System and method for detecting malware targeting the boot process of a computer using boot process emulation

US 8,365,297 B1
Filed: 04/05/2012
Issued: 01/29/2013
Est. Priority Date: 12/28/2011
Status: Active Grant

First Claim

Patent Images

1. An automated computer-implemented method for investigating a presence of an unknown program on a target computer system that includes a processor, memory, and a basic input/output system (BIOS), and that further includes a bootable device that contains boot code at least partially defining a boot process for the target computer system, the method comprising:

obtaining, by an automated protection system, physical parameter data defining a storage arrangement structure of the bootable device;

emulating, by the automated protection system, the boot process of the target computer system based on the physical parameter data, wherein the emulating is carried out in a virtual environment representing the target computer system, and includes executing the boot code and obtaining boot process information in response to executing of the boot code;

generating, by the automated protection system, a data structure representing at least the boot process information; and

based on the data structure, obtaining a determination of whether the boot process information includes an unknown program.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for detecting malware on a target computer system having a bootable device. Boot process information stored on the bootable device that at least partially defines a boot process of the target computer system is obtained, along with physical parameter data defining a storage arrangement structure of the bootable device. The boot process of the target computer system is emulated based on the boot process information and on the physical parameter data. The emulation includes executing instructions of the boot process information and tracking data accessed from the bootable device. A data structure representing the data accessed from the bootable device is stored during the emulation of the boot process. The data structure can be analyzed for any presence of boot process malware.

330 Citations

25 Claims

1. An automated computer-implemented method for investigating a presence of an unknown program on a target computer system that includes a processor, memory, and a basic input/output system (BIOS), and that further includes a bootable device that contains boot code at least partially defining a boot process for the target computer system, the method comprising:
- obtaining, by an automated protection system, physical parameter data defining a storage arrangement structure of the bootable device;
  
  emulating, by the automated protection system, the boot process of the target computer system based on the physical parameter data, wherein the emulating is carried out in a virtual environment representing the target computer system, and includes executing the boot code and obtaining boot process information in response to executing of the boot code;
  
  generating, by the automated protection system, a data structure representing at least the boot process information; and
  
  based on the data structure, obtaining a determination of whether the boot process information includes an unknown program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein obtaining the boot process information includes obtaining a master boot record (MBR) of the bootable device.
  - 3. The method of claim 1, wherein obtaining the boot process information includes obtaining program code called by a master boot record (MBR) of the bootable device.
  - 4. The method of claim 1, wherein obtaining the boot process information includes operating a rootkit-bypassing driver on the target computer system.
  - 5. The method of claim 1, wherein emulating the boot process is performed at an application layer on the target computer system.
  - 6. The method of claim 1, wherein emulating the boot process includes operating a virtual processor, a virtual memory, a virtual basic input-output system (BIOS) and a virtual startup device that represents the storage arrangement structure of the bootable device.
  - 7. The method of claim 1, wherein generating the data structure includes storing a container data structure including a first portion for storing a representation of the storage arrangement structure of the bootable device, and a second portion for storing contents of a plurality of sectors of the bootable device, the first portion and second portion being sufficiently complete to facilitate emulation of the boot process of the target computer system on a remotely located computer system.
  - 8. The method of claim 1, further comprising:
    - transmitting the data structure to a remotely located computer system.
  - 9. The method of claim 1, further comprising:
    - intercepting a command to write data to a start-up related section of the bootable device;
      
      initiating the emulating in response to the intercepting; and
      
      in response to a determination that the boot process information includes an unknown program, preventing execution of the command to write data to the start-up related section of the bootable device.
  - 10. The method of claim 1, wherein the determination of whether the boot process information includes an unknown program is generated by the automated protection system.
  - 11. The method of claim 1, wherein the determination of whether the boot process information includes an unknown program is obtained from a remotely located computer system.

