Method of, and system for, heuristically detecting viruses in executable code

US 7,496,963 B2
Filed: 08/11/2003
Issued: 02/24/2009
Est. Priority Date: 08/14/2002
Status: Active Grant

First Claim

Patent Images

1. A method of detecting virus infection of an executable image, the method comprising:

determining a file type and an entry point of the executable image;

scanning the executable image, with reference to a database of start-up code characteristics including patterns characteristic of start-up code generated by known compilers used to create respective file types, for start-up code at a location other than said entry point generated by one of the compilers used to generate the determined file type; and

flagging the executable image as suspicious from the point of view of possibly containing a virus infection in response to determining during the scanning that the executable image contains said start-up code at a location other than said entry point.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of, and system for, virus detection has a database of known patterns of start-up code for executable images created using a collection of known compilers and uses examination of the start-up code of the image by reference to this database to determine whether or not the executable image is likely to have been subject to infection by viral code. In particular, the system seeks to determine whether the expected flow and execution of the image during start up has had viral code interjected into it. Various heuristics to assist in assessing the likely presence of viral code are disclosed.

56 Citations

View as Search Results

12 Claims

1. A method of detecting virus infection of an executable image, the method comprising:
- determining a file type and an entry point of the executable image;
  
  scanning the executable image, with reference to a database of start-up code characteristics including patterns characteristic of start-up code generated by known compilers used to create respective file types, for start-up code at a location other than said entry point generated by one of the compilers used to generate the determined file type; and
  
  flagging the executable image as suspicious from the point of view of possibly containing a virus infection in response to determining during the scanning that the executable image contains said start-up code at a location other than said entry point.
- View Dependent Claims (2, 3)
- - 2. A method according to claim 1, whereinthe database of start-up code characteristics includes records of data values associated with routines which form part of the start up code, andthe step of scanning the executable image for start-up code comprises identifying the data in the executable image corresponding to at least one such data value and comparing it with that value.
  - 3. A method according to claim 1, further comprising:
    - performing remedial action in respect of executable images flagged as suspicious from the point of view of possibly containing a virus infection.

4. A method of detecting virus infection of an executable image, the method comprising:
- determining a file type and an entry point of the executable image;
  
  determining, with reference to a database of start-up code characteristics including patterns characteristic of start-up code generated by known compilers used to create respective file types, whether the executable image has at said entry point code similar to start-up code generated by one of the compilers used to generate the determined file type but with the beginning of this code having been changed; and
  
  flagging the executable image as suspicious from the point of view of possibly containing a virus infection in response to determining that the executable image has said code at said entry point.
- View Dependent Claims (5, 6)
- - 5. A method according to claim 4, whereinthe database of start-up code characteristics includes records of data values associated with routines which form part of the start-up code, andthe step of determining whether the executable image has at said entry point code similar to start-up code generated by one of the compilers used to generate the determined file type but with the beginning of this code having been changed comprises identifying the data in the executable image corresponding to at least one such data value and comparing it with that value.
  - 6. A method according to claim 4, further comprising:
    - performing remedial action in respect of executable images flagged as suspicious from the point of view of possibly containing a virus infection.

7. A system implemented on a computer apparatus for detecting virus infection of an executable image, the system comprising:
- a file-type analyzer operative to determine a file type and an entry point of the executable image; and
  
  a start-up code searcher operative to scan the executable image, with reference to a database of start-up code characteristics including patterns characteristic of start-up code generated by known compilers used to create respective file types, for start-up code at a location other than said entry point generated by one of the compilers used to generate the determined file type,the system being operative to flag the executable image as suspicious from the point of view of possibly containing a virus infection in response to the start-up code searcher determining that the executable image contains said start-up code at a location other than said entry point.
- View Dependent Claims (8, 9)
- - 8. A system according to claim 7, whereinthe database of start-up code characteristics includes records of data values associated with routines which form part of the start-up code, andthe start-up code searcher is operative to identify the data in the executable image corresponding to at least one such data value and comparing it with that value.
  - 9. A system according to claim 7, wherein the system is operative to perform remedial action in respect of executable images flagged as suspicious from the point of view of possibly containing a virus infection.

10. A system implemented on a computer apparatus for detecting virus infection of an executable image, the system comprising:
- a file-type analyzer operative to determine a file type and an entry point of the executable image; and
  
  an entry point code analyzer operative to determine, with reference to a database of start-up code characteristics including patterns characteristic of start-up code generated by known compilers used to create respective file types, whether the executable image has at said entry point code similar to start-up code generated by one of the compilers used to generate the determined file type but with the beginning of this code having been changed,the system being operative to flag the executable image as suspicious from the point of view of possibly containing a virus infection in response to determining that the executable image has said code at said entry point.
- View Dependent Claims (11, 12)
- - 11. A system according to claim 10, whereinthe database of start-up code characteristics includes records of data values associated with routines which form part of the start-up code, andthe entry point code analyzer is operative to determine whether the executable image has at said entry point code similar to start-up code generated by one of the compilers used to generate the determined file type but with the beginning of this code having been changed is arranged to identify the data in the executable image corresponding to at least one such data value and comparing it with that value.
  - 12. A system according to claim 10, wherein the system is operative to perform remedial action in respect of executable images flagged as suspicious from the point of view of possibly containing a virus infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Messagelabs Limited (Gen Digital Inc.)
Inventors
Shipp, Alexander
Primary Examiner(s)
Nalven; Andrew L

Application Number

US10/500,955
Publication Number

US 20050039029A1
Time in Patent Office

2,024 Days
Field of Search

726/24, 713/188, 713/187, 706/12
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

Method of, and system for, heuristically detecting viruses in executable code

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method of, and system for, heuristically detecting viruses in executable code

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links