Method and apparatus for detecting malicious code in an information handling system

US 7,748,039 B2
Filed: 08/30/2002
Issued: 06/29/2010
Est. Priority Date: 08/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. One or more computer-readable media storing program instructions executable by an information handling system to:

while a first program is running on the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines to gather information relating to the first program, wherein the plurality of detection routines include a first set of malicious code detection routines and a second set of valid code detection routines;

calculate a first composite score and a second composite score based on results of the plurality of detection routines, wherein said first composite score is indicative of the likelihood that the first program is malicious and is calculated using weights associated with those detection routines within the first set of malicious code detection routines whose results are indicative of the first program being malicious code, and wherein said second composite score is indicative of the likelihood that the first program is valid and is calculated using weights associated with those detection routines within the second set of valid code detection routines whose results are indicative of the first program being valid code, and wherein the second composite score is calculated independently from the first composite score; and

use the first and/or second composite scores to categorize the first program with respect to the likelihood of the first program infecting the information handling system, including;

categorizing the first program as malicious code when the first composite score is above a malicious code threshold value and the second composite score is below a valid code threshold value; and

categorizing the first program as valid code when the second composite score is above the valid code threshold value.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.

51 Citations

View as Search Results

54 Claims

1. One or more computer-readable media storing program instructions executable by an information handling system to:
- while a first program is running on the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines to gather information relating to the first program, wherein the plurality of detection routines include a first set of malicious code detection routines and a second set of valid code detection routines;
  
  calculate a first composite score and a second composite score based on results of the plurality of detection routines, wherein said first composite score is indicative of the likelihood that the first program is malicious and is calculated using weights associated with those detection routines within the first set of malicious code detection routines whose results are indicative of the first program being malicious code, and wherein said second composite score is indicative of the likelihood that the first program is valid and is calculated using weights associated with those detection routines within the second set of valid code detection routines whose results are indicative of the first program being valid code, and wherein the second composite score is calculated independently from the first composite score; and
  
  use the first and/or second composite scores to categorize the first program with respect to the likelihood of the first program infecting the information handling system, including;
  
  categorizing the first program as malicious code when the first composite score is above a malicious code threshold value and the second composite score is below a valid code threshold value; and
  
  categorizing the first program as valid code when the second composite score is above the valid code threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 52)
- - 2. The computer-readable media of claim 1 wherein the program instructions are executable by the information handling system to categorize a second program running on the information handling system as a valid program based on its calculated first composite score not exceeding a first threshold and its calculated second composite score exceeding a second threshold, wherein the second program is running on the information handling system in a manner that permits the second program to infect the information handling system.
  - 3. The computer-readable media of claim 1, wherein the program instructions are executable by the information handling system to use the first and second composite scores to categorize the first program as a suspicious program.
  - 4. The computer-readable media of claim 1, wherein the program instructions are executable by the information handling system to categorize the first program as a suspicious program based on the neither the first nor second composite scores exceeding a first threshold and a second threshold, respectively.
  - 5. The computer-readable media of claim 1, wherein the program instructions are executable by the information handling system to categorize the first program as a suspicious program based on the first and second composite scores not being significantly different from one another.
  - 6. The computer-readable media of claim 1, wherein the information handling system is a computer system.
  - 7. The computer-readable media of claim 1, wherein the first and second composite scores are calculated using one or more detection routines that examine a binary image of the first program.
  - 8. The computer-readable media of claim 7, wherein the binary image is in a memory of the information handling system.
  - 9. The computer-readable media of claim 7, wherein the binary image is accessible to the information handling system.
  - 10. The computer-readable media of claim 1, wherein the first and second composite scores are calculated using one or more accesses to an operating system of the information handling system to determine information relating to the first program, wherein the accesses are made via one or more APIs.
  - 11. The computer-readable media of claim 1, wherein the first and second composite scores are calculated using one or more accesses to a memory of the information handling system to determine information relating to the first program.
  - 12. The computer-readable media of claim 1, wherein the first and second composite scores are calculated using one or more accesses to a network connection of the information handling system to determine information relating to the first program.
  - 13. The computer-readable media of claim 1, wherein the first and second composite scores are calculated by interfacing with an operating system kernel of the information handling system to determine information relating to the first program.
  - 14. The computer-readable media of claim 1, wherein the first and second composite scores are calculated by interfacing with a device driver of the information handling system to determine information relating to the first program.
  - 15. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine whether the first program is a Trojan horse.
  - 16. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine whether the first program is a keystroke logger.
  - 17. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine whether the first program is saving a screen view of the information handling system.
  - 18. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine whether the first program is uploading/downloading files from/to the information handling system.
  - 19. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine whether the first program is controlling a display screen of the information handling system.
  - 20. The computer-readable media of claim 1, wherein the plurality of detection routines include one or more detection routines executable to determine libraries used by the first program.
  - 21. The computer-readable media of claim 1, wherein the first program is a thread.
  - 22. The computer-readable media of claim 1, wherein the first program is a plugin.
  - 23. The computer-readable media of claim 1, wherein the first program is a device driver.
  - 24. The computer-readable media of claim 1, wherein the first program is running in a kernel memory of an operating system of the information handling system.
  - 52. The computer-readable media of claim 2, wherein the first and second programs are running on the information handling system concurrently.

