System and method for detection of complex malware

US 8,042,186 B1
Filed: 04/28/2011
Issued: 10/18/2011
Est. Priority Date: 04/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detection of computer malware, the method comprising:

monitoring execution of processes or threads of one or more software objects;

determining if the one or more objects are trusted objects or non-trusted objects;

storing, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;

determining if the monitored processes or threads stored in separate object contexts are related to each other;

merging events stored in the object contexts of related processes or threads into a common context; and

analyzing the events of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.

92 Citations

View as Search Results

20 Claims

1. A method for detection of computer malware, the method comprising:
- monitoring execution of processes or threads of one or more software objects;
  
  determining if the one or more objects are trusted objects or non-trusted objects;
  
  storing, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;
  
  determining if the monitored processes or threads stored in separate object contexts are related to each other;
  
  merging events stored in the object contexts of related processes or threads into a common context; and
  
  analyzing the events of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - terminating execution of all processes and threads associated with a malicious object; and
      
      deleting, quarantining or repairing the malicious object.
  - 3. The method of claim 1 further comprising:
    - determining if the one or more objects are trusted objects by computing digital signatures of the objects and checking if the digital signatures are associated with a trusted object; and
      
      discontinuing monitoring of one or more processes or threads of a trusted object.
  - 4. The method of claim 3, wherein determining if an object is trusted comprises:
    - comparing the digital signature of the object with a local trusted object storage; and
      
      if the digital signature of the object is not found in the local trusted object storage, sending a query to a remote antivirus server containing a comprehensive database of signatures of known malicious and trusted objects.
  - 5. The method of claim 1, wherein determining if the object is trusted comprises:
    - computing a checksum of the object; and
      
      querying a remote antivirus server to determine if the checksum associated with a malicious or trusted object.
  - 6. The method of claim 1 further comprising:
    - transmitting a context of an object to a remote antivirus server; and
      
      receiving from the server new malware behavior rules based on the transmitted context.
  - 7. The method of claim 1 further comprising:
    - continuing monitoring a trusted object if a process of said trusted objected embedded a thread in a system process; and
      
      storing in a separate object context events of execution of said system process.

8. A system for detection of computer malware, comprising:
- a memory being configured to store a list of trusted software objects and malware behavior rules; and
  
  a processor coupled to the memory, the processor being configured to;
  
  monitor execution of processes or threads of one or more software objects;
  
  determine if the one or more objects are trusted objects or non-trusted objects;
  
  store, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;
  
  determine if the monitored processes or threads stored in separate object contexts are related to each other;
  
  merge events stored in the object contexts of related processes and threads into a common context;
  
  analyze the events of execution of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the processor being further configured to:
    - terminating execution of all processes and threads associated with a malicious object; and
      
      deleting, quarantining or repairing the malicious object.
  - 10. The system of claim 8, wherein the processor being further configured to:
    - determine if the one or more objects are trusted objects by computing digital signatures of the objects and comparing the digital signatures with the list of trusted software objects stored in the memory; and
      
      discontinue monitoring of one or more processes or threads of a trusted object.
  - 11. The system of claim 10, wherein if the digital signature of the object is not found in the list of trusted software objects, the processor being further configured to:
    - send a query to a remote antivirus server containing a comprehensive database of signatures of known malicious and trusted objects.
  - 12. The system of claim 8, wherein to determine if the object is trusted, the computer being further configured to:
    - compute a checksum of the object; and
      
      query a remote antivirus server to determine if the checksum associated with a malicious or trusted object.
  - 13. The system of claim 8, wherein the processor being further configured to:
    - transmit a context of an object to a remote antivirus server; and
      
      receive from the server new malware behavior rules based on the transmitted context.
  - 14. The system of claim 8, wherein the processor being further configured to:
    - continue monitoring a trusted object if a process of said trusted objected embedded a thread in a system process; and
      
      store in a separate object context events of execution of said system process.

15. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for detection of computer malware, the instructions for:
- monitoring execution of processes or threads of one or more software objects;
  
  determining if the one or more objects are trusted objects or non-trusted objects;
  
  storing in a plurality of separate object contexts events of execution of the monitored processes or threads of each non-trusted object;
  
  determining if the monitored processes or threads stored in separate object contexts are related to each other;
  
  merging events stored in the object contexts of related processes or threads into a common context; and
  
  analyzing the events of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15 further comprising instructions for:
    - determining if the one or more objects are trusted objects by computing digital signatures of the objects and checking if the digital signatures are associated with a trusted object; and
      
      discontinuing monitoring of one or more processes or threads of a trusted object.
  - 17. The medium of claim 16, wherein instructions for determining if an object is trusted further comprise instructions for:
    - comparing the digital signature of the object with a local trusted object storage; and
      
      if the digital signature of the object is not found in the local trusted object storage, sending a query to a remote antivirus server containing a comprehensive database of signatures of known malicious and trusted objects.
  - 18. The medium of claim 15, wherein instructions for determining if the object is trusted further comprise instructions for:
    - computing a checksum of the object; and
      
      querying a remote antivirus server to determine if the checksum associated with a malicious or trusted object.
  - 19. The medium of claim 15 further comprising instructions for:
    - transmitting a context of an object to a remote antivirus server; and
      
      receiving from the server new malware behavior rules based on the transmitted context.
  - 20. The medium of claim 15 further comprising instructions for:
    - continuing monitoring a trusted object if a process of said trusted objected embedded a thread in a system process; and
      
      storing in a separate object context events of execution of said system process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Polyakov, Alexey A., MARTYNENKO, VLADISLAV V., Slobodyanuk, Yuri G., NAZAROV, DENIS A., Pavlyushchik, Mikhail A.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/096,227
Time in Patent Office

173 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/24
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/564 by virus signature recognition

System and method for detection of complex malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

92 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of complex malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links