operations.

25. The method of claim 1, wherein the control flow analysis includes both forward data flow analysis and backwards data flow analysis on the macro operations.

26. The method of claim 1, wherein the variables include a filename variable and the values include a specific filename.

12. A method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
receiving the document containing the macro operations, the macro operations being in source code form;
locating the macro operations within the document;
performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations;
if the document contains suspect macro operations, informing a user that the document contains suspect macro operations; and
receiving instructions from the user specifying an action to take with regard to the document.
Dependent claims: 13, 14

deleting the document;
cleaning the document to remove suspect macro operations; and
not taking any action.

14. The method of claim 12, wherein comparing the macro operations further comprises performing a flow analysis on the macro operations in the document, the flow analysis including the data flow analysis and the control flow analysis.

15. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
receiving the document containing the macro operations;
locating the macro operations within the document;
performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
if the document contains suspect macro operations, informing a user that the document contains suspect macro operations.
Dependent claims: 16, 17, 18

19. An apparatus that detects a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
a receiving mechanism that receives the document containing the macro operations;
a macro operation locating mechanism that locates the macro operations within the document;
a flow analysis mechanism that performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
a comparison mechanism that compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
an informing mechanism that informs a user if the document contains suspect macro operations.
Dependent claims: 20, 21, 22

Specification