Detecting polymorphic threats

US 7,739,740 B1
Filed: 09/22/2005
Issued: 06/15/2010
Est. Priority Date: 09/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for managing polymorphic malicious code, the method comprising the steps of:

using a computer to perform steps comprising;

monitoring an incoming email stream;

identifying an incoming email message to which an executable file is attached;

characterizing the executable file according to at least one metric to produce a before characterization;

de-obfuscating the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;

characterizing the de-obfuscated executable file according to the at least one metric to produce an after characterization;

comparing the before characterization of the executable file with the after characterization of the de-obfuscated executable file; and

determining whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the executable file is polymorphic responsive to the before characterization being different from the after characterization.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A polymorphic threat manager monitors an incoming email stream, and identifies incoming email messages to which executable files are attached. The polymorphic threat manager characterizes incoming executable files according to at least one metric. For example, the polymorphic threat manager can decompose an executable file into fragments, hash some or all of these, and use the hashes as characterization metrics. The polymorphic threat manager subsequently de-obfuscates executable files, and creates corresponding characterization metrics for the de-obfuscated images. The characterizations of executable files before and after de-obfuscation are compared, and if they differ sufficiently, the polymorphic threat manager determines that the file in question is polymorphic. The characterization metrics of such an executable file after de-obfuscation can be used as a signature for that file.

265 Citations

21 Claims

1. A computer implemented method for managing polymorphic malicious code, the method comprising the steps of:
- using a computer to perform steps comprising;
  
  monitoring an incoming email stream;
  
  identifying an incoming email message to which an executable file is attached;
  
  characterizing the executable file according to at least one metric to produce a before characterization;
  
  de-obfuscating the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
  
  characterizing the de-obfuscated executable file according to the at least one metric to produce an after characterization;
  
  comparing the before characterization of the executable file with the after characterization of the de-obfuscated executable file; and
  
  determining whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the executable file is polymorphic responsive to the before characterization being different from the after characterization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein characterizing the executable file further comprises:
    - hashing at least a portion of the executable file.
  - 3. The method of claim 2 further comprising:
    - decomposing the executable file into fragments; and
      
      hashing at least some of the fragments of the executable file.
  - 4. The method of claim 1 further comprising:
    - comparing the before characterization of the executable file to signatures of known legitimate executable files; and
      
      responsive to the before characterization matching a signature of a known legitimate executable file, not further processing the executable file.
  - 5. The method of claim 1 wherein characterizing the executable file further comprises running the executable file and further performing at least one action from a group of actions consisting of:
    - tracking instruction usage;
      
      recording a control flow graph of at least one section;
      
      noting a size of at least a part of at least one section;
      
      noting a range of at least a part of at least one section;
      
      noting entropy of at least a part of at least one section;
      
      detecting a transformation of code;
      
      detecting a transformation of data; and
      
      detecting the execution of at least one instruction.
  - 6. The method of claim 1 wherein de-obfuscating the executable file further comprises performing at least one action from a group of actions consisting of:
    - unpacking the executable file;
      
      examining the memory image dump; and
      
      canonicalizing instructions in the executable file.
  - 7. The method of claim 1 further comprising:
    - comparing the after characterization of the de-obfuscated executable file to a characterization of a de-obfuscated state of a known malicious polymorphic entity; and
      
      responsive to the after characterization being similar to the characterization of the de-obfuscated state of the known malicious polymorphic entity, determining that the executable file comprises that malicious polymorphic entity.
  - 8. The method of claim 1 further comprising:
    - storing the after characterization of the de-obfuscated executable file if the file is found to be polymorphic.
  - 9. The method of claim 8 further comprising:
    - comparing the after characterization of the de-obfuscated executable file to a stored characterization of a stored de-obfuscated executable file known to be polymorphic; and
      
      responsive to the after characterization being similar to the stored characterization of the de-obfuscated executable file known to be polymorphic, concluding that the two executable files comprise different forms of a single polymorphic executable file.
  - 10. The method of claim 1 further comprising:
    - transmitting to a centralized component a portion of the after characterization of the de-obfuscated executable file if the executable file is found to be polymorphic.
  - 11. The method of claim 1, wherein the at least one technique dumps the image of the memory in response to detecting decryption of the executable file.
  - 12. The method of claim 1, wherein the at least one technique dumps the image of the memory after a fixed amount of time.
  - 13. The method of claim 1, wherein the at least one technique dumps the image of the memory after running the executable file in the emulator removes compression and/or encryption in the executable file.

