Identifying originators of malware

US 8,321,935 B1
Filed: 02/26/2009
Issued: 11/27/2012
Est. Priority Date: 02/26/2009
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for identifying originators of malware, the method comprising the steps of:

receiving information concerning malware infections proactively submitted from a plurality of sources, by a computer;

analyzing information concerning malware infections received from the plurality of sources, by a computer;

identifying malware infection activity at a developmental stage of its life cycle and that is associated with at least one source from the plurality of sources indicative of malware origination by the at least one source, by a computer; and

responsive to identifying a given threshold of malware infection activity associated with at the least one source indicative of malware origination, determining that the at least one source is an originator of malware, by a computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis component receives information concerning malware infections on a large plurality of client computers, as detected by an anti-malware product or submitted directly by users. The malware analysis component analyzes this wide array of information, and identifies suspicious malware detection and submission activity associated with specific sources. Where identified suspicious patterns of malware detection and submission activity associated with a specific source meet a given threshold over time, the malware analysis component determines that the source is an originator of malware.

32 Citations

View as Search Results

20 Claims

1. A computer implemented method for identifying originators of malware, the method comprising the steps of:
- receiving information concerning malware infections proactively submitted from a plurality of sources, by a computer;
  
  analyzing information concerning malware infections received from the plurality of sources, by a computer;
  
  identifying malware infection activity at a developmental stage of its life cycle and that is associated with at least one source from the plurality of sources indicative of malware origination by the at least one source, by a computer; and
  
  responsive to identifying a given threshold of malware infection activity associated with at the least one source indicative of malware origination, determining that the at least one source is an originator of malware, by a computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein receiving information concerning malware infections from a plurality of sources further comprises performing at least one step from a group of steps consisting of:
    - receiving information concerning at least one detection of malware on at least one source, by a computer;
      
      receiving information concerning at least one detection of malware on at least one source, and determining additional information concerning the at least one detection from the receipt, by a computer;
      
      receiving at least one submission of suspected malware from at least one source, by a computer;
      
      receiving at least one submission of suspected malware from at least one source, and determining additional information concerning the at least one submission from the receipt, by a computer;
      
      receiving detected malware, by a computer; and
      
      receiving suspected malware, and determining the suspected malware comprises actual malware, by a computer.
  - 3. The method of claim 1 wherein analyzing information concerning malware infections further comprises performing at least one step from a group of steps consisting of:
    - analyzing information concerning at least one detection of malware, by a computer; and
      
      analyzing information concerning at least one submission of malware, by a computer.
  - 4. The method of claim 1 wherein identifying malware infection activity indicative of malware origination further comprises performing at least one step from a group of steps consisting of:
    - identifying detection of new malware, by a computer;
      
      identifying submission of new malware, by a computer;
      
      identifying detection of malware early in its life cycle, by a computer;
      
      identifying submission of malware early in its life cycle, by a computer;
      
      identifying detection of suspicious malware, by a computer;
      
      identifying submission of suspicious malware, by a computer;
      
      identifying multiple detections of new malware on a single source, by a computer;
      
      identifying multiple submissions of new malware by a single source, by a computer;
      
      identifying multiple detections, on a single source, of malware early in its life cycle, by a computer;
      
      identifying multiple submissions, by a single source, of malware early in its life cycle, by a computer;
      
      identifying multiple detections of suspicious malware on a single source, by a computer;
      
      identifying multiple submissions of suspicious malware by a single source, by a computer;
      
      identifying detections of multiple instances of malware with different hash values but a single signature on a single source, by a computer; and
      
      identifying submissions of multiple instances of malware with different hash values but a single signature by a single source, by a computer.
  - 5. The method of claim 1 further comprising:
    - determining a suspiciousness level of each receipt of information concerning a malware infection, by a computer.
  - 6. The method of claim 1 further comprising:
    - maintaining an ongoing suspiciousness level for each source of the plurality, by a computer.
  - 7. The method of claim 1 further comprising, responsive to determining that a source is an originator of malware, performing at least one additional step from a group of steps consisting of:
    - monitoring activity performed by the source, by a computer;
      
      performing a detailed analysis of all new binary files detected on the source, by a computer;
      
      performing a detailed analysis of all new binary files submitted by the source, by a computer;
      
      flagging all new binary files detected on the source as being malware, by a computer;
      
      flagging all new binary files submitted by the source as being malware, by a computer; and
      
      reporting information concerning the source to a remote entity, by a computer.

8. At least one non-transitory computer readable storage medium containing a computer program product for identifying originators of malware, the computer program product comprising:
- program code configured to receive information concerning malware infections proactively submitted from a plurality of sources;
  
  program code configured to analyze information concerning malware infections received from the plurality of sources;
  
  program code configured to identify malware infection activity at a developmental stage of its life cycle and that is associated with at least one source from the plurality of sources indicative of malware origination by the at least one source; and
  
  program code configured to determine, responsive to identifying a given threshold of malware infection activity associated with at the least one source indicative of malware origination, that the at least one source is an originator of malware.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8 wherein the program code configured to receive information concerning malware infections from a plurality of sources further comprises program code configured to perform at least one step from a group of steps consisting of:
    - receiving information concerning at least one detection of malware on at least one source;
      
