Detecting computer viruses or malicious software by patching instructions into an emulator

US 6,907,396 B1
Filed: 06/01/2000
Issued: 06/14/2005
Est. Priority Date: 06/01/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:

receiving the suspect code;

loading the suspect code into an emulator buffer within a data space of a computer system;

loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;

performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and

determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code. During operation, the system loads a first emulator extension into the emulator. This first emulator extension includes program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software. The system also loads the suspect code into an emulator buffer. Next, the system performs an emulation using the first emulator extension and the suspect code. This emulation is performed within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the suspect code. During this emulation, the system determines whether the suspect code is likely to exhibit malicious behavior. In one embodiment of the present invention, loading the first emulator extension into the emulator involves loading the first emulator extension into the emulator buffer within the emulator. In this embodiment, performing the emulation involves emulating the program instructions that comprise the first emulator extension.

309 Citations

37 Claims

1. A method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
- receiving the suspect code;
  
  loading the suspect code into an emulator buffer within a data space of a computer system;
  
  loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
  
  performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
  
  determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein loading the first emulator extension into the emulator includes loading the first emulator extension into the emulator buffer within the emulator;
    - andwherein performing the emulation includes emulating the program instructions that comprise the first emulator extension.
  - 3. The method of claim 2, wherein emulating the program instructions that comprise the first emulator extension causes the emulator to examine the suspect code looking for patterns that indicate that the suspect code is likely to exhibit malicious behavior.
  - 4. The method of claim 2, wherein emulating the program instructions that comprise the first emulator extension causes the program instructions within the first emulator extension to facilitate emulation of the suspect code.
  - 5. The method of claim 1, further comprising emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
  - 6. The method of claim 1, further comprising:
    - loading a second emulator extension into the emulator; and
      
      performing a second emulation using the second emulator extension and the suspect code.
  - 7. The method of claim 6, wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
  - 8. The method of claim 1, wherein loading the first emulator extension involves loading the first emulator extension from a database containing a plurality of different emulator extensions.
  - 9. The method of claim 1, wherein the first emulator extension includes code for decrypting an encrypted computer virus and other encrypted malicious code.
  - 10. The method of claim 1, further comprising if a computer virus or other malicious software is detected within the suspect code, disinfecting the suspect code.
  - 11. The method of claim 1, wherein the first emulator extension facilitates emulating a non-standard computer instruction opcode.
  - 12. The method of claim 1, wherein the first emulator extension facilitates emulating an uncommonly used operating system call.
  - 13. The method of claim 1, wherein if the computer virus and/or malicious software is not detected, it is determined if there are any remaining emulator extensions remaining in a database that have not already been used, wherein if there are any remaining emulator extensions remaining in the database that have not already been used, a next emulator extension is loaded into the emulator to repeat the emulation using the next emulator extension.

14. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
- receiving the suspect code;
  
  loading the suspect code into an emulator buffer within a data space of a computer system;
  
  loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
  
  performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
  
  determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The computer-readable storage medium of claim 14, wherein loading the first emulator extension into the emulator includes loading the first emulator extension into the emulator buffer within the emulator;
    - andwherein performing the emulation includes emulating the program instructions that comprise the first emulator extension.
  - 16. The computer-readable storage medium of claim 15, wherein emulating the program instructions that comprise the first emulator extension causes the emulator to examine the suspect code looking for patterns that indicate that the suspect code is likely to exhibit malicious behavior.
  - 17. The computer-readable storage medium of claim 15, wherein emulating the program instructions that comprise the first emulator extension causes the program instructions within the first emulator extension to facilitate emulation of the suspect code.
  - 18. The computer-readable storage medium of claim 14, wherein the method further comprises emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
  - 19. The computer-readable storage medium of claim 14, wherein the method further comprises:
    - loading a second emulator extension into the emulator; and
      
      performing a second emulation using the second emulator extension and the suspect code.
  - 20. The computer-readable storage medium of claim 19, wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
  - 21. The computer-readable storage medium of claim 14, wherein loading the first emulator extension involves loading the first emulator extension from a database containing a plurality of different emulator extensions.
  - 22. The computer-readable storage medium of claim 14, wherein the first emulator extension includes code for decrypting an encrypted computer virus and other encrypted malicious code.
  - 23. The computer-readable storage medium of claim 14, wherein if a computer virus or other malicious software is detected within the suspect code, the method further comprises disinfecting the suspect code.
  - 24. The computer-readable storage medium of claim 14, wherein the first emulator extension facilitates emulating a non-standard computer instruction opcode.
  - 25. The computer-readable storage medium of claim 14, wherein the first emulator extension facilitates emulating an uncommonly used operating system call.

26. An apparatus that emulates computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the apparatus comprising:
- a loading mechanism that is configured to load the suspect code into an emulator buffer within a data space of a computer system;
  
  wherein the loading mechanism is additionally configured to load a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
  
  an emulation mechanism that is configured to perform the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
  
  a determination mechanism that is configured to determine whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. The apparatus of claim 26, wherein the loading mechanism is configured to load the first emulator extension into the emulator buffer within the emulator;
    - andwherein the emulation mechanism is configured to emulate the program instructions that comprise the first emulator extension.
  - 28. The apparatus of claim 27, wherein emulating the program instructions that comprise the first emulator extension causes the emulation mechanism to examine the suspect code looking for patterns that indicate that the suspect code is likely to exhibit malicious behavior.
  - 29. The apparatus of claim 27, wherein emulating the program instructions that comprise the first emulator extension causes the emulation mechanism to facilitate emulation of the suspect code.
  - 30. The apparatus of claim 26, wherein the emulator is configured to emulate the suspect code prior to loading the first emulator extension into the emulator buffer.
  - 31. The apparatus of claim 26, wherein the loading mechanism is additionally configured to:
    - load a second emulator extension into the emulator; and
      
      to perform a second emulation using the second emulator extension and the suspect code.
  - 32. The apparatus of claim 31, wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
  - 33. The apparatus of claim 26, wherein the loading mechanism is configured to load the first emulator extension from a database containing a plurality of different emulator extensions.
  - 34. The apparatus of claim 26, wherein the first emulator extension includes code for decrypting an encrypted computer virus and other encrypted malicious code.
  - 35. The apparatus of claim 26, further comprising a disinfecting mechanism that is configured to disinfect the suspect code if a computer virus or other malicious software is detected within the suspect code.
  - 36. The apparatus of claim 26, wherein the first emulator extension is configured to facilitate emulating a non-standard computer instruction opcode.
  - 37. The apparatus of claim 26, wherein the first emulator extension is configured to facilitate emulating an uncommonly used operating system call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Long, Duncan V., Muttik, Igor
Primary Examiner(s)
PHAN, THAI Q

Application Number

US09/586,671
Time in Patent Office

1,839 Days
Field of Search

703/22, 703/26, 703/27, 713/156, 713/200, 713/201, 717/134, 717/168
US Class Current

703/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

Detecting computer viruses or malicious software by patching instructions into an emulator

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

309 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Detecting computer viruses or malicious software by patching instructions into an emulator

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

309 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others