25. One or more computer-readable media storing program instructions executable by an information handling system to:
- while a first program is running on an operating system of the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines including;
  
  a first set of two or more detection routines that examine one or more files corresponding to the first program; and
  
  a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system via one or more application programming interfaces (APIs) to determine information relating to the first program; and
  
  use results of the plurality of detection routines, including results of the first set of detection routines and results of the second set of detection routines, to compute a first score and a second score, and to categorize the first program as to the likelihood of the first program infecting the information handling system based on either or both of the first and second scores, wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid;
  
  wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 26. The computer-readable media of claim 25, wherein the first set of detection routines include two or more routines that examine a binary image of the first program for one or more signatures.
  - 27. The computer-readable media of claim 26, wherein the binary image is in a memory of the information handling system or is accessible to the information handling system.
  - 28. The computer-readable media of claim 25, wherein the first set of detection routines include one or more routines that determine a signature associated with at least one of the one or more files and compare the determined signature to a plurality of known signatures.
  - 29. The computer-readable media of claim 25, wherein the second set of detection routines includes routines that determine whether the first program has characteristics and/or behaviors typically associated with a malicious program, and includes routines that determine whether the first program has characteristics and/or behaviors typically associated with a valid program.
  - 30. The computer-readable media of claim 25, wherein the program instructions are executable to categorize the first program as a malicious program or a valid program.
  - 31. The computer-readable media of claim 30, wherein the program instructions are executable to compute the first and second scores based on weighted results of various ones of the plurality of detection routines.
  - 32. The computer-readable media of claim 25, wherein the program instructions are executable to categorize the first program as a malicious program, a valid program, or a suspicious program.
  - 33. The computer-readable media of claim 25, wherein the second set of detection routines includes one or more detection routines that access a memory of the information handling system to determine information relating to the first program.
  - 34. The computer-readable media of claim 25, wherein the second set of detection routines includes one or more detection routines that access a network connection of the information handling system to determine information relating to the first program.
  - 35. The computer-readable media of claim 25, wherein the second set of detection routines includes one or more detection routines that interface with an operating system kernel of the information handling system to determine information relating to the first program.
  - 36. The computer-readable media of claim 25, wherein the second set of detection routines includes one or more detection routines that interface with a device driver of the information handling system to determine information relating to the first program.
  - 37. The computer-readable media of claim 25, wherein the plurality of detection routines include one or more detection routines to determine whether the first program is a Trojan horse.
  - 38. The computer-readable media of claim 25, wherein the plurality of detection routines include one or more detection routines to determine whether the first program is a keystroke logger.
  - 39. The computer-readable media of claim 25, wherein the plurality of detection routines include one or more detection routines to determine whether the first program is saving a screen view of the information handling system.
  - 40. The computer-readable media of claim 25, wherein the plurality of detection routines include one or more detection routines to determine whether the first program is uploading/downloading files from/to the information handling system.
  - 41. The computer-readable media of claim 25, wherein the plurality of detection routines include one or more detection routines to determine whether the first program is controlling a display of the information handling system.

42. A method, comprising:
- while a first program is running on an information handling system in a manner that permits the first program to infect the information handling system, independently calculating a first composite score and a second composite score, wherein said first composite score is indicative of the likelihood that the first program is malicious, and wherein said second composite score is indicative of the likelihood that the first program is valid; and
  
  categorizing the first program with respect to the likelihood of the first program infecting the information handling system, wherein said categorizing includes;
  
  categorizing the first program as malicious code when the first composite score is above a malicious code threshold value and the second composite score is below a valid code threshold value; and
  
  categorizing the first program as valid code when the second composite score is above the valid code threshold value;
  
  wherein the first composite score is calculated by using weighted results from a first set of detection routines for detecting characteristics and/or behaviors typically associated with malicious code, and wherein the second composite score is calculated using weighted results from a second set of detection routines for detecting characteristics and/or behaviors typically associated with valid code.
- View Dependent Claims (43, 53, 54)
- - 43. The method of claim 42, wherein said categorizing includes:
    - categorizing the first program as a suspicious program based on
      
