System and method for locating malware
Abstract
A system and method for managing malware is described. One embodiment is designed to receive an initial URL associated with a Web site; download content from that Web site; identify any obfuscation techniques used to hide malware or pointers to malware; interpret those obfuscation techniques; identify a new URL as a result of interpreting the obfuscation techniques; and add the new URL to a URL database.
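The static part of this pipeline, as an added Python example that is not taken from the patent: it pulls embedded URLs from the HTML, plain URLs from script text, and decodes one obfuscation form, flagging the decoded URL as high priority in a dictionary standing in for the URL database. Assumptions: the obfuscation is JavaScript `unescape()` over a percent-encoded string, the names `PageParser` and `analyze` are hypothetical, the sample page is constructed, and executing the button-click function from claim 1 is out of scope because it needs a script engine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Assumed obfuscation form: unescape('%68%74%74%70...') in script text.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])((?:%[0-9a-fA-F]{2})+)\1\s*\)")

class PageParser(HTMLParser):
    """Collects href/src URLs from tags and the raw text of <script> blocks."""
    def __init__(self):
        super().__init__()
        self.embedded, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src") and value and URL_RE.match(value):
                self.embedded.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def analyze(html):
    """Return {url: priority}, a stand-in for the URL database."""
    parser = PageParser()
    parser.feed(html)
    db = {url: "normal" for url in parser.embedded}      # embedded URLs
    script = "".join(parser.scripts)
    for url in URL_RE.findall(script):                   # non-obfuscated URLs
        db.setdefault(url, "normal")
    for _quote, encoded in UNESCAPE_RE.findall(script):  # obfuscated URLs
        decoded = unquote(encoded)                       # interpret the obfuscation
        if URL_RE.fullmatch(decoded):
            db[decoded] = "high"                         # high-priority indicator
    return db

# Constructed sample page; the hidden URL is encoded here so it never appears in clear.
_HIDDEN = "http://files.example/update.js"
_ENCODED = "".join(f"%{b:02x}" for b in _HIDDEN.encode())
SAMPLE_HTML = f"""<html><body>
<a href="http://partner.example/landing">link</a>
<script>
var tracker = "http://stats.example/t.js";
var next = unescape('{_ENCODED}');
</script></body></html>"""
```

A plain-text search of `SAMPLE_HTML` for `http://` finds only the first two URLs; the third reaches the database only because the encoded string was decoded.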
12 Claims
1. A method for identifying Web sites that may include malware, the method comprising:
- receiving an initial Uniform Resource Locator (URL) associated with a Web site;
- downloading content associated with the initial URL, the content including Hyper Text Markup Language (HTML), a script program, and code related to a button-click event that executes a function;
- searching the HTML in the downloaded content for an embedded URL;
- identifying a non-obfuscated URL in the script program;
- identifying an obfuscated URL in the script program;
- executing the function corresponding to the button-click event;
- receiving a new URL as a result of executing the function;
- adding the embedded URL, the non-obfuscated URL and the new URL to a URL database; and
- adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the obfuscated URL.

Dependent claims: 2, 3, 4, 5
6. A method for identifying malware, the method comprising:
- receiving an initial Uniform Resource Locator (URL) associated with a Web site;
- downloading content associated with the initial URL, the content including a script program;
- identifying obfuscation techniques in the script program;
- interpreting the obfuscation techniques;
- identifying a new URL as a result of interpreting the obfuscation techniques;
- adding the new URL to a URL database; and
- adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the new URL and the high-priority indicator indicating that the new URL is likely to be associated with malware.

Dependent claims: 7, 8
9. A method for identifying malware, the method comprising:
- downloading content associated with an initial Uniform Resource Locator (URL), the content including an object and an embedded URL;
- extracting the embedded URL from the content;
- adding the extracted URL to a URL database;
- determining whether the object can be verified through text searching;
- responsive to the object not being verifiable through text searching, passing the object to an active browser configured to execute the object automatically and to record configuration changes to a computer system on which the active browser operates that occur as a result of executing the object; and
- examining the configuration changes to determine whether the object is malware.

Dependent claims: 10, 11, 12
Specification