System and method for proactive computer virus protection

US 7,376,970 B2
Filed: 02/20/2004
Issued: 05/20/2008
Est. Priority Date: 02/20/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implementable method for determining the behavior of an executable comprising:

selecting evaluation calls made by the executable to the interface of an operating system;

loading stubs into a virtual address space, the stubs;

mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and

determining a behavior signature for the selected calls;

wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space;

executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and

determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely effected. During simulation, a behavior signature is generated based on the API calls issued by potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.

Citations

24 Claims

1. A computer-implementable method for determining the behavior of an executable comprising:
- selecting evaluation calls made by the executable to the interface of an operating system;
  
  loading stubs into a virtual address space, the stubs;
  
  mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and
  
  determining a behavior signature for the selected calls;
  
  wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space;
  
  executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and
  
  determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the calls selected for evaluation are a subset of calls made by the executable to the interface of an operating system.
  - 3. The method as recited in claim 2, wherein selecting a subset of calls includes:
    - traversing the executable'"'"'s machine code and identifying calls that are directed to the interface of the operating system; and
      
      identifying calls that are potentially indicative of malware.
  - 4. The method as recited in claim 3, wherein identifying calls that are potentially indicative of malware includes:
    - comparing calls made in the executable with calls that exist in known malware; and
      
      if a call matches one that exists in known malware, determining that the call is potentially indicative of malware.
  - 5. The method as recited in claim 3, wherein identifying calls that are potentially indicative of malware includes:
    - comparing calls made in the executable with calls that are identified as a future security threat from malware; and
      
      if a call matches one that is identified as a future security threat from malware, determining that the call is potentially indicative of malware.
  - 6. The method as recited in claim 2, wherein selecting a subset of calls includes determining if each call requires execution by a stub.
  - 7. The method of claim 1 wherein the calls are application programming interface (API) calls.
  - 8. The method as recited in claim 1 further comprising writing the behavior signature of the selected calls to an output store.
  - 9. The method as recited in claim 8 wherein writing the behavior signature to an output media includes writing three parameters to the output media comprising:
    - a first parameter indicative of the call made to the operating system;
      
      a second parameter operative to store a variable of known data types; and
      
      a third parameter operative to store a variable of known data types.
  - 10. The method as recited in claim 1, wherein loading stubs is initiated by an event generated by the virtual operating environment.
  - 11. The method as recited in claim 1, wherein loading stubs is performed by a loader that copies the stubs from a storage media to a virtual address space.
  - 12. The method as recited in claim 1, wherein loading stubs includes determining the stubs that handle the selected calls.

13. A computer-readable medium bearing computer-executable instructions which, when executed, carry out a method for determining the behavior of an executable comprising:
- selecting evaluation calls made by the executable to the interface of an operating system;
  
  loading stubs into a virtual address space, the stubs;
  
  mirroring the calls made to the interface of an operating system wherein mirroring the calls made to the interface of the operating system includes mirroring a set of full implemented DLLs; and
  
  determining a behavior signature for the selected calls;
  
  wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs include loading stub DLLs into said virtual address space;
  
  executing the selected calls inside of a virtual operating environment using the loaded stubs dynamically linked libraries; and
  
  determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer-readable medium of claim 13 wherein the calls selected for evaluation are a subset of calls made by the executable to the interface of an operating system.
  - 15. The computer-readable medium of claim 14, wherein selecting a subset of calls includes:
    - traversing the executablet'"'"'s machine code and identifying calls that are directed to the interface of the operating system; and
      
      identifying calls that are potentially indicative of malware.
  - 16. The computer-readable medium of claim 14, wherein selecting a subset of calls includes determining if each call requires execution by a stub.
  - 17. The computer-readable medium of claim 15, wherein identifying calls that are potentially indicative of malware includes:
    - comparing calls made in the executable with calls that exist in known malware; and
      
      if a call matches one that exists in known malware, determining that the call is potentially indicative of malware.
  - 18. The computer-readable medium of claim 15, wherein identifying calls that are potentially indicative of malware includes:
    - comparing calls made in the executable with calls that are identified as a future security threat from malware; and
      
      if a call matches one that is identified as a future security threat from malware, determining that the call is potentially indicative of malware.
  - 19. The computer-readable medium of claim 13 wherein the calls are application programming interface (API) calls.
  - 20. The computer-readable medium of claim 13 further comprising writing the behavior signature of the selected calls to an output store.
  - 21. The computer-readable medium of claim 20 wherein writing the behavior signature to an output media includes writing three parameters to the output media comprising:
    - a first parameter indicative of the call made to the operating system;
      
      a second parameter operative to store a variable of known data types; and
      
      a third parameter operative to store a variable of known data types.
  - 22. The computer-readable medium of claim 13, wherein loading stubs is initiated by an event generated by the virtual operating environment.
  - 23. The computer-readable medium of claim 13, wherein loading stubs is performed by a loader that copies the stubs from a storage media to a virtual address space.
  - 24. The computer-readable medium of claim 13, wherein loading stubs includes determining the stubs that handle the selected calls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Marinescu, Adrian M.
Primary Examiner(s)
Song; Hosuk

Application Number

US10/783,275
Publication Number

US 20050187740A1
Time in Patent Office

1,551 Days
Field of Search

726 22- 26, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

System and method for proactive computer virus protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for proactive computer virus protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links