Non-signature malware detection system and method for mobile platforms

US 8,312,545 B2
Filed: 04/06/2007
Issued: 11/13/2012
Est. Priority Date: 04/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware on a mobile platform, the method comprising:

selecting an executable on the mobile platform as a selected executable;

obtaining a malware-free checksum for the selected executable;

computing a recomputed checksum for the selected executable in response to the selection, wherein computing the recomputed checksum comprises deriving the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section;

comparing the recomputed checksum with the malware-free checksum for the selected executable; and

preventing execution of the executable following the selection when the recomputed checksum does not match the malware-free checksum, based on the comparison.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malware on a mobile platform in a mobile network. The system and method verifies that an executable is malware-free by computing the checksum of the executable and comparing that checksum with a checksum obtained from a malware-free copy of the executable. The checksum is a sum of all 32-bit values in a code section and an import section of said executable, a byte sequence at an entry point in said executable, a size descriptor of an import table, a size descriptor of said import section, a cyclic redundancy check of said executable, or a combination thereof.

Citations

19 Claims

1. A method of detecting malware on a mobile platform, the method comprising:
- selecting an executable on the mobile platform as a selected executable;
  
  obtaining a malware-free checksum for the selected executable;
  
  computing a recomputed checksum for the selected executable in response to the selection, wherein computing the recomputed checksum comprises deriving the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section;
  
  comparing the recomputed checksum with the malware-free checksum for the selected executable; and
  
  preventing execution of the executable following the selection when the recomputed checksum does not match the malware-free checksum, based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising pre-loading a set of pre-defined malware-free checksums for a known configuration of executables onto the mobile platform, and wherein obtaining the malware-free checksum comprises obtaining the malware-free checksum from the set of pre-defined malware-free checksums.
  - 3. The method of claim 1, further comprising:
    - before receiving the selection of the executable, loading the executable on the mobile platform; and
      
      when the executable is loaded on the mobile platform, computing the malware-free checksum for the executable.
  - 4. The method of claim 1, wherein selecting of an executable occurs when the mobile platform executes the executable.
  - 5. The method of claim 1, wherein the selecting of an executable occurs when an operating system of the mobile platform detects a change to the executable.
  - 6. The method of claim 5, wherein detecting the change to the executable comprises:
    - constructing a tree structure of information detailing a directory structure for a file system of the operating system, the file system comprising one or more directory folders, each of the directory folders containing a respective set of one or more files;
      
      creating, for each directory folder, a monitor that actively monitors the operating system for a change in the file system; and
      
      ,for each of the monitors;
      
      scanning the directory folder for one or more changes to the set of files when the operating system indicates the change in the file system;
      
      updating the tree structure of information if one or more changes to the set of files is detected; and
      
      ,selecting a changed file when the changed file is an executable as the selected executable.
  - 7. The method of claim 1, further comprising:
    - reporting the selected executable to an operational support system if the recomputed checksum does not match the malware-free checksum.
  - 8. The method of claim 1, wherein the malware-free checksum is derived from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of a malware-free version of the executable, a byte sequence at an entry point in the malware-free version of the executable, a size descriptor of an import table of the malware-free version of the executable, and a size descriptor of the import section of the malware-free version of the executable.
  - 9. The method of claim 1, wherein the mobile platform is selected from a group consisting of:
    - a mobile telephone, a smart phone, a mobile computing device, a smart handheld device, and a network element.

10. A system for detecting malware on a mobile platform, comprising one or more hardware-based processors configured to receive a selection of an executable on the mobile platform as a selected executable, obtain a malware-free checksum for the selected executable, compute a recomputed checksum for the selected executable in response to the selection, wherein to compute the checksum, the one or more hardware-based processors are configured to derive the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section, compare the recomputed checksum with the malware-free checksum, and prevent the selected executable from executing following the selection when the recomputed checksum does not match the malware-free checksum of the selected executable.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, further comprising a memory storing a preloaded set of malware-free checksums for a known configuration of executables.
  - 12. The system of claim 10, wherein the one or more processors are configured to compute the malware-free checksum when the selected executable is initially loaded onto the mobile platform.
  - 13. The system of claim 10, wherein the selected executable is an executable for which an operating system on the mobile platform has initiated execution.
  - 14. The system of claim 10, wherein the selected executable is an executable for which an operating system on the mobile platform has detected a file system change.
  - 15. The system of claim 14, wherein the one or more processors are configured to construct a tree structure of information detailing a directory structure for a file system of the operating system, the file system comprising one or more directory folders, the directory folder containing a subtended set of files, create, for each directory folder, a monitor that actively monitors the operating system for a change in the file system, and, for each of the monitors, scan the directory folder for one or more changes to the set of subtended set of files when the operating system indicates the change in the file system, update the tree structure of information if one or more changes to the set of subtended set of files is detected, and select a changed file when the changed file is an executable.
  - 16. The system of claim 10, wherein the one or more processors are configured to report the selected executable to an operational support system if the recomputed checksum does not match the malware-free checksum of the selected executable.
  - 17. The system of claim 10, wherein the malware-free checksum is derived from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of a malware-free version of the executable, a byte sequence at an entry point in the malware-free version of the executable, a size descriptor of an import table of the malware-free version of the executable, and a size descriptor of the import section of the malware-free version of the executable.
  - 18. The system of claim 10, wherein the mobile platform is selected from a group consisting of a mobile telephone, a smart phone, a mobile computing device, a smart handheld device, and a network element.

19. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of a mobile platform to:
- select an executable on the mobile platform as a selected executable;
  
  obtain a malware-free checksum for the selected executable;
  
  compute a recomputed checksum for the selected executable in response to the selection, wherein the instructions that cause the processor to compute the recomputed checksum comprise instructions that cause the processor to derive the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section;
  
  compare the recomputed checksum with the malware-free checksum for the selected executable; and
  
  prevent execution of the executable following the selection when the recomputed checksum does not match the malware-free checksum, based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Tuvell, George, Venugopal, Deepak, Pfefferle, Matthew
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US11/697,668
Publication Number

US 20070240221A1
Time in Patent Office

2,048 Days
Field of Search

726/22, 726/23, 726/24, 713/188, 714/E11.207
US Class Current

726/24
CPC Class Codes

G06F 16/245   Query processing

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Non-signature malware detection system and method for mobile platforms

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Non-signature malware detection system and method for mobile platforms

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links