Method and apparatus for detecting a macro computer virus using static analysis

US 6,697,950 B1
Filed: 12/22/1999
Issued: 02/24/2004
Est. Priority Date: 12/22/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:

receiving the document containing the macro operations;

locating the macro operations within the document;

performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;

comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and

if the document contains suspect macro operations, informing a user that the document contains suspect macro operations.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that detects a macro virus in a computer system by statically analyzing macro operations within a document. The system operates by receiving the document containing the macro operations. The system locates the macro operations within the document, and performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations. Next, the system compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations. If so, the system informs a user that the document contains suspect macro operations. In one embodiment of the present invention, after informing the user, the system receives instructions from the user specifying an action to take with regards to the document. In a variation on this embodiment, the action can include, deleting the document or cleaning the document to remove suspect macro operations. Note that it is possible to perform static analysis on macro viruses, because unlike other viruses that are propagated in executable code form, macro viruses are propagated in source code form, which is more amenable to static analysis than executable code.

Citations

26 Claims

1. A method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
- receiving the document containing the macro operations;
  
  locating the macro operations within the document;
  
  performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
  
  comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
  
  if the document contains suspect macro operations, informing a user that the document contains suspect macro operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 23, 24, 25, 26)
- - 2. The method of claim 1, further comprising after informing the user, receiving instructions from the user specifying an action to take with regards to the document.
  - 3. The method of claim 2, wherein the action can include one of:
4. The method of claim 1, wherein the profile includes information specifying suspect macro operations.
5. The method of claim 1, wherein the profile includes information specifying non-suspect macro operations.
6. The method of claim 1, wherein performing the flow analysis on the macro operations includes performing the data flow analysis and the control flow analysis.
7. The method of claim 1, wherein informing the user includes specifying a level of safety for the macro operations.
8. The method of claim 1, wherein the macro operations are received in source code form.
9. The method of claim 1, wherein informing the user includes informing the user that the macro operations in the document can potentially do one of,modifying data within another document;
- modifying other files in the computer system;
  
  deleting other files in the computer system;
  
  modifying operating system parameters in the computer system;
  
  exhausting a resource in the computer system;
  
  killing a process in the computer system;
  
  sending an electronic mail message to another computer system;
  
  causing a program to be run on the computer system;
  
  modifying macro operations in the document;
  
  locking a file in the computer system; and
  
  invoking a common object model (COM) object in the computer system.
10. The method of claim 1, wherein the document can include one of:
- a word processing document;
  
  a spreadsheet document;
  
  a presentation document; and
  
  a graphical image document.
11. The method of claim 1, wherein determining whether the macro operations specify suspect behavior includes using at least one of the following factors in determining if the macro operations specify suspect behavior:
- an identity of the user who is executing the macro operations in the document;
  
  an identity of an owner of an object upon which a macro operation operates; and
  
  information specifying a context in which a macro operation is called.
23. The method of claim 1, wherein the flow analysis includes the control flow analysis that determines how many times a specific operation is executed.
24. The method of claim 1, wherein the control flow analysis includes backwards data flow analysis on the macro operations.
25. The method of claim 1, wherein the control flow analysis includes both forward data flow analysis and backwards data flow analysis on the macro operations.
26. The method of claim 1, wherein the variables include a filename variable and the values include a specific filename.

12. A method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
- receiving the document containing the macro operations, the macro operations being in source code form;
  
  locating the macro operations within the document;
  
  performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
  
  comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations;
  
  if the document contains suspect macro operations, informing a user that the document contains suspect macro operations; and
  
  receiving instructions from the user specifying an action to take with regards to the document.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein the action can include one of:
14. The method of claim 12, wherein comparing the macro operations further comprises performing a flow analysis on the macro operations in the document, the flow analysis including the data flow analysis and the control flow analysis.

15. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for detecting a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
- receiving the document containing the macro operations;
  
  locating the macro operations within the document;
  
  performing a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
  
  comparing the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
  
  if the document contains suspect macro operations, informing a user that the document contains suspect macro operations.
- View Dependent Claims (16, 17, 18)
- - 16. The computer-readable storage medium of claim 15, wherein the method further comprises after informing the user, receiving instructions from the user specifying an action to take with regards to the document.
  - 17. The computer-readable storage medium of claim 15, wherein performing the flow analysis on the macro operations includes performing the data flow analysis and the control flow analysis.
  - 18. The computer-readable storage medium of claim 15, wherein the macro operations are received in source code form.

19. An apparatus that detects a macro virus in a computer system by statically analyzing macro operations within a document, comprising:
- a receiving mechanism that receives the document containing the macro operations;
  
  a macro operation locating mechanism that locates the macro operations within the document;
  
  a flow analysis mechanism that performs a flow analysis on the macro operations within the document to determine associated values for variables within the macro operations, wherein performing the flow analysis on the macro operations includes performing at least one of a data flow analysis and a control flow analysis;
  
  a comparison mechanism that compares the macro operations including the associated values for variables against a profile containing information about suspect macro operations and associated values for variables to determine whether the document contains suspect macro operations; and
  
  an informing mechanism that informs a user if the document contains suspect macro operations.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, further comprising an instruction receiving mechanism that is configured to receive instructions from the user specifying an action to take with regards to the document.
  - 21. The apparatus of claim 19, wherein the flow analysis mechanism is configured to perform the data flow analysis and the control flow analysis.
  - 22. The apparatus of claim 19, wherein the macro operations are received in source code form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Ko, Cheuk W.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
McArdle, Joseph M

Application Number

US09/469,758
Time in Patent Office

1,525 Days
Field of Search

713/200, 713/188, 713/201, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

G06F 21/563 by source code analysis

Method and apparatus for detecting a macro computer virus using static analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting a macro computer virus using static analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links