Non-signature malware detection system and method for mobile platforms
Abstract
A system and method for detecting malware on a mobile platform in a mobile network. The system and method verify that an executable is malware-free by computing the checksum of the executable and comparing that checksum with a checksum obtained from a malware-free copy of the executable. The checksum is a sum of all 32-bit values in a code section and an import section of said executable, a byte sequence at an entry point in said executable, a size descriptor of an import table, a size descriptor of said import section, a cyclic redundancy check of said executable, or a combination thereof.
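The comparison described in the abstract, as an added example that is not code from the patent: a constructed, simplified image stands in for a parsed executable, and each parameter is kept as a separate field so the check can report which one changed. The 16-byte entry-point window, the little-endian word order, and taking the CRC over the two sections rather than the whole file are assumptions.

```python
import struct
import zlib
from dataclasses import dataclass

ENTRY_BYTES = 16  # assumption: the page does not give the entry-point sequence length

@dataclass(frozen=True)
class Image:
    """Constructed stand-in for a parsed executable (not a real file format)."""
    code: bytes             # code section
    imports: bytes          # import section
    entry_offset: int       # entry point as an offset into the code section
    import_table_size: int  # size descriptor of the import table

def sum32(data: bytes) -> int:
    """Sum of all 32-bit little-endian values modulo 2**32 (tail zero-padded)."""
    data += b"\x00" * (-len(data) % 4)
    return sum(struct.unpack(f"<{len(data) // 4}I", data)) & 0xFFFFFFFF

def fingerprint(img: Image) -> dict:
    """The checksum parameters from the abstract, kept as separate fields."""
    return {
        "sum32": (sum32(img.code) + sum32(img.imports)) & 0xFFFFFFFF,
        "entry_bytes": img.code[img.entry_offset:img.entry_offset + ENTRY_BYTES],
        "import_table_size": img.import_table_size,
        "import_section_size": len(img.imports),
        "crc32": zlib.crc32(img.code + img.imports),  # assumption: CRC over both sections
    }

def mismatches(img: Image, known_good: dict) -> list:
    """Names of the parameters that differ from the malware-free record."""
    current = fingerprint(img)
    return [name for name in known_good if current[name] != known_good[name]]

def may_execute(img: Image, known_good: dict) -> bool:
    """Execution is allowed only when every parameter matches."""
    return not mismatches(img, known_good)

# Constructed sample data: a clean image and two modified copies.
CLEAN = Image(bytes(range(64)), b"libA\x00\x00\x00\x00libB\x00\x00\x00\x00", 8, 2)
KNOWN_GOOD = fingerprint(CLEAN)
EXTRA_IMPORT = Image(CLEAN.code, CLEAN.imports + b"libC\x00\x00\x00\x00", 8, 3)
# Two aligned 32-bit code words exchanged, outside the entry-point window.
SWAPPED = Image(CLEAN.code[:32] + CLEAN.code[36:40] + CLEAN.code[32:36]
                + CLEAN.code[40:], CLEAN.imports, 8, 2)

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("extra import", EXTRA_IMPORT), ("swapped", SWAPPED)]:
        print(name, "allow" if may_execute(img, KNOWN_GOOD) else "block", mismatches(img, KNOWN_GOOD))
```

The copy with two code words exchanged leaves the additive 32-bit sum unchanged and differs only in the CRC field, so the parameters are worth comparing together rather than relying on the sum alone.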
19 Claims
1. A method of detecting malware on a mobile platform, the method comprising:
- selecting an executable on the mobile platform as a selected executable;
- obtaining a malware-free checksum for the selected executable;
- computing a recomputed checksum for the selected executable in response to the selection, wherein computing the recomputed checksum comprises deriving the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section;
- comparing the recomputed checksum with the malware-free checksum for the selected executable; and
- preventing execution of the executable following the selection when the recomputed checksum does not match the malware-free checksum, based on the comparison.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for detecting malware on a mobile platform, comprising one or more hardware-based processors configured to receive a selection of an executable on the mobile platform as a selected executable, obtain a malware-free checksum for the selected executable, compute a recomputed checksum for the selected executable in response to the selection, wherein to compute the checksum, the one or more hardware-based processors are configured to derive the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section, compare the recomputed checksum with the malware-free checksum, and prevent the selected executable from executing following the selection when the recomputed checksum does not match the malware-free checksum of the selected executable.
19. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of a mobile platform to:
- select an executable on the mobile platform as a selected executable;
- obtain a malware-free checksum for the selected executable;
- compute a recomputed checksum for the selected executable in response to the selection, wherein the instructions that cause the processor to compute the recomputed checksum comprise instructions that cause the processor to derive the recomputed checksum from a plurality of checksum parameters including a sum of all 32-bit values in a code section and an import section of the executable, a byte sequence at an entry point in the executable, a size descriptor of an import table, and a size descriptor of the import section;
- compare the recomputed checksum with the malware-free checksum for the selected executable; and
- prevent execution of the executable following the selection when the recomputed checksum does not match the malware-free checksum, based on the comparison.
Specification