Methods for identifying malicious software

US 7,644,441 B2
Filed: 09/24/2004
Issued: 01/05/2010
Est. Priority Date: 09/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious software in an executable file, comprising:

dividing a portion of the executable file into a plurality of windows, each window of the plurality of windows comprising one or more bytes;

applying to the one or more bytes of the plurality of windows a transformation function that provides a numerically comparable value for the each window;

displaying graphically the numerically comparable value for the each window as a function of the each window;

determining if a given numerical comparable value is a statistical outlier with respect to other numerical comparable values; and

if the given numerical comparable value is a statistical outlier, identifying a window comprising the given numerical comparable value as the malicious software,wherein the statistical outlier has a value two standard deviations greater than the mean of the numerical comparable values.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious software is identified in an executable file by identifying malicious structural features, decryption code, and cryptographic functions. A malicious structural feature is identified by comparing a known malicious structural feature to one or more instructions of the executable file. A malicious structural feature is also identified by graphically and statistically comparing windows of bytes or instructions in a section of the executable file. Cryptography is an indicator of malicious software. Decryption code is identified in an executable file by identifying a tight loop around a reversible instruction that writes to random access memory. Cryptographic functions are identified in an executable file be obtaining a known cryptographic function and performing a string comparison of the numeric constants of the known cryptographic function with the executable file.

Citations

25 Claims

1. A method for identifying malicious software in an executable file, comprising:
- dividing a portion of the executable file into a plurality of windows, each window of the plurality of windows comprising one or more bytes;
  
  applying to the one or more bytes of the plurality of windows a transformation function that provides a numerically comparable value for the each window;
  
  displaying graphically the numerically comparable value for the each window as a function of the each window;
  
  determining if a given numerical comparable value is a statistical outlier with respect to other numerical comparable values; and
  
  if the given numerical comparable value is a statistical outlier, identifying a window comprising the given numerical comparable value as the malicious software,wherein the statistical outlier has a value two standard deviations greater than the mean of the numerical comparable values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein each of the plurality of windows is the same size.
  - 3. The method of claim 1, wherein the transformation function comprises:
    - calculating a number of bytes in the each window that match a target byte-type; and
      
      using the number of bytes as the numerically comparable value.
  - 4. The method of claim 3, wherein the target byte-type comprises one of code, ASCII data, padding for alignment, and random byte values.
  - 5. The method of claim 1, wherein the transformation function comprises:
    - calculating a probability that the bytes in the each window are of a target byte-type; and
      
      using the probability as the numerically comparable value.
  - 6. The method of claim 5, wherein the target byte-type comprises one of code, ASCII data, padding for alignment, and random byte values.
  - 7. The method of claim 1, wherein the transformation function comprises:
    - selecting a register;
      
      disassembling the one or more bytes of the each window;
      
      locating an offset to the register in the each window; and
      
      using the offset as the numerically comparable value.
  - 8. The method of claim 1, wherein the transformation function comprises:
    - disassembling the one or more bytes of the each window;
      
      locating an offset for one of a jump instruction and a call instruction in the each window; and
      
      using the offset as the numerically comparable value.
  - 9. The method of claim 1, wherein the transformation function comprises:
    - selecting an instruction pattern;
      
      disassembling the one or more bytes of the each window;
      
      counting a number of occurrences of the instruction pattern in the each window; and
      
      using the number as the numerically comparable value.
  - 10. The method of claim 1, further comprising displaying an ASCII representation of the one or more bytes of the each window.
  - 11. The method of claim 1, further comprising displaying a disassembled representation of the one or more bytes of the each window.
  - 12. The method of claim 1, further comprising searching a plurality of graphically displayed numerically comparable values for an outlier and identifying the outlier as the malicious software.
  - 13. The method of claim 1, further comprising:
    - applying to the one or more bytes of the plurality of windows a transformation function that provides two or more numerically comparable values for the each window; and
      
      displaying graphically the numerically comparable values for the each window as a function of the each window.

14. A method for identifying malicious software in an executable file, comprising:
- disassembling a portion of the executable file into instructions;
  
  dividing the portion into a plurality of windows, each window of the plurality of windows comprising one or more instructions;
  
  applying to the one or more instructions of the plurality of windows a transformation function that provides a numerically comparable value for the each window and results in a list of numerically comparable values for the plurality of windows;
  
  determining if a value from the list is a statistical outlier with respect to other values from the list; and
  
  if the value is a statistical outlier, identifying a window comprising the value as the malicious software,wherein the statistical outlier has a value two standard deviations greater than the mean of the list.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method of claim 14, wherein each of the plurality of windows is the same size.
  - 16. The method of claim 14, wherein the transformation function comprises:
    - calculating a number of bytes in the each window that match a target byte-type; and
      
      using the number of bytes as the numerically comparable value.
  - 17. The method of claim 16, wherein the target byte-type comprises one of code, ASCII data, padding for alignment, and random byte values.
  - 18. The method of claim 14, wherein the transformation function comprises:
    - calculating a probability that the bytes in the each window are of a target byte-type; and
      
      using the probability as the numerically comparable value.
  - 19. The method of claim 18, wherein the target byte-type comprises one of code, ASCII data, padding for alignment, and random byte values.
  - 20. The method of claim 14, wherein the transformation function comprises:
    - selecting a register;
      
      locating an offset to the register in the each window; and
      
      using the offset as the numerically comparable value.
  - 21. The method of claim 14, wherein the transformation function comprises:
    - locating an offset for one of a jump instruction and a call instruction in the each window; and
      
      using the offset as the numerically comparable value.
  - 22. The method of claim 14, wherein the transformation function comprises:
    - selecting one or more instructions;
      
      counting a number of occurrences of the one or more instructions in the each window; and
      
      using the number as the numerically comparable value.
  - 23. The method of claim 14, wherein the transformation function comprises:
    - selecting an instruction pattern;
      
      counting a number of occurrences of the instruction pattern in the each window; and
      
      using the number as the numerically comparable value.
  - 24. The method of claim 14, further comprisingcreating a second list of difference values by calculating the difference between adjacent values in the list;
    - determining if a difference value from the second list is a statistical outlier with respect to other difference values from the second list; and
      
      issuing a warning if the difference value is a statistical outlier.

25. A method for identifying malicious software in an executable file, comprising:
- dividing a portion of the executable file into a plurality of windows, each window containing one or more bytes;
  
  applying to the one or more bytes in the plurality of windows a transformation function that provides a numerically comparable value for the each window;
  
  using information resulting from the applying a transformation function to compute a probability that a given one of the one or more bytes is malicious softwaredetermining if a given numerical comparable value is a statistical outlier with respect to other numerical comparable values; and
  
  if the given numerical comparable value is a statistical outlier, identifying a window comprising the given numerical comparable value as the malicious software,wherein the statistical outlier has a value two standard deviations greater than the mean of the numerical comparable values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Black Duck Software, Inc. (Synopsys Incorporated)
Original Assignee
Cigital, Incorporated (Synopsys Incorporated)
Inventors
Weber, Michael, Geyer, David, Schmid, Matthew N., Haddox-Schatz, Michael
Primary Examiner(s)
Simitoski; Michael J

Application Number

US10/948,147
Publication Number

US 20050223238A1
Time in Patent Office

1,929 Days
Field of Search

726/24, 713/188, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/563   by source code analysis

H04L 2209/20   Manipulating the length of ...

H04L 9/0625   with splitting of the data ...

Methods for identifying malicious software

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for identifying malicious software

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links