Probabilistic shellcode detection

US 8,549,624 B2
Filed: 04/15/2008
Issued: 10/01/2013
Est. Priority Date: 04/14/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:

receive at an anti-malware engine an arbitrary file, the arbitrary file including a plurality of data blocks;

determine where one or more candidate areas exist within the arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;

search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and

calculating for any such instruction candidate found in any of the at least one nearby areas a statistical probability based on a disassembly of instructions starting at a found offset location corresponding to the location of the such instruction candidate that the disassembled instructions are shellcode.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.

Citations

22 Claims

1. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:
- receive at an anti-malware engine an arbitrary file, the arbitrary file including a plurality of data blocks;
  
  determine where one or more candidate areas exist within the arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
  
  search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and
  
  calculating for any such instruction candidate found in any of the at least one nearby areas a statistical probability based on a disassembly of instructions starting at a found offset location corresponding to the location of the such instruction candidate that the disassembled instructions are shellcode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory machine readable medium of claim 1, further comprising instructions to cause the processor to classify the arbitrary file as containing shellcode if the statistical probability exceeds a probability threshold.
  - 3. The non-transitory machine readable medium of claim 1, wherein the instruction candidate at the found offset location is a code branching instruction or a function call.
  - 4. The non-transitory machine readable medium of claim 1, wherein the instruction candidate at the found offset location is similar to the start of a known characteristical shellcode sequence.
  - 5. The non-transitory machine readable medium of claim 1, wherein the instructions to cause the processor to determine where one or more candidate areas exist within the arbitrary file include instructions to cause the processor to scan the arbitrary file looking for at least one repetitive construct, the at least one repetitive construct having a potential of overflowing a buffer in a computer memory when the arbitrary file is parsed, rendered or executed.
  - 6. The non-transitory machine readable medium of claim 1, wherein the instructions to cause the processor to search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file include instructions to cause the processor to configure a number of data blocks to be included in the at least one nearby area.
  - 7. The non-transitory machine readable medium of claim 1, wherein the instructions to cause the processor to calculate for any found offset the statistical probability based on a disassembly of instructions starting at the found offset location include instructions to cause the processor to disassemble instructions starting at the found offset by following branches and method calls dynamically.
  - 8. The non-transitory machine readable medium of claim 1, wherein the instructions to cause the processor to calculate the statistical probability based on a disassembly of instructions starting at the found offset location include instructions to cause the processor to:
    - for a given stream of instructions starting at a given found offset location, map an instruