Preventing malicious codes from performing malicious actions in a computer system

US 8,201,246 B1
Filed: 02/25/2008
Issued: 06/12/2012
Est. Priority Date: 02/25/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of preventing malicious codes from performing malicious actions in a computer, the method comprising:

intercepting a computer instruction issued by a computer program running in a computer, wherein the computer is not running a virtual machine;

determining if the computer instruction is a member of a set of computer instructions responded to differently in the computer depending on whether or not the virtual machine is running on the computer; and

responding to the computer instruction in accordance with convention of the virtual machine when the computer instruction is a member of the set of computer instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious codes may be prevented from performing malicious actions in a computer that does not have a virtual machine by simulating presence of the virtual machine. When a computer program performs an action in the computer, the action may be intercepted to determine if the computer program is malicious code probing the computer for presence of the virtual machine. A response to the action may be in accordance with convention of the virtual machine when the action is deemed to be for purposes of detecting the virtual machine. Otherwise, the action may be allowed to proceed.

Citations

14 Claims

1. A computer-implemented method of preventing malicious codes from performing malicious actions in a computer, the method comprising:
- intercepting a computer instruction issued by a computer program running in a computer, wherein the computer is not running a virtual machine;
  
  determining if the computer instruction is a member of a set of computer instructions responded to differently in the computer depending on whether or not the virtual machine is running on the computer; and
  
  responding to the computer instruction in accordance with convention of the virtual machine when the computer instruction is a member of the set of computer instructions.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising:
    - allowing the computer instruction to be executed when the computer instruction is not a member of the set of computer instructions.
  - 3. The method of claim 1 further comprising:
    - maintaining in the computer a listing of computer instructions included in the set of computer instructions.

4. A computer with a memory and a processor, the memory comprising:
- a virtual machine presence simulator comprising computer-readable program code configured to simulate a presence of a virtual machine in the computer when the computer does not have the virtual machine to mislead a malicious code into assuming that it is running in the virtual machine; and
  
  an instruction list comprising a listing of computer instructions handled differently in the computer depending on whether or not the computer is running the virtual machine.
- View Dependent Claims (5, 6, 7)
- - 5. The computer of claim 4 wherein the presence simulator compares a computer instruction intercepted from a computer program to computer instructions in the instruction list.
  - 6. The computer of claim 5 wherein the presence simulator responds to the computer instruction in a way that the virtual machine would when the computer instruction is included in the instruction list.
  - 7. The computer of claim 5 wherein the presence simulator allows the computer instruction to be executed in the computer when the computer instruction is not included in the instruction list.

8. A computer-implemented method of preventing malicious codes from performing malicious actions in a computer, the method comprising:
- intercepting an action performed by a computer program in a computer that does not have a virtual machine;
  
  determining if the action is for purposes of detecting presence of the virtual machine in the computer; and
  
  deeming the computer program to be malicious code and responding to the malicious code in accordance with convention of the virtual machine when the action is deemed for detecting presence of the virtual machine to prevent the malicious code from performing malicious actions in the computer.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8 wherein the action performed by the computer program comprises issuing a computer instruction.
  - 10. The method of claim 9 wherein determining if the action is for purposes of detecting presence of the virtual machine comprises:
    - determining if the computer instruction is handled differently in the computer depending on whether or not the computer is running the virtual machine.
  - 11. The method of claim 9 wherein determining if the action is for purposes of detecting presence of the virtual machine comprises:
    - determining if the computer instruction is included in a listing of computer instructions that are handled differently in the computer depending on whether or not the computer is running the virtual machine.
  - 12. The method of claim 9 further comprising:
    - allowing the action to complete when the action is not deemed for detecting presence of the virtual machine.

13. A computer with a memory and a processor, the memory comprising:
- a virtual machine presence simulator comprising computer-readable program code configured to simulate a presence of a virtual machine in the computer when the computer does not have the virtual machine to mislead a malicious code into assuming that it is running in the virtual machine, wherein the virtual machine presence simulator is configured to intercept a computer instruction from a computer program and to determine if the computer instruction is for purposes of detecting for presence of the virtual machine in the computer.
- View Dependent Claims (14)
- - 14. The computer of claim 13 wherein the virtual machine presence simulator determines if the computer instruction is for purposes of detecting for presence of the virtual machine in the computer by comparing the computer instruction to those in a set of computer instructions handled differently in the computer depending on whether or not the computer is running the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Wu, Handong, Genes, Raimund Alexander
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Fields, Courtney

Application Number

US12/072,292
Time in Patent Office

1,569 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 726/26, 713/200, 703/23
US Class Current

726/22
CPC Class Codes

G06F 2009/45587 Isolation or security of vi...

G06F 21/554 involving event detection a...

Preventing malicious codes from performing malicious actions in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing malicious codes from performing malicious actions in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links