      1) the first nor second composite scores not exceeding the malicious code threshold value and the valid code threshold value, respectively, and/or
      
      2) the first and second composite scores not being significantly different from one another.
  - 53. The method of claim 42, wherein, for a second program running on the information handling system in a manner that permits the second program to infect the information handling system, the method further comprising:
    - independently calculating a first composite score and a second composite score for the second program, wherein said first composite score for the second program is indicative of the likelihood that the second program is malicious, and wherein said second composite score is indicative of the likelihood that the second program is valid;
      
      categorizing the second program with respect to the likelihood of the second program infecting the information handling system, wherein said categorizing the second program includes categorizing the second program as valid code when the first composite score for the second program is below the malicious code threshold value and the second composite score for the second program is above the valid code threshold value.
  - 54. The method of claim 53, wherein the first and second programs are running concurrently on the information handling system.

44. A method, comprising:
- while a first program is running on an operating system of an information handling system in a manner that permits the first program to infect the information handling system, performing a plurality of detection routines including;
  
  a first set of two or more detection routines that examine an image of one or more files corresponding to the first program;
  
  a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system to determine information relating to the first program; and
  
  categorizing, using either or both of first and second scores computed from results of the first and second sets of detection routines, the first program as to the likelihood of the first program infecting the information handling system;
  
  wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid, and wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
- View Dependent Claims (45, 46, 47)
- - 45. The method of claim 44, wherein said resources include a network connection of the information handling system.
  - 46. The method of claim 44, wherein said resources include a device driver of said information handling system.
  - 47. The method of claim 44, wherein the accesses to the operating system are via documented application programming interfaces (APIs) of the operating system.

48. An information handling system, comprising:
- a central processing unit (CPU);
  
  a memory storing program instructions executable by the CPU to;
  
  while a first program is running on the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines and use the results to independently calculate a first composite score and a second composite score, wherein the first composite score is indicative of the likelihood that the first program is malicious, and wherein the second composite score is indicative of the likelihood that the first program is valid; and
  
  use the first and/or second composite scores to categorize the first program with respect to the likelihood of the first program compromising the security of the information handling system, including;
  
  categorizing the first program as malicious when the first composite score is above a first threshold value and the second composite score is below a second threshold value; and
  
  categorizing the first program as valid when the second composite score is above the second threshold value;
  
  wherein the first composite score is calculated using weighted results of a first set of detection routines for detecting characteristics and/or behaviors typically associated with malicious code, and wherein the second composite score is calculated using weighted results of a second set of detection routines for detecting characteristics and/or behaviors typically associated with valid code.

49. An information handling system, comprising:
- a central processing unit (CPU);
  
  a memory storing program instructions executable by the CPU to;
  
  while a first program is running on an operating system of the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines including;
  
  a first set of two or more detection routines that examine an image of one or more files corresponding to the first program for one or more signatures;
  
  a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system running on the information handling system in order to determine information relating to the first program; and
  
  use results of the plurality of detection routines, including results of the first set of detection routines and results of the second set of detection routines, to compute a first score and a second score, and to categorize, based on either or both of the first and second scores, the first program as to the likelihood of the first program compromising the security of the information handling system, wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid;
  
  wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
- View Dependent Claims (50, 51)
- - 50. The information handling system of claim 49, wherein the one or more files corresponding to the first program are in the memory of the information handling system.
  - 51. The information handling system of claim 50, wherein the one or more routines in the second set of detection routines that access the operating system running on the information handling system do so via one or more APIs, and wherein the second set of detection routines includes routines that determine whether the first program has characteristics and/or behaviors typically associated with a malicious program, and includes routines that determine whether the first program has characteristics and/or behaviors typically associated with a valid program;
    - wherein the program instructions are executable by the CPU to categorize the first program as a malicious program or a valid program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Alagna, Michael Tony, Obrecht, Mark, Payne, Andy
Primary Examiner(s)
Lanier; Benjamin E

Application Number

US10/231,557
Publication Number

US 20040054917A1
Time in Patent Office

2,860 Days
Field of Search

726/22, 726/24, 726/25, 713/188, 713/187, 713/164, 705/51, 705/52
US Class Current

726/25
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for detecting malicious code in an information handling system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting malicious code in an information handling system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links