12. An automated computer-implemented method for detecting an unknown program on a target computer system having a bootable device, the method comprising:
- receiving, by an automated analysis system remotely located from the target computer system, a data structure containing;
  
  boot process information stored on the bootable device that at least partially defines a boot process of the target computer system; and
  
  physical parameter data defining a storage arrangement structure of the bootable device;
  
  analyzing, by the automated analysis system, whether the bootable device contains a suspicious program accessed by the boot process of the target computer system, the analyzing including emulating the boot process of the target computer system based on the data structure, wherein the emulating includes executing code of the boot process information in a virtualized computer system representing physical characteristics of the target computer system, and evaluating a result of the executing of that code.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein the analyzing includes finding a copy of an original master boot record (MBR) of the bootable device along with a modified MBR.
  - 14. The method of claim 12, wherein evaluating the result of the executing of the code of the boot process includes observing functionality of programs called in the emulation to detect a presence of malware.
  - 15. The method of claim 12, further comprising:
    - updating a database of malware signatures based on the analyzing.

16. A protection system for detecting an unknown program on a target computer system having a bootable device, protection system comprising:
- a boot emulator module configured to;
  
  collect boot process information stored on the bootable device that at least partially defines a boot process of the target computer system and physical parameter data defining a storage arrangement structure of the bootable device; and
  
  perform an emulation of the boot process of the target computer system based on the boot process information and on the physical parameter data;
  
  wherein the boot emulator module is further configured to execute instructions of the boot process information and track data accessed from the bootable device in response to the instructions of the boot process information; and
  
  a detector module communicatively coupled with the boot emulator module, and configured to detect a presence of unknown programs based on the data accessed from the bootable device in the emulation of the boot process.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The protection system of claim 16, wherein the boot emulator module is further configured to store the data accessed from the bootable device in a container data structure.
  - 18. The protection system of claim 17, wherein the data accessed from the bootable device includes data purporting to be a master boot record (MBR) and bootkit infection data, including unauthorized instructions.
  - 19. The protection system of claim 17, wherein the data accessed from the bootable device includes data representing contents of an original master boot record (MBR) of the bootable device prior to malware infection of the bootable device.
  - 20. The protection system of claim 17, wherein the container data structure further stores a representation of the storage arrangement structure of the bootable device.
  - 21. The protection system of claim 16, wherein the detector module is configured to search for a copy of an original master boot record (MBR) of the bootable device at a location other than a location of an actual MBR.
  - 22. The protection system of claim 16, wherein the detector module is located remotely from the target computer system.
  - 23. The protection system of claim 16, wherein the detector module is implemented in the target computer system.
  - 24. The protection system of claim 16, wherein the detector module is configured to analyze functionality of programs called during operation of the boot emulator module to detect a presence of malware.
  - 25. The protection system of claim 16, wherein the boot emulator module includes a plurality of virtual modules implemented at an application layer comprising:
    - a virtual bootable device module adapted to represent physical and logical states of the actual bootable device including a master boot record and any malware infection of the actual bootable device;
      
      a virtual processor module operatively coupled with the virtual bootable device module, the virtual processor module adapted to execute the instructions of the boot process information that include the master boot record of the virtual bootable device;
      
      a virtual memory module operatively coupled with the virtual processor module and adapted to emulate functionality of physical memory of the target computer system; and
      
      a virtual basic input-output system (BIOS) module operatively coupled with the virtual processor module and adapted to emulate functionality of actual BIOS of the target computer system; and
      
      wherein the protection system further comprises a disk operations recorder module configured to record all calls made to the bootable device during operation of the boot emulator module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Parshin, Yury G., Pintiysky, Vladislav V.
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US13/440,442
Time in Patent Office

299 Days
Field of Search

None
US Class Current

726/26
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/575 Secure boot

System and method for detecting malware targeting the boot process of a computer using boot process emulation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

330 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting malware targeting the boot process of a computer using boot process emulation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

330 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others