Detecting polymorphic threats
First Claim
1. A computer implemented method for managing polymorphic malicious code, the method comprising the steps of:
- using a computer to perform steps comprising:
  - monitoring an incoming email stream;
  - identifying an incoming email message to which an executable file is attached;
  - characterizing the executable file according to at least one metric to produce a before characterization;
  - de-obfuscating the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
  - characterizing the de-obfuscated executable file according to the at least one metric to produce an after characterization;
  - comparing the before characterization of the executable file with the after characterization of the de-obfuscated executable file; and
  - determining whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the executable file is polymorphic responsive to the before characterization being different from the after characterization.
2 Assignments
0 Petitions
Abstract
A polymorphic threat manager monitors an incoming email stream, and identifies incoming email messages to which executable files are attached. The polymorphic threat manager characterizes incoming executable files according to at least one metric. For example, the polymorphic threat manager can decompose an executable file into fragments, hash some or all of these, and use the hashes as characterization metrics. The polymorphic threat manager subsequently de-obfuscates executable files, and creates corresponding characterization metrics for the de-obfuscated images. The characterizations of executable files before and after de-obfuscation are compared, and if they differ sufficiently, the polymorphic threat manager determines that the file in question is polymorphic. The characterization metrics of such an executable file after de-obfuscation can be used as a signature for that file.
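The abstract's characterization step (fragment the file, hash the fragments, compare the hash sets before and after de-obfuscation, and reuse the after-characterization as a signature) can be shown end to end in a few dozen lines. The Python below is an added illustration written for this page, not code from the patent or its assignee. Because no emulator is available offline, the "run in an emulator and dump memory" step is replaced by a stand-in unpacker for a constructed packer format (the `XPK1` stub and XOR key are hypothetical); the fragment size, the Jaccard measure and the 0.5 "differ sufficiently" threshold are likewise assumptions chosen for the example, not values the patent specifies.

```python
"""Before/after fragment-hash comparison for packed executables.

Added example for this page, not the patent's own code. The emulator memory
dump is stood in for by a tiny unpacker for a constructed packer format so the
script runs offline; every byte string here is constructed for the example.
"""
import hashlib
from typing import List, Set, Tuple

FRAGMENT_SIZE = 16          # assumed fragment size; real systems would use larger or structure-aware fragments
STUB_MAGIC = b"XPK1"        # hypothetical packer stub marker, constructed for this example


def fragment_hashes(image: bytes, size: int = FRAGMENT_SIZE) -> Set[str]:
    """Characterize an image as the set of SHA-256 digests of its fixed-size fragments."""
    return {hashlib.sha256(image[i:i + size]).hexdigest()
            for i in range(0, len(image), size)}


def pack(payload: bytes, key: int) -> bytes:
    """Constructed packer: stub marker, one key byte, then the XOR-encoded payload.
    Different keys give byte-for-byte different files with the same unpacked form."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def memory_dump(image: bytes) -> bytes:
    """Stand-in for 'run in an emulator and dump its memory'.

    If the image carries the constructed stub, return the payload as it would
    sit in memory once the stub has decoded it; any other image is taken to be
    already in its in-memory form (a plain, unpacked file)."""
    if image.startswith(STUB_MAGIC) and len(image) > len(STUB_MAGIC):
        key = image[len(STUB_MAGIC)]
        return bytes(b ^ key for b in image[len(STUB_MAGIC) + 1:])
    return image


def similarity(before: Set[str], after: Set[str]) -> float:
    """Jaccard similarity of two fragment-hash sets: 1.0 means identical characterizations."""
    if not before and not after:
        return 1.0
    return len(before & after) / len(before | after)


def classify(image: bytes, threshold: float = 0.5) -> Tuple[bool, float, List[str]]:
    """Return (is_polymorphic, similarity, signature).

    The file is judged polymorphic when its before and after characterizations
    differ sufficiently (similarity below the assumed threshold). The after
    characterization is returned as the signature for the de-obfuscated form,
    which is what lets two differently packed variants match one signature."""
    before = fragment_hashes(image)
    after = fragment_hashes(memory_dump(image))
    sim = similarity(before, after)
    return sim < threshold, sim, sorted(after)


if __name__ == "__main__":
    # Constructed payload standing in for an unpacked executable image.
    payload = b"MZ\x90\x00" + b"hello-world-payload" * 4
    variant_a = pack(payload, 0x5A)
    variant_b = pack(payload, 0xA7)
    for name, image in (("variant_a", variant_a), ("variant_b", variant_b), ("plain", payload)):
        poly, sim, sig = classify(image)
        print(f"{name}: polymorphic={poly} similarity={sim:.2f} signature_fragments={len(sig)}")
    print("variants share a signature:", classify(variant_a)[2] == classify(variant_b)[2])
```

Run as a script, the two packed variants are flagged as polymorphic with different before-characterizations but an identical after-signature, while the plain payload compares equal to its own dump and is not flagged. In a deployment the stand-in `memory_dump` would be the emulator run the claims describe, and the threshold would be tuned against benign packers, which also change their on-disk image at unpack time.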
265 Citations
21 Claims
1. Independent claim; its full text is given above under First Claim. Dependent claims: 2 to 13.
14. A computer readable storage medium containing an executable computer program product for managing polymorphic malicious code, the computer program product comprising:
- program code for monitoring an incoming email stream;
- program code for identifying an incoming email message to which an executable file is attached;
- program code for characterizing the executable file according to at least one metric to produce a before characterization;
- program code for de-obfuscating the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
- program code for characterizing the de-obfuscated executable file according to the at least one metric to produce an after characterization;
- program code for comparing the before characterization of the executable file with the after characterization of the de-obfuscated executable; and
- program code for determining whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the file is polymorphic responsive to the before characterization being different from the after characterization.

Dependent claims: 15 to 20.
21. A computer system for managing polymorphic malicious code, the computer system product comprising:
- a computer readable storage medium storing executable software portions comprising:
  - a software portion configured to monitor an incoming email stream;
  - a software portion configured to identify an incoming email message to which an executable file is attached;
  - a software portion configured to characterize the executable file according to at least one metric to produce a before characterization;
  - a software portion configured to de-obfuscate the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
  - a software portion configured to characterize the de-obfuscated executable file according to the at least one metric to produce an after characterization;
  - a software portion configured to compare the before characterization of the executable file with the after characterization of the de-obfuscated executable file; and
  - a software portion configured to determine whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the executable file is polymorphic responsive to the before characterization being different from the after characterization.
Specification