Distinguishing legitimate modifications from malicious modifications during executable computer file modification analysis

US 7,373,519 B1
Filed: 04/09/2003
Issued: 05/13/2008
Est. Priority Date: 04/09/2003
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for distinguishing between a legitimate modification and a malicious modification of executable computer file, the method comprising the steps of:

prior to a modification of an executable file;

a modification analysis manager identifying a specified number of blocks of a specified size of contiguous substantive content from a specified section of the executable file; and

the modification analysis manager storing, for each identified block, a location of the block, and content-specific information concerning the block; and

after the modification of the executable file;

the modification analysis manager comparing, for each identified block, content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file; and

the modification analysis manager determining a status of the modification of the executable file responsive to a result of the comparison and, responsive to determining that greater than a specified threshold percentage of the blocks has been modified, determining that the modification of the executable file comprises a legitimate modification.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Prior to a modification of an executable computer file (101), a modification analysis manager (111) stores (1101) content concerning a specified number of specified sized blocks (115) of a specified section of the executable file (101). After the modification of the executable file (101), the modification analysis manager (111) compares (1103), for each block (115), the content at the location of the block (115) after the modification of the executable file (101) with the content of the block (115) prior to the modification. The modification analysis manager (101) determines (1105) the status of the modification, responsive to a result of the comparison.

119 Citations

View as Search Results

24 Claims

1. A computer implemented method for distinguishing between a legitimate modification and a malicious modification of executable computer file, the method comprising the steps of:
- prior to a modification of an executable file;
  
  a modification analysis manager identifying a specified number of blocks of a specified size of contiguous substantive content from a specified section of the executable file; and
  
  the modification analysis manager storing, for each identified block, a location of the block, and content-specific information concerning the block; and
  
  after the modification of the executable file;
  
  the modification analysis manager comparing, for each identified block, content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file; and
  
  the modification analysis manager determining a status of the modification of the executable file responsive to a result of the comparison and, responsive to determining that greater than a specified threshold percentage of the blocks has been modified, determining that the modification of the executable file comprises a legitimate modification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein identifying a specified number of blocks of a specified size of contiguous substantive content from a specified section of the executable file further comprises:
    - the modification analysis manager scanning the specified section from end to beginning for blocks of a specified size of contiguous substantive content.
  - 3. The method of claim 1 wherein storing the location of a block further comprises:
    - the modification analysis manager storing an offset of the block from the beginning of the specified section.
  - 4. The method of claim 1 wherein storing content-specific information concerning a block further comprises:
    - the modification analysis manager computing a hash value of the content of the block; and
      
      the modification analysis manager storing the hash value.
  - 5. The method of claim 4 wherein comparing content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file comprises:
    - the modification analysis manager computing a hash value of the content at the location of the block after the modification of the executable file; and
      
      the modification analysis manager comparing the hash value of the content at the location of the block after the modification of the executable file with the stored hash value of the content of the block prior to the modification of the executable file.
  - 6. The method of claim 1 wherein storing content-specific information concerning a block comprises:
    - the modification analysis manager storing the content of the block.
  - 7. The method of claim 6 wherein comparing content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file comprises:
    - the modification analysis manager comparing the content at the location of the block after the modification of the executable file with the stored content of the block.
  - 8. The method of claim 1 further comprising:
    - the modification analysis manager reading the modified executable file in order to check for at least one additional factor concerning the status of the modification.
  - 9. The method of claim 1 further comprising:
    - the modification analysis manager intercepting a request to write to the executable file;
      
      prior to execution of the request to write to the executable file, the modification analysis manager performing the identifying and storing steps;
      
      the modification analysis manager allowing execution of the request to write to the executable file; and
      
      after execution of the request to write to the executable file, the modification analysis manager performing the comparing and determining steps.
  - 10. The method of claim 1 further comprising:
    - prior to the modification of the executable file, the modification analysis manager storing the location and content information in an integrity database; and
      
      after the modification of the executable file, the modification analysis manager reading the stored information from the integrity database.