      receiving information concerning at least one detection of malware on at least one source, and determining additional information concerning the at least one detection from the receipt;
      
      receiving at least one submission of suspected malware from at least one source;
      
      receiving at least one submission of suspected malware from at least one source, and determining additional information concerning the at least one submission from the receipt;
      
      receiving detected malware; and
      
      receiving suspected malware, and determining the suspected malware comprises actual malware.
  - 10. The computer program product of claim 8 wherein the program code configured to analyze information concerning malware infections further comprises program code configured to perform at least one step from a group of steps consisting of:
    - analyzing information concerning at least one detection of malware; and
      
      analyzing information concerning at least one submission of malware.
  - 11. The computer program product of claim 8 wherein the program code configured to identify malware infection activity indicative of malware origination further comprises program code configured to perform at least one step from a group of steps consisting of:
    - identifying detection of new malware;
      
      identifying submission of new malware;
      
      identifying detection of malware early in its life cycle;
      
      identifying submission of malware early in its life cycle;
      
      identifying detection of suspicious malware;
      
      identifying submission of suspicious malware;
      
      identifying multiple detections of new malware on a single source;
      
      identifying multiple submissions of new malware by a single source;
      
      identifying multiple detections, on a single source, of malware early in its life cycle;
      
      identifying multiple submissions, by a single source, of malware early in its life cycle;
      
      identifying multiple detections of suspicious malware on a single source;
      
      identifying multiple submissions of suspicious malware by a single source;
      
      identifying detections of multiple instances of malware with different hash values but a single signature on a single source; and
      
      identifying submissions of multiple instances of malware with different hash values but a single signature by a single source.
  - 12. The computer program product of claim 8 further comprising:
    - program code configured to determine a suspiciousness level of each receipt of information concerning a malware infection.
  - 13. The computer program product of claim 8 further comprising:
    - program code configured to maintain an ongoing suspiciousness level for each source of the plurality.
  - 14. The computer program product of claim 8 further comprising program code configured to perform, responsive to determining that a source is an originator of malware, at least one additional step from a group of steps consisting of:
    - monitoring activity performed by the source;
      
      performing a detailed analysis of all new binary files detected on the source;
      
      performing a detailed analysis of all new binary files submitted by the source;
      
      flagging all new binary files detected on the source as being malware;
      
      flagging all new binary files submitted by the source as being malware; and
      
      reporting information concerning the source to a remote entity.

15. A computer system, at least partially implemented in hardware, for identifying originators of malware, the computer system comprising:
- a processor;
  
  computer memory;
  
  an interface configured to receive information concerning malware infections proactively submitted from a plurality of sources; and
  
  a malware analysis component configured to analyze information concerning malware infections received from the plurality of sources, to identify malware infection activity at a developmental stage of its life cycle and that is associated with at least one source from the plurality of sources indicative of malware origination by the at least one source, and to determine, responsive to identifying a given threshold of malware infection activity associated with the at least one source indicative of malware origination, that the at least one source is an originator of malware.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15 wherein the interface configured to receive information concerning malware infections from a plurality of sources is further configured to perform at least one step from a group of steps consisting of:
    - receiving information concerning at least one detection of malware on at least one source;
      
      receiving information concerning at least one detection of malware on at least one source, and determining additional information concerning the at least one detection from the receipt;
      
      receiving at least one submission of suspected malware from at least one source;
      
      receiving at least one submission of suspected malware from at least one source, and determining additional information concerning the at least one submission from the receipt;
      
      receiving detected malware; and
      
      receiving suspected malware, and determining the suspected malware comprises actual malware.
  - 17. The computer system of claim 15 wherein the malware analysis component is further configured to perform at least one step from a group of steps consisting of:
    - analyzing information concerning at least one detection of malware; and
      
      analyzing information concerning at least one submission of malware.
  - 18. The computer system of claim 15 wherein the malware analysis component is further configured to perform at least one step from a group of steps consisting of:
    - identifying detection of new malware;
      
      identifying submission of new malware;
      
      identifying detection of malware early in its life cycle;
      
      identifying submission of malware early in its life cycle;
      
      identifying detection of suspicious malware;
      
      identifying submission of suspicious malware;
      
      identifying multiple detections of new malware on a single source;
      
      identifying multiple submissions of new malware by a single source;
      
      identifying multiple detections, on a single source, of malware early in its life cycle;
      
      identifying multiple submissions, by a single source, of malware early in its life cycle;
      
      identifying multiple detections of suspicious malware on a single source;
      
      identifying multiple submissions of suspicious malware by a single source;
      
      identifying detections of multiple instances of malware with different hash values but a single signature on a single source; and
      
      identifying submissions of multiple instances of malware with different hash values but a single signature by a single source.
  - 19. The computer system of claim 15 wherein the malware analysis component is further configured to determine a suspiciousness level of each receipt of information concerning a malware infection.
  - 20. The computer system of claim 15 wherein the malware analysis component is further configured to maintain an ongoing suspiciousness level for each source of the plurality.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chen, Joseph H., Peterson, Christopher, Conrad, Robert
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US12/393,957
Time in Patent Office

1,370 Days
Field of Search

726/22, 726/23
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

Identifying originators of malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying originators of malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links