System and method for detecting malware targeting the boot process of a computer using boot process emulation
Abstract
System and method for detecting malware on a target computer system having a bootable device. Boot process information stored on the bootable device that at least partially defines a boot process of the target computer system is obtained, along with physical parameter data defining a storage arrangement structure of the bootable device. The boot process of the target computer system is emulated based on the boot process information and on the physical parameter data. The emulation includes executing instructions of the boot process information and tracking data accessed from the bootable device. A data structure representing the data accessed from the bootable device is stored during the emulation of the boot process. The data structure can be analyzed for any presence of boot process malware.
330 Citations
25 Claims
1. An automated computer-implemented method for investigating a presence of an unknown program on a target computer system that includes a processor, memory, and a basic input/output system (BIOS), and that further includes a bootable device that contains boot code at least partially defining a boot process for the target computer system, the method comprising:
- obtaining, by an automated protection system, physical parameter data defining a storage arrangement structure of the bootable device;
- emulating, by the automated protection system, the boot process of the target computer system based on the physical parameter data, wherein the emulating is carried out in a virtual environment representing the target computer system, and includes executing the boot code and obtaining boot process information in response to executing of the boot code;
- generating, by the automated protection system, a data structure representing at least the boot process information; and
- based on the data structure, obtaining a determination of whether the boot process information includes an unknown program.
(Dependent claims 2 through 11.)

12. An automated computer-implemented method for detecting an unknown program on a target computer system having a bootable device, the method comprising:
- receiving, by an automated analysis system remotely located from the target computer system, a data structure containing:
  - boot process information stored on the bootable device that at least partially defines a boot process of the target computer system; and
  - physical parameter data defining a storage arrangement structure of the bootable device;
- analyzing, by the automated analysis system, whether the bootable device contains a suspicious program accessed by the boot process of the target computer system, the analyzing including emulating the boot process of the target computer system based on the data structure, wherein the emulating includes executing code of the boot process information in a virtualized computer system representing physical characteristics of the target computer system, and evaluating a result of the executing of that code.
(Dependent claims 13 through 15.)

16. A protection system for detecting an unknown program on a target computer system having a bootable device, the protection system comprising:
- a boot emulator module configured to:
  - collect boot process information stored on the bootable device that at least partially defines a boot process of the target computer system and physical parameter data defining a storage arrangement structure of the bootable device; and
  - perform an emulation of the boot process of the target computer system based on the boot process information and on the physical parameter data;
  wherein the boot emulator module is further configured to execute instructions of the boot process information and track data accessed from the bootable device in response to the instructions of the boot process information; and
- a detector module communicatively coupled with the boot emulator module, and configured to detect a presence of unknown programs based on the data accessed from the bootable device in the emulation of the boot process.
(Dependent claims 17 through 25.)
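The abstract and claim 16 describe one pipeline: take the boot code plus the physical parameters of the bootable device, emulate the boot process, record every piece of data the boot code pulls from the device into a data structure, and then let a detector judge that data structure. The following is an added illustration written for this page, not code from the patent or its assignee. It models the "physical parameter data" as a CHS disk geometry (the emulator needs it to turn the cylinder/head/sector addresses in the boot code into offsets in the disk image), executes a constructed toy bytecode in place of real x86 boot sectors, keeps a trace of sector reads and executed stages, and applies two detector rules that are assumptions for this example: the first-stage code must match an allow-list of known boot sectors, and no stage may read sectors that lie outside the MBR and the partitions declared in the real 16-byte MBR partition-table entries at offset 446. The two disk images, the geometry and the bytecode are all constructed here.

```python
"""Added example: boot-process emulation with access tracing (toy bytecode, not x86)."""
import hashlib
import struct
from dataclasses import dataclass, field

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"

# Constructed toy instruction set standing in for real boot code:
#   0x01 c h s n : read n sectors at CHS (c, h, s) into the staging buffer
#   0x02         : transfer control to the staging buffer (like jumping to a loaded VBR)
#   0x03         : hand off to the operating system (boot complete)
OP_READ, OP_JUMP, OP_DONE = 0x01, 0x02, 0x03


@dataclass
class Geometry:
    """Physical parameter data: how the bootable device's sectors are arranged."""
    heads: int
    sectors_per_track: int

    def chs_to_lba(self, c, h, s):
        # Classic CHS -> LBA formula; sectors are numbered from 1 in CHS.
        return (c * self.heads + h) * self.sectors_per_track + (s - 1)


@dataclass
class BootTrace:
    """Data structure produced by the emulation: what the boot code touched and ran."""
    reads: list = field(default_factory=list)   # (lba, sector count, sha256 of the data)
    stages: list = field(default_factory=list)  # sha256 of each code stage that executed


class BootEmulator:
    def __init__(self, image, geometry):
        self.image, self.geo = image, geometry
        self.trace = BootTrace()

    def _read(self, lba, count):
        data = self.image[lba * SECTOR:(lba + count) * SECTOR]
        self.trace.reads.append((lba, count, hashlib.sha256(data).hexdigest()))
        return data

    def run(self, max_stages=8):
        code = self._read(0, 1)            # the BIOS loads sector 0, the MBR
        staging = b""
        for _ in range(max_stages):        # bound the chain so a looping stage cannot hang us
            self.trace.stages.append(hashlib.sha256(code).hexdigest())
            pc = 0
            while True:
                op = code[pc]
                if op == OP_READ:
                    c, h, s, n = code[pc + 1:pc + 5]
                    staging = self._read(self.geo.chs_to_lba(c, h, s), n)
                    pc += 5
                elif op == OP_JUMP:
                    if not staging:
                        raise ValueError("jump with nothing loaded")
                    code, staging = staging, b""
                    break
                elif op == OP_DONE:
                    return self.trace
                else:
                    raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        raise RuntimeError("boot chain exceeded the stage limit")


def partitions(mbr):
    """Parse the four MBR partition entries (real layout: offset 446, 16 bytes each)."""
    out = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = e[4]
        start, size = struct.unpack_from("<II", e, 8)
        if ptype and size:
            out.append((start, start + size))
    return out


def analyze(trace, image, known_mbr_hashes):
    """Detector rules (assumed for this example): unknown first stage, reads off-partition."""
    findings = []
    if trace.stages[0] not in known_mbr_hashes:
        findings.append("mbr-code-unknown")
    parts = partitions(image[:SECTOR])
    for lba, count, _ in trace.reads:
        if (lba, count) == (0, 1):          # the MBR itself is always read
            continue
        if not any(lo <= lba and lba + count <= hi for lo, hi in parts):
            findings.append(f"read-outside-partitions:{lba}+{count}")
    return findings


def build_image(mbr_code, extra=None, total_sectors=64, part_start=8, part_size=40):
    """Constructed disk image: one active partition, a VBR that boots, optional extra sectors."""
    image = bytearray(total_sectors * SECTOR)
    image[:len(mbr_code)] = mbr_code
    struct.pack_into("<B3sB3sII", image, 446, 0x80, b"\0\0\0", 0x83, b"\0\0\0", part_start, part_size)
    image[510:512] = MBR_SIGNATURE
    image[part_start * SECTOR] = OP_DONE     # VBR at the partition start hands off to the OS
    for lba, code in (extra or {}).items():
        image[lba * SECTOR:lba * SECTOR + len(code)] = code
    return bytes(image)


def mbr_hash(image):
    return hashlib.sha256(image[:SECTOR]).hexdigest()


def scan(image, known_mbr_hashes, geometry=None):
    trace = BootEmulator(image, geometry or GEOMETRY).run()
    return trace, analyze(trace, image, known_mbr_hashes)


GEOMETRY = Geometry(heads=4, sectors_per_track=8)            # 64 sectors = 2 cylinders
CLEAN_MBR = bytes([OP_READ, 0, 1, 1, 1, OP_JUMP])            # read CHS(0,1,1) = LBA 8 (the VBR), jump
DIVERTED_MBR = bytes([OP_READ, 1, 3, 1, 1, OP_JUMP])         # read CHS(1,3,1) = LBA 56, unallocated space
HIDDEN_STAGE = {56: bytes([OP_READ, 0, 1, 1, 1, OP_JUMP])}   # hidden stage then chains to the real VBR

if __name__ == "__main__":
    clean = build_image(CLEAN_MBR)
    known = {mbr_hash(clean)}
    for name, img in (("clean", clean), ("diverted", build_image(DIVERTED_MBR, HIDDEN_STAGE))):
        trace, findings = scan(img, known)
        print(name, [r[:2] for r in trace.reads], findings)
```

The point the trace makes is the one the claims rely on: the detector never has to understand the boot code, it only has to look at the data structure the emulation produced. In the diverted image the first stage is unknown and the chain reads a sector that no partition owns before reaching the real VBR, and both facts fall out of the recorded reads. On a real system the stage hashes would cover only the code area of each sector (the partition table varies per machine), and the geometry would come from the device rather than from a constant.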