System and method for malicious software detection in multiple protocols

US 8,321,936 B1
Filed: 05/30/2008
Issued: 11/27/2012
Est. Priority Date: 05/30/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus for identifying malicious content associated with an electronic message specifying a destination computing device, the apparatus comprising:

a processor;

a filtering module stored on a memory and executable by the processor, the filtering module for receiving the electronic message and content associated with the electronic message, determining whether the electronic message and the content associated with the electronic message include content known to be malicious by comparing the electronic message and the content associated with the electronic message with a database of content determined to be malicious and parsing the electronic message and the content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text;

a network access module stored on the memory and executable by the processor, the network access module adapted to communicate with the filtering module, the network access module identifying a destination associated with the electronic message and the plurality of components;

a virtual machine stored on the memory and executable by the processor, the virtual machine adapted to communicate with the network access module, the virtual machine executing the plurality of components in an environment simulating a destination computing device environment, monitoring execution of the plurality of components for one or more malicious actions, generating a classification result associated with the electronic message and content associated with the electronic message responsive to monitoring execution of the plurality of components, storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious and modifying filtering rules for identifying the content known to be malicious based at least in part on the classification result;

an administration module stored on the memory and executable by the processor, the administration module adapted to communicate with the network access module for performing an action on the electronic message and content associated with the electronic message responsive to the classification result; and

a reporting module adapted to communicate with the administration module, the reporting module for appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for detecting malicious content associated with an electronic message are described. An electronic message, such as an e-mail, a chat request, a torrent file or a text message is initially received. The electronic message can then be compared to known viruses using pattern or signature matching techniques. The electronic message is then transmitted to a virtual machine which executes the electronic message in an environment simulating the destination computing system of the electronic message. The virtual machine monitors execution of the electronic message to identify one or more malicious actions and classifies the electronic message accordingly. For example, message component execution is monitored for attempts to access system files, attempts to access user information, attempts to transmit system configuration data or attempts to transmit user information.

Citations

19 Claims

1. An apparatus for identifying malicious content associated with an electronic message specifying a destination computing device, the apparatus comprising:
- a processor;
  
  a filtering module stored on a memory and executable by the processor, the filtering module for receiving the electronic message and content associated with the electronic message, determining whether the electronic message and the content associated with the electronic message include content known to be malicious by comparing the electronic message and the content associated with the electronic message with a database of content determined to be malicious and parsing the electronic message and the content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text;
  
  a network access module stored on the memory and executable by the processor, the network access module adapted to communicate with the filtering module, the network access module identifying a destination associated with the electronic message and the plurality of components;
  
  a virtual machine stored on the memory and executable by the processor, the virtual machine adapted to communicate with the network access module, the virtual machine executing the plurality of components in an environment simulating a destination computing device environment, monitoring execution of the plurality of components for one or more malicious actions, generating a classification result associated with the electronic message and content associated with the electronic message responsive to monitoring execution of the plurality of components, storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious and modifying filtering rules for identifying the content known to be malicious based at least in part on the classification result;
  
  an administration module stored on the memory and executable by the processor, the administration module adapted to communicate with the network access module for performing an action on the electronic message and content associated with the electronic message responsive to the classification result; and
  
  a reporting module adapted to communicate with the administration module, the reporting module for appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the action on the electronic message and content associated with the electronic message comprises:
    - deleting the electronic message and content associated with the electronic message, quarantining the electronic message and content associated with the electronic message or transmitting the electronic message and content associated with the electronic message to the destination computing device.
  - 3. The apparatus of claim 1, further comprising:
    - a quarantine store adapted to communicate with the administration module, the quarantine store for storing the electronic message and content associated with the electronic message responsive to the classification result.
  - 4. The apparatus of claim 1, wherein the classification result comprises a message that the electronic message or content associated with the electronic message is malicious or a message that the electronic message and content associated with the electronic message is not malicious.
  - 5. The apparatus of claim 1, wherein the one or more malicious actions comprise accesses to a configuration setting of the virtual machine environment, retrieval of configuration data for the virtual machine, replication of the electronic message or the content associated with the electronic message, transmitting e-mail or the content associated with the electronic message to a remote computing system, executing unauthorized disk reads or writes, accessing a system registry of the virtual machine, accessing an address list included in the virtual machine or alteration of a physical or logical parameter associated with the virtual machine.
  - 6. The apparatus of claim 1, wherein parsing the content associated with the electronic message into the plurality of components comprises:
    - comparing the content associated with the electronic message to one or more signatures, the one or more signatures associated with one or more content types.
  - 7. The apparatus of claim 1, wherein the plurality of components further comprises a file attached to the electronic message and executable content embedded in the electronic message or content associated with the electronic message.
  - 8. The apparatus of claim 1, wherein the network access module is further adapted to communicate with a network and communicates a subset of data from the virtual machine to the network.
  - 9. The apparatus of claim 1, wherein the filtering module receives the classification result from the virtual machine and stores a copy of the electronic message and content associated with the electronic message responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious.
  - 10. The apparatus of claim 1, wherein the electronic message comprises an electronic mail message, a short message service (SMS) message, a multimedia messaging service (MMS) message, a text message, a chat message, a torrent file, a hypertext transport protocol (HTTP) requests, a HTTP response, a transmission control protocol/Internet protocol (TCP/IP) packet, a User Datagram Protocol (UDP) packets, a simple mail transfer protocol (SMTP) message or a file transfer protocol (FTP) request.

