Method and apparatus for replicating and analyzing worm programs

US 6,981,279 B1
Filed: 08/17/2000
Issued: 12/27/2005
Est. Priority Date: 08/17/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for monitoring operation of a software program in a network environment, comprising:

an execution component for executing the software program, said execution component being coupled to an isolated network that does not have a direct connection to another network that is not an isolated network;

a monitoring component for obtaining information about actions performed by the software program; and

a network emulation component, coupled to said isolated network, for emulating the behavior of at least a host providing network services;

whereinsaid execution component and said network emulation component cooperate with said isolated network in order to elicit a behavior of the software program that is detectable by said monitoring component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method are disclosed for dynamically analyzing software, some of whose potentially-important behaviors (such as worm-like behavior) may only be displayed when the software is executed in an environment where it has, or appears to have, access to a production network and/or to the global Internet. The software can be executed in a real or an emulated network environment that includes a monitoring component and an emulation component. The monitoring component serves to capture and/or record the behaviors displayed by the software and/or other components of the system, and the emulation component gives the software being analyzed the impression that it is executing with access to a production network and/or to the global Internet. The software being analyzed is effectively confined to the analysis network environment, and cannot in fact read information from, or alter any information on, any production network or the global Internet.

375 Citations

46 Claims

1. A system for monitoring operation of a software program in a network environment, comprising:
- an execution component for executing the software program, said execution component being coupled to an isolated network that does not have a direct connection to another network that is not an isolated network;
  
  a monitoring component for obtaining information about actions performed by the software program; and
  
  a network emulation component, coupled to said isolated network, for emulating the behavior of at least a host providing network services;
  
  whereinsaid execution component and said network emulation component cooperate with said isolated network in order to elicit a behavior of the software program that is detectable by said monitoring component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. A system as in claim 1, where said emulation component further comprises a server programmed so as to return emulated results in response to a request resulting from the software program being executed on said execution component.
  - 3. A system as in claim 1, where said emulation component is programmed so as to limit access by the software program to only certain resources.
  - 4. A system as in claim 1, where at least one of said emulation component and monitoring component are programmed so as to provide information about the performance of the software program for the purposes of testing, debugging, performance profiling, or optimization.
  - 5. A system as in claim 1, where at least one of said emulation component and monitoring component are programmed so as to provide information about actions of the software program for the purposes of reverse engineering or otherwise determining the function and behavior of the software program.
  - 6. A system as in claim 1, where at least one of said emulation component and monitoring component are programmed so as to provide information about actions of the software program for the purposes of detecting a presence of an undesirable software entity within the software program.
  - 7. A system as in claim 6, wherein the undesirable software entity comprises at least one of a worm or a virus.
  - 8. A system as in claim 6, wherein the undesirable software entity comprises a worm that exhibits viral characteristics.
  - 9. A system as in claim 1, where the elicited behavior of the software program comprises self-replication.
  - 10. A system as in claim 1, where the elicited behavior of the software program comprises viral or malicious activity.
  - 11. A system as in claim 2, where said server is programmed to determine what result to return based at least in part on a result of a corresponding real query sent to a corresponding real server on a corresponding real, non-isolated network.
  - 12. A system as in claim 2, where said server is programmed so as to function as an optimistic host.
  - 13. A system as in claim 2, where said server comprises at least one of a real or an emulated Web server.
  - 14. A system as in claim 2, where said server comprises at least one of a real or an emulated http, ftp, imap4, pop3, nntp, news, irc, chat, smtp, mail or mailbox server.
  - 15. A system as in claim 2, where said server comprises at least one of a real or an emulated router.
  - 16. A system as in claim 2, where said server comprises at least one of a real or an emulated DNS, WINS, or other Name server.
  - 17. A system as in claim 2, where said server comprises at least one of a real or an emulated SNMP server.
  - 18. A system as in claim 2, where said server comprises at least one of a real or an emulated NetBIOS server.
  - 19. A system as in claim 2, where said server comprises at least one of a real or an emulated server that operates in accordance with SMB, NES or other distributed file system protocols.
  - 20. A system as in claim 1, where said monitoring component comprises a monitor programmed to record certain information or types of information that flow across the isolated network as a result of the execution of the software program.
  - 21. A system as in claim 1, where said monitoring component comprises a monitor programmed to record at least one of certain operating system level or application level activities or types of activities that occur in real or emulated host computers as a result of the execution of the software program.
  - 22. A system as in claim 2, where said monitoring component comprises a monitor programmed to record at least certain activities or types of activities that occur in said server as a result of the execution of the software program.
  - 23. A system as in claim 1, where said monitoring component comprises at least one event handler programmed so as to obtain control when certain events or types of events occur.
  - 24. A system as in claim 23, where the certain events or types of events comprise at least one of creation of a new file in a filesystem, a receipt of mail, an opening of mail, a posting of news, an opening of a new socket connection, an execution of a particular application, and an alteration of a system registry.
  - 25. A system as in claim 1, where said emulation component further comprises a system activity emulation component for emulating typical or specific activity on at least one of said isolated network and a real or emulated host computer.
  - 26. A system as in claim 25, where the typical or specific activity comprises at least one of sending mail, opening mail, opening or execution of a mail attachment, entry of keystrokes, issuing of user commands, execution of a particular application, rebooting a real or emulated host computer, restarting a real or emulated host computer, reinitialization of a real or emulated host computer, posting of news, participation in real-time messaging, and a transfer of files.

27. A system for eliciting a desired behavior from a software program, comprising:
- an emulated data communications network having at least one emulated network server coupled thereto, said at least one emulated network server responding to requests received from said emulated data communications network;
  
  an emulated host computer coupled to said emulated data communications network, said emulated host computer for executing the software program, the software program operating to originate requests to said emulated data communications network;
  
  at least one emulated goat computer coupled to said emulated data communications network; and
  
  at least one monitor for detecting an occurrence of the desired behavior in at least one of said emulated network server, said emulated host computer, and said at least one emulated goat computer.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. A system as in claim 27, wherein said at least one emulated network server operates as an optimistic server when responding to requests received from said emulated data communications network.
  - 29. A system as in claim 27, wherein the desired behavior is indicative of a presence of an undesirable software entity within the software program.
  - 30. A system as in claim 29, wherein the undesirable software entity comprises at least one of a worm or a virus.
  - 31. A system as in claim 29, wherein the undesirable software entity comprises a worm that exhibits viral characteristics.
  - 32. A system as in claim 27, where the desired behavior comprises self-replication.
  - 33. A system as in claim 27, where the desired behavior comprises viral activity or malicious activity.
  - 34. A system as in claim 27, wherein said monitor operates to detect at least one of a creation of a new file, a receipt of mail, an opening of mail, a posting of news, an opening of a new socket connection, an execution of a particular application, and an alteration of a system registry.
  - 35. A system as in claim 27, where at least one of said emulated host computer and said monitor are programmed so as to provide information about the performance of the software program for the purposes of testing, debugging, performance profiling, or optimization.
  - 36. A system as in claim 27, where at least one of said emulated host computer and said monitor are programmed so as to provide information about the performance of the software program for the purposes of reverse engineering or otherwise determining the function and behavior of the software program.

37. A computer program embodied on at least one computer-readable medium for executing a method for eliciting a behavior from a software program, the method comprising steps of:
- emulating a data communications network having at least one emulated network server coupled thereto, said at least one emulated network server operating to respond to requests received from said emulated data communications network;
  
  emulating a host computer coupled to said emulated data communications network, said emulated host computer executing the software program, the software program operating to originate requests to said emulated data communications network; and
  
  detecting an occurrence of the behavior in at least one of said emulated network server and said emulated host computer.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 38. A computer program as in claim 37, and further comprising a step of emulating at least one goat computer coupled to said emulated data communications network, and wherein the step of detecting an occurrence of the behavior detects the occurrence of the behavior in said at least one goat computer.
  - 39. A computer program as in claim 37, wherein the elicited behavior is indicative of a presence of an undesirable software entity within the software program.
  - 40. A computer program as in claim 38, wherein the elicited behavior is indicative of a presence of an undesirable software entity within the software program, and wherein the undesirable software entity comprises at least one of a worm, a virus, or a worm that exhibits viral characteristics.
  - 41. A computer program as in claim 37, wherein the elicited behavior comprises self-replication.
  - 42. A computer program as in claim 37, wherein the elicited behavior comprises worm-like or virus-like behavior.
  - 43. A computer program as in claim 37, wherein said step of detecting operates to detect at least one of a creation of a new file, a receipt of mail, an opening of mail, a posting of news, an opening of a new socket connection, an execution of a particular application, and an alteration of a system registry.
  - 44. A computer program as in claim 37, wherein said at least one emulated network server operates as an optimistic server.
  - 45. A computer program as in claim 37, wherein said method provides information about the performance of the software program for the purposes of testing, debugging, performance profiling, or optimization.
  - 46. A computer program as in claim 37, wherein said method provides information about the performance of the software program for the purposes of reverse engineering or otherwise determining the function and behavior of the software program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Arnold, William C., Chess, David M., Morar, John F., Segal, Alla, Swimmer, Morton G., Whalley, Ian N., White, Steve R.
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US09/640,453
Time in Patent Office

1,958 Days
Field of Search

717/138, 713200-202, 395/181, 395/186, 726/22, 726/3, 726/5, 726/23, 726/24, 714/28, 703/27
US Class Current

726/22
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for replicating and analyzing worm programs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

375 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for replicating and analyzing worm programs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

375 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links