11. A computer implemented method for distinguishing between a legitimate modification and a malicious modification of an executable computer file that comprises at least two data sections, by analyzing a first data section of the executable computer file, the method comprising the steps of:
- prior to a modification of the executable file;
  
  a modification analysis manager storing content information concerning a specific number of blocks of a specified size of contiguous content from the first data section wherein the modification analysis manager stores content information concerning a first block of a specified size that starts at the beginning of the first data section, and stores the location of and content information concerning a second block of a specified size that terminates at the end of the first data section; and
  
  after the modification of the executable file;
  
  the modification analysis manager comparing, for each block, content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file; and
  
  responsive to no block of the first data section having been modified, the modification analysis manager determining that the modification of the executable file comprises a malicious modification.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11 wherein storing the location of the second block comprises:
    - the modification analysis manager storing an offset of the second block.
  - 13. The method of claim 11 wherein storing content-information concerning a block of the specified number of blocks of a specified size comprises:
    - the modification analysis manager computing a hash value of the content of the block; and
      
      the modification analysis manager storing the hash value.
  - 14. The method of claim 13 wherein comparing content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file comprises:
    - the modification analysis manager computing a hash value of the content at the location of the block after the modification of the executable file; and
      
      the modification analysis comparing the hash value of the content at the location of the block after the modification of the executable file with the stored hash value of the content of the block prior to the modification of the executable file.
  - 15. The method of claim 11 wherein storing content-specific information concerning a block of the specified number of blocks of a specified size comprises:
    - the modification analysis manager storing the content of the block.
  - 16. The method of claim 15 wherein comparing content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file comprises:
    - the modification analysis manager comparing the content at the location of the block after the modification of the executable file with the stored content of the block.
  - 17. The method of claim 11 further comprising:
    - the modification analysis manager intercepting a request to write to the executable file;
      
      prior to execution of the request to write to the executable file, the modification analysis manager performing the storing step;
      
      the modification analysis manager allowing execution of the request to write to the executable file; and
      
      after execution of the request to write to the executable file, the modification analysis manager performing the comparing and determining steps.
  - 18. The method of claim 11 further comprising:
    - prior to the modification of the executable file, the modification analysis manager storing the location and content information in an integrity database; and
      
      after the modification of the executable file, the modification analysis manager reading the stored information from the integrity database.

19. A computer readable medium containing a computer program product for distinguishing between a legitimate modification and a malicious modification of a code section of an executable computer file, the computer program product comprising:
- program code for identifying a specified number of blocks of a specified size of contiguous substantive content from a specified section of an executable file, prior to a modification of the executable file;
  
  program code for storing, for each identified block, a location of the block, and content-specific information concerning the block, prior to the modification of the executable file;
  
  program code for, after the modification of the executable file, comparing, for each identified block, content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file; and
  
  program code for determining a status of the modification of the executable file responsive to a result of the comparison, after the modification of the executable file and for, responsive to determining that greater than a specified threshold percentage of the blocks has been modified, determining that the modification of the executable file comprises a legitimate modification.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19 further comprising:
    - program code for scanning the specified section from end to beginning for blocks of a specified size of contiguous substantive content.

21. A computer readable medium containing a computer program product for distinguishing between a legitimate modification and a malicious modification of an executable computer file that comprises at least two data sections by analyzing a first data section of an executable computer file, the computer program product comprising:
- program code for storing content information concerning a specified number of blocks of a specified size of contiguous content from the first data section, and for storing content information concerning a first block of a specified size that starts at the beginning of the first data section, and for storing the location of and content information concerning a second block of a specified size that terminates at the end of the first data section, prior to a modification of an executable file;
  
  program code for, after the modification of the executable file, comparing, for each block, content at the location of the block after the modification of the executable file with content of the block prior to the modification of the executable file; and
  
  program code for, responsive to no block of the first data section having been modified, the modification analysis manager determining that the modification of the executable file comprises a malicious modification.
- View Dependent Claims (22)
- - 22. The computer program product of claim 21 further comprising program code for storing an offset of the first block.

23. A computer system for distinguishing between a legitimate modification and a malicious modification of an executable computer file that comprises at least two data sections by analyzing a first data section of the executable computer file, the computer system comprising:
- a storage module storing content information concerning a specified number of blocks of a specified size of contiguous content from the data section wherein the storage module stores content information concerning a first block of a specified size that starts at the beginning of the first data section, and stores the location of and content information concerning a second block of a specified size that terminates at the end of the first data section, prior to a modification of an executable file;
  
  a comparison module comparing, for each block, after the modification of the executable file, content at the location of the block after the modification of the executable file, the comparison module being communicatively coupled to the storage module; and
  
  a determination module determining that the modification of the executable file comprises a malicious modification, responsive to no block of the first data section having been modified, the determination module being communicatively coupled to the comparison module.
- View Dependent Claims (24)
- - 24. The computer system of claim 23 wherein:
    - the storage module is further adapted to store an offset of the first block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey, Perriot, Frederic
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/411,572
Time in Patent Office

1,861 Days
Field of Search

714/38, 713187-188, 726 23- 26, 726/22
US Class Current

713/187
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

Distinguishing legitimate modifications from malicious modifications during executable computer file modification analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Distinguishing legitimate modifications from malicious modifications during executable computer file modification analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links