11. A computer-implemented method for identifying malicious content associated with an electronic message specifying a destination computing device, comprising:
- filtering the electronic message and content associated with the electronic message for content previously known to be malicious by comparing the electronic message and content associated with the electronic message with a database of content determined to be malicious;
  
  parsing the electronic message and content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text;
  
  associating the plurality of components with a virtual machine;
  
  executing the plurality of components in the virtual machine using an environment similar to an environment of the destination computing device;
  
  monitoring execution of the plurality of components for one or more actions associated with malicious content;
  
  generating a classification result associated with the plurality of components responsive to a result of monitoring execution;
  
  storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious;
  
  modifying filtering rules for identifying the content previously known to be malicious based at least in part on the classification result; and
  
  appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer-implemented method of claim 11, further comprising:
    - responsive to the classification result, performing an action modifying transmission of the electronic message and content associated with the electronic message to the destination computing device.
  - 13. The computer-implemented method of claim 12, wherein the action modifying transmission of the electronic message comprises deleting the electronic message and content associated with the electronic message, quarantining the electronic message and content associated with the electronic message or transmitting the electronic message and content associated with the electronic message to the destination computing device.
  - 14. The computer-implemented method of claim 11, wherein modifying filtering rules comprises modifying signature or pattern matching methods.
  - 15. The computer-implemented method of claim 11 wherein the one or more actions comprise:
    - accesses to a configuration setting of the virtual machine environment, retrieval of configuration data for the virtual machine, replication of the electronic message or the content associated with the electronic message, transmitting e-mail or the content associated with the electronic message to a remote computing system, executing unauthorized disk reads or writes, accessing a system registry of the virtual machine, accessing an address list included in the virtual machine or alteration of a physical or logical parameter associated with the virtual machine.
  - 16. The computer-implemented method of claim 11, parsing the content associated with the electronic message into the plurality of components comprises:
    - comparing the content associated with the electronic message to one or more signatures, the one or more signatures associated with one or more content types.
  - 17. The computer-implemented method of claim 11, wherein the plurality of components further comprises:
    - a file attached to the electronic message and executable content embedded in the electronic message or content associated with the electronic message.
  - 18. The computer-implemented method of claim 11, wherein executing the plurality of components in the virtual machine using the environment similar to the environment of the destination computing device comprises:
    - separately executing each of the plurality of components in the virtual machine using the environment similar to the environment of the destination computing device.

19. A system for identifying malicious content associated with an electronic message specifying a destination computing device, the system comprising:
- an agent including;
  
  a processor;
  
  a filtering module stored on a memory and executable by the processor, the filtering module for receiving the electronic message and content associated with the electronic message and for determining whether electronic message and the content associated with the electronic message include content known to be malicious by comparing the electronic message and the content associated with the electronic message with a database of content determined to be malicious and parsing the electronic message and the content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text; and
  
  a communication module stored on the memory and executable by the processor, the communication module adapted to communicate with the filtering module; and
  
  a simulation system remote from the agent, the simulation system including;
  
  a network access module adapted to communicate with the communication module, the network access module identifying a virtual machine associated with the electronic message and content associated with the electronic message;
  
  a plurality of virtual machines adapted to communicate with the network access module, an identified virtual machine executing the plurality of components in an environment simulating a destination computing device environment, monitoring execution of the plurality of components for one or more malicious actions, generating a classification result associated with the electronic message and content associated with the electronic message, the classification result transmitted to the communication module using the network access module, storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious and modifying filtering rules for identifying the content known to be malicious based at least in part on the classification result; and
  
  a reporting module adapted to communicate with the administration module, the reporting module for appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
M86 Security Incorporated (Singapore Telecommunications Limited)
Inventors
Green, David E., Payne, Richard, Kilmer, William
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US12/130,634
Time in Patent Office

1,642 Days
Field of Search

726 22- 23, 718/1
US Class Current

726/23
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

System and method for malicious software detection in multiple protocols

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malicious software detection in multiple protocols

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links