Systems and methods for identifying polymorphic malware

US 8,479,291 B1
Filed: 10/28/2010
Issued: 07/02/2013
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying polymorphic malware, the method comprising:

identifying a sample of a variant within a polymorphic malware strain;

identifying a set of filters for identifying the polymorphic malware strain;

determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of;

determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/orexamining how close the set of filters is to correctly categorizing the sample;

modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain,wherein at least a portion of the method is being performed by a computing device comprising at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for identifying polymorphic malware may include identifying a sample of a variant within a polymorphic malware strain. The computer-implemented method may also include identifying a set of filters for identifying the polymorphic malware strain. The computer-implemented method may further include determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain. The computer-implemented method may additionally include modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for identifying polymorphic malware, the method comprising:
- identifying a sample of a variant within a polymorphic malware strain;
  
  identifying a set of filters for identifying the polymorphic malware strain;
  
  determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of;
  
  determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/orexamining how close the set of filters is to correctly categorizing the sample;
  
  modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain,wherein at least a portion of the method is being performed by a computing device comprising at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the polymorphic malware strain comprises a server-side polymorphic malware strain.
  - 3. The computer-implemented method of claim 1, wherein the set of filters comprises at least one filter based on a static file property of an executable file.
  - 4. The computer-implemented method of claim 3, wherein the static file property comprises at least one of:
    - the size of the executable file;
      
      a number of sections in the executable file;
      
      at least one characteristic of at least one section in the executable file;
      
      the number of exported components in the executable file.
  - 5. The computer-implemented method of claim 4, wherein determining that a filter based on executable file size incorrectly excludes the sample from being identified as within the polymorphic malware strain comprises determining that the size of the executable file of the sample is approximately within a range of sizes specified by the filter based on executable file size.
  - 6. The computer-implemented method of claim 1, wherein determining that the set of filters incorrectly excludes the sample comprises examining how close the set of filters is to correctly categorizing the sample.
  - 7. The computer-implemented method of claim 1, wherein determining that the set of filters incorrectly excludes the sample comprises determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and the proportion of filters within the set of filters correctly identify the sample as within the polymorphic malware strain.
  - 8. The computer-implemented method of claim 7, wherein determining that the proportion of filters within the set of filters correctly identify the sample comprises determining that a substantial proportion of filters within the set of filters correctly identify the sample.
  - 9. The computer-implemented method of claim 1, wherein modifying the set of filters to not exclude the sample comprises identifying a minimal change to the scope of the filters necessary to identify the sample as within the polymorphic malware strain.
  - 10. The computer-implemented method of claim 1, further comprising transmitting the modified set of filters to at least one client system.

11. A computer-implemented method for identifying polymorphic malware, the method comprising:
- identifying an executable file subject to a scan for polymorphic malware;
  
  identifying a set of initial filters to apply to the executable file, wherein the set of initial filters was modified after determining that the set of initial filters incorrectly excluded a sample from being identified as within a polymorphic malware strain in response to at least one of;
  
  determining that the set of filters excluded the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identified the sample as within the polymorphic malware strain, and/orexamining how close the set of filters was to correctly categorizing the sample;
  
  applying the set of initial filters to the executable file;
  
  performing a security action on the executable file based at least in part on a result of applying the set of initial filters to the executable file,wherein at least a portion of the method is being performed by a computing device comprising at least one processor.
- View Dependent Claims (12)
- - 12. The computer-implemented method of claim 11, wherein the security action comprises performing a dispositive scan on the executable file.

13. A system for identifying polymorphic malware, the system comprising:
- an identification module programmed to;
  
  identify a sample of a variant within a polymorphic malware strain;
  
  identify a set of filters for identifying the polymorphic malware strain;
  
  a determination module programmed to determine that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of;
  
  determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/orexamining how close the set of filters is to correctly categorizing the sample;
  
  a modification module programmed to modify the set of filters to not exclude the sample from being identified as within the polymorphic malware strain;
  
  at least one hardware processor configured to execute the identification module, the determination module, and the modification module.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein the polymorphic malware strain comprises a server-side polymorphic malware strain.
  - 15. The system of claim 13, wherein the set of filters comprises at least one filter based on a static file property of an executable file.
  - 16. The system of claim 15, wherein the static file property comprises at least one of:
    - the size of the executable file;
      
      a number of sections in the executable file;
      
      at least one characteristic of at least one section in the executable file;
      
      the number of exported components in the executable file.
  - 17. The system of claim 16, wherein:
    - the determination module is programmed to determine that a filter based on the size of the executable file size incorrectly excludes the sample from being identified as within the polymorphic malware strain, andthe size of the executable file of the sample is approximately within a range of sizes specified by the filter based on the executable file size.
  - 18. The system of claim 13, wherein the determination module is programmed to determine that the set of filters incorrectly excludes the sample by examining how close the set of filters is to correctly categorizing the sample.
  - 19. The system of claim 13, wherein the determination module is programmed to determine that the set of filters incorrectly excludes the sample by determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and the proportion of filters within the set of filters correctly identify the sample as within the polymorphic malware strain.
  - 20. The system of claim 13, wherein the modification module is programmed to modify the set of filters to not exclude the sample by identifying a minimal change to the scope of the filters necessary to identify the sample as within the polymorphic malware strain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bodke, Anand
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US12/914,984
Time in Patent Office

978 Days
Field of Search

726 22- 26, 713/188
US Class Current

726/23
CPC Class Codes

G06F 21/562 Static detection

Systems and methods for identifying polymorphic malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying polymorphic malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links