14. A computer readable storage medium containing an executable computer program product for managing polymorphic malicious code, the computer program product comprising:
- program code for monitoring an incoming email stream;
  
  program code for identifying an incoming email message to which an executable file is attached;
  
  program code for characterizing the executable file according to at least one metric to produce a before characterization;
  
  program code for de-obfuscating the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
  
  program code for characterizing the de-obfuscated executable file according to the at least one metric to produce an after characterization;
  
  program code for comparing the before characterization of the executable file with the after characterization of the de-obfuscated executable; and
  
  program code for determining whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the file is polymorphic responsive to the before characterization being different from the after characterization.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14 wherein the program code for characterizing the executable file further comprises:
    - program code for hashing at least a portion of the executable file.
  - 16. The computer program product of claim 15 further comprising:
    - program code for decomposing the executable file into fragments; and
      
      program code for hashing at least some of the fragments of the executable file.
  - 17. The computer program product of claim 14 wherein the program code for characterizing the executable file further comprises program code for running the executable file and further performing at least one action from a group of actions consisting of:
    - tracking instruction usage;
      
      recording a control flow graph of at least one section;
      
      noting a size of at least a part of at least one section;
      
      noting a range of at least a part of at least one section;
      
      noting entropy of at least a part of at least one section;
      
      detecting a transformation of code;
      
      detecting a transformation of data; and
      
      detecting the execution of at least one instruction.
  - 18. The computer program product of claim 14 wherein the program code for de-obfuscating the executable file further comprises program code for performing at least one action from a group of actions consisting of:
    - unpacking the executable file;
      
      examining the memory image dump; and
      
      canonicalizing instructions in the executable file.
  - 19. The computer program product of claim 14 further comprising:
    - program code for comparing the after characterization of the de-obfuscated executable file to a characterization of a de-obfuscated state of a known malicious polymorphic entity; and
      
      program code for, responsive to the after characterization being similar to the characterization of the de-obfuscated state of the known malicious polymorphic entity, determining that the executable file comprises that malicious polymorphic entity.
  - 20. The computer program product of claim 14 further comprising:
    - program code for storing the after characterization of the de-obfuscated executable file if the file is found to be polymorphic.

21. A computer system for managing polymorphic malicious code, the computer system product comprising:
- a computer readable storage medium storing executable software portions comprising;
  
  a software portion configured to monitor an incoming email stream;
  
  a software portion configured to identify an incoming email message to which an executable file is attached;
  
  a software portion configured to characterize the executable file according to at least one metric to produce a before characteristic;
  
  a software portion configured to de-obfuscate the executable file according to at least one technique, the at least one technique comprising running the executable file in an emulator having a memory and dumping an image of the memory to produce the de-obfuscated executable file;
  
  a software portion configured to characterize the de-obfuscated executable file according to the at least one metric to produce an after characterization;
  
  a software portion configured to compare the before characterization of the executable file with the after characterization of the de-obfuscated executable file; and
  
  a software portion configured to determine whether the executable file is polymorphic based on the results of the comparing step, wherein the determining comprises concluding that the executable file is polymorphic responsive to the before characterization being different from the after characterization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Wilhelm, Jeffrey, Nachenberg, Carey
Primary Examiner(s)
Henning; Matthew T

Application Number

US11/233,195
Time in Patent Office

1,727 Days
Field of Search

713/188
US Class Current

726/25
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Detecting polymorphic threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

265 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting polymorphic threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links