System and method for identifying a macro virus family using a macro virus definitions database

US 7,210,041 B1
Filed: 04/30/2001
Issued: 04/24/2007
Est. Priority Date: 04/30/2001
Status: Expired due to Term

First Claim

Patent Images

1. A system for identifying a macro virus family using a macro virus definitions database, comprising:

a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro, the sets of the indices and the macro virus definition data files being organized into a hierarchy according to macro virus families based on a type of application to which the macro applies;

a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;

a macro virus checker comparing each suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string;

the macro virus checker parsing the macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and

the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;

wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and

the macro virus checker compares each suspect string to the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;

wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;

wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;

wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;

wherein the macro virus checker identifies the replication method common to the plurality of the individual suspect strings in the suspect file;

wherein the macro virus checker identifies the macro virus family by which the common replication method is indexed.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A macro virus definitions database is maintained and includes a set of indices and associated macro virus definition data files. One or more of the macro virus definition data files are referenced by the associated index. Each macro virus definition data file defines macro virus attributes for known macro viruses. The sets of the indices and the macro virus definition data files are organized according to macro virus families. One or more strings stored in a suspect file are compared to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database. The macro virus family to which the suspect file belongs is determined from the indices for each of the macro virus definition data files at least partially containing the suspect file.

84 Citations

View as Search Results

16 Claims

1. A system for identifying a macro virus family using a macro virus definitions database, comprising:
- a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro, the sets of the indices and the macro virus definition data files being organized into a hierarchy according to macro virus families based on a type of application to which the macro applies;
  
  a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
  
  a macro virus checker comparing each suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string;
  
  the macro virus checker parsing the macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
  
  the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
  
  wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
  
  the macro virus checker compares each suspect string to the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
  
  wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
  
  wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
  
  wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
  
  wherein the macro virus checker identifies the replication method common to the plurality of the individual suspect strings in the suspect file;
  
  wherein the macro virus checker identifies the macro virus family by which the common replication method is indexed.
- View Dependent Claims (2, 3, 4)
- - 2. A system according to claim 1, further comprising:
    - the macro virus checker resetting the index referencing one or more of the macro virus definition data files for at least one macro virus family and creating a new macro virus definition data file entry comprising an index referencing one or more macro virus definition files.
  - 3. A system according to claim 2, further comprising:
    - the new macro virus definition data file entry defining the macro virus attributes by storing at least one of a string constant and source code text.
  - 4. A system according to claim 1, further comprising:
    - the macro virus checker cross referencing at least one of a string constant and source code text from the parsed macro file attributes against the macro virus attributes defined in the virus definition data files.

5. A method for identifying a macro virus family using a macro virus definitions database, comprising:
- maintaining a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
  
  organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families based on a type of application to which the macro applies;
  
  parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
  
  comparing each suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database; and
  
  determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string;
  
  parsing the macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
  
  iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
  
  wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
  
  a comparison is performed between each suspect string and the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
  
  wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
  
  wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
  
  wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
  
  wherein the replication method common to the plurality of the individual suspect strings in the suspect file is identified;
  
  wherein further included is an identification of the macro virus family by which the common replication method is indexed.
- View Dependent Claims (6, 7, 8, 9)
- - 6. A method according to claim 5, further comprising:
    - resetting the index referencing one or more of the macro virus definition data files for at least one macro virus family; and
      
      creating a new macro virus definition data file entry comprising an index referencing one or more macro virus definition files.
  - 7. A method according to claim 6, further comprising:
    - defining the macro virus attributes for the new macro virus definition data file entry by storing at least one of a string constant and source code text.
  - 8. A method according to claim 5, further comprising:
    - cross referencing at least one of a string constant and source code text from the parsed macro file attributes against the macro virus attributes defined in the virus definition data files.
  - 9. A computer-readable storage medium holding code for performing the method according to claims 5, or 6.

10. A system for identifying a macro virus family using a macro virus definitions database, comprising:
- a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising;
  
  one or more of the macro virus definition data files referenced by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
  
  a hierarchy organized according to a macro family to which each of the sets of the indices and the macro virus definition data files belong based on a type of application to which the macro applies;
  
  a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
  
  a macro virus checker comparing one or more strings stored in a suspect file to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file;
  
  the macro virus checker parsing macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
  
  the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
  
  wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
  
  the macro virus checker compares a suspect string to the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
  
  wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
  
  wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
  
  wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
  
  wherein the macro virus checker identifies the replication method common to the plurality of the individual suspect strings in the suspect file;
  
  wherein the macro virus checker identifies the macro virus family by which the common replication method is indexed.
- View Dependent Claims (11, 12)
- - 11. A system according to claim 10, further comprising:
    - each macro virus family defined according to the replication method common to each of the macro virus definition data files associated with one such index.
  - 12. A system according to claim 10, further comprising:
    - the macro virus checker designating a minimum length of commonly shared string constants.

13. A method for identifying a macro virus family using a macro virus definitions database, comprising:
- maintaining a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising;
  
  referencing one or more of the macro virus definition data files by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
  
  organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families based on a type of application to which the macro applies;
  
  parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
  
  comparing the strings to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database;
  
  determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file;
  
  parsing macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
  
  iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
  
  wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
  
  a comparison is performed between a suspect string and the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
  
  wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
  
  wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
  
  wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
  
  wherein the replication method common to the plurality of the individual suspect strings in the suspect file is identified;
  
  wherein further included is an identification of the macro virus family by which the common replication method is indexed.
- View Dependent Claims (14, 15, 16)
- - 14. A method according to claim 13, further comprising:
    - defining each macro virus family according to the replication method common to each of the macro virus definition data files associated with one such index.
  - 15. A method according to claim 13, further comprising:
    - designating a minimum length of commonly shared string constants.
  - 16. A computer-readable storage medium holding code for performing the method according to claims 13, or 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gryaznov, Dmitry O., Muttik, Igor, Peternev, Viatcheslav
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
COLIN, CARL G

Application Number

US09/846,103
Time in Patent Office

2,185 Days
Field of Search

713/200, 713/201, 395/183, 395/575
US Class Current

713/188
CPC Class Codes

G06F 21/56 Computer malware detection ...

System and method for identifying a macro virus family using a macro virus definitions database

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying a macro virus family using a macro virus definitions database

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links