System and method for detecting malware in executable scripts according to its functionality

US 7,707,634 B2
Filed: 01/30/2004
Issued: 04/27/2010
Est. Priority Date: 01/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented malware detection system for determining whether an executable script is malware according to functional variables and subroutines of the executable script, the malware detection system comprising:

a malware signature store including at least one known malware script signature, wherein each malware signature in the malware signature store is a normalized signature of a known malware script;

a normalization module that obtains an executable script and generates a normalized signature for the executable script, wherein generating a normalized signature for the executable script comprises normalizing variables and subroutines from the executable script into normalized variables and subroutines conforming to a common format suitable for comparison with that at least one malware signature in the malware signature store, the normalizing comprising renaming variables and subroutines from the executable script according to a common naming convention; and

a comparison module, wherein the comparison module compares the normalized signature of the executable script to the at least one normalized malware signature in the malware signature store;

wherein the malware detection system is configured to;

determine whether the comparison found a complete match between the normalized signature for the executable script and the at least one normalize malware signature, and if so, reporting that the executable script is malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.

37 Citations

View as Search Results

14 Claims

1. A computer-implemented malware detection system for determining whether an executable script is malware according to functional variables and subroutines of the executable script, the malware detection system comprising:
- a malware signature store including at least one known malware script signature, wherein each malware signature in the malware signature store is a normalized signature of a known malware script;
  
  a normalization module that obtains an executable script and generates a normalized signature for the executable script, wherein generating a normalized signature for the executable script comprises normalizing variables and subroutines from the executable script into normalized variables and subroutines conforming to a common format suitable for comparison with that at least one malware signature in the malware signature store, the normalizing comprising renaming variables and subroutines from the executable script according to a common naming convention; and
  
  a comparison module, wherein the comparison module compares the normalized signature of the executable script to the at least one normalized malware signature in the malware signature store;
  
  wherein the malware detection system is configured to;
  
  determine whether the comparison found a complete match between the normalized signature for the executable script and the at least one normalize malware signature, and if so, reporting that the executable script is malware.
- View Dependent Claims (4, 5, 6)
- - 4. The malware detection system of claim 1, wherein comparing the normalized signature of the executable script to the at least one normalized malware signature in the malware signature store further comprises:
    - determining whether the comparison found a partial match between the normalized signature for the executable script and the at least one malware signature, and if so;
      
      generate a second normalized signature for the executable script, wherein generating a second normalized signature comprises normalizing variables and subroutines from the executable script into a second common format suitable for comparison with a second normalized malware signature of known malware in the malware signature store; and
      
      determine whether the executable script is malware according to a comparison between the second normalized signature and at least one second normalized signature in the malware signature store.
  - 5. The malware detection system of claim 4, wherein normalizing variables and subroutines from the executable script into a second common format suitable for comparison with a second normalized malware signature of known malware in the malware signature store comprises normalizing variables and subroutines of the executable script into a common name according to each variable or subroutine'"'"'s type.
  - 6. The malware detection system of claim 1, wherein generating a normalized signature for the executable script further comprises generating a set of normalized subroutines for each subroutine in the executable script.

2. A computer-implemented method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, the method comprising:
- using one or more processors to perform the following computer-executable acts;
  
  obtaining an executable script;
  
  generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding variables and subroutines in the executable script in a common format suitable for comparison to normalized signatures of known malware, and wherein the normalized variables and subroutines comprise variables and subroutines from the executable script that are renamed according to a common naming convention;
  
  comparing the first normalized signature to at least one normalized signature of known malware; and
  
  determining, based on the previous comparison, whether the executable script is malware, comprising determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 2, wherein determining, based on the previous comparison, whether the executable script is malware further comprises:
    - determining if the first normalized signature for the executable script is a partial match with a normalized signature of known malware, and if so;
      
      generating a second normalized malware signature for the executable script, the second normalized signature comprising variables and subroutines from the executable script normalized into a second common format suitable for comparison with second normalized malware signatures of known malware; and
      
      comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a complete match to a second normalized signature of known malware, and if so, reporting that the executable script is malware.
  - 8. The method of claim 7, wherein normalizing variables and subroutines from the executable script into a second common format suitable for comparison with second normalized malware signatures of known malware comprises normalizing variables and subroutines of the executable script into a common name according to each variable or subroutine'"'"'s type.
  - 9. The method of claim 7 further comprising comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a partial match to a second normalized signature of known malware, and if so, reporting that the executable script is potential malware.

3. A tangible computer-readable medium bearing computer executable instructions which, when executed on a computing device, carry out a method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, comprising:
- obtaining an executable script;
  
  generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding functional variables and subroutines in the executable script in a common format suitable for comparison to normalized signatures of known malware, and wherein the normalized variables and subroutines comprise variables and subroutines from the executable script that are renamed according to a common naming convention;
  
  comparing the first normalized signature to at least one normalized signature of known malware scripts; and
  
  determining, based on the previous comparison, whether the executable script is malware, comprising determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-readable medium of claim 3, wherein determining, based on the previous comparison, whether the executable script is malware further comprises:
    - determining if the first normalized signature for the executable script is a partial match with a normalized signature of known malware, and if so;
      
      generating a second normalized malware signature for the executable script, the second normalized signature comprising variables and subroutines from the executable script normalized into a second common format suitable for comparison with second normalized malware signatures of known malware; and
      
      comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a complete match to a second normalized signature of known malware, and if so, reporting that the executable script is malware.
  - 11. The computer-readable medium of claim 10, wherein normalizing variables and subroutines from the executable script into a second common format suitable for comparison with second normalized malware signatures of known malware comprises normalizing variables and subroutines of the executable script into a common name according to each variable or subroutine'"'"'s type.
  - 12. The computer-readable medium of claim 11, wherein the method further comprises comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a partial match to a second normalized signature of known malware, and if so, reporting that the executable script is potential malware.

13. A computer-implemented method for determining whether a computer-executable script is malware according to functional variables and subroutines of the computer-executable script, the method comprising:
- using one or more processors to perform the following computer-executable acts;
  
  obtaining an executable script;
  
  generating a first normalized signature for the executable script, wherein the first normalized signature comprises normalized variables and subroutines normalized from corresponding variables and subroutines in the executable script in a format suitable for comparison to normalized signatures of known malware;
  
  comparing the first normalized signature to at least one normalized signature of known malware; and
  
  determining, based on the previous comparison, whether the executable script is malware, comprising;
  
  determining if the first normalized signature for the executable script is a complete match with a normalized signature of known malware, and if so, reporting that the executable script is malware; and
  
  determining if the first normalized signature for the executable script is a partial match with a normalized signature of known malware, and if so;
  
  generating a second normalized malware signature for the executable script, the second normalized signature comprising variables and subroutines from the executable script normalized into a second common format suitable for comparison with second normalized malware signatures of known malware; and
  
  comparing the second normalized signature for the executable script to second normalized signatures of known malware to determine whether the second normalized signature for the executable script is a complete match to a second normalized signature of known malware, and if so, reporting that the executable script is malware.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein normalizing variables and subroutines from the executable script into a second common format suitable for comparison with second normalized malware signatures of known malware in the malware signature store means comprises normalizing variables and subroutines of the executable script into a common name according to each variable or subroutine'"'"'s type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sandu, Catalin D., Marinescu, Adrian M.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Hailu; Teshome

Application Number

US10/769,104
Publication Number

US 20050172338A1
Time in Patent Office

2,279 Days
Field of Search

726 22- 25
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

System and method for detecting malware in executable scripts according to its functionality

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting malware in executable scripts according to its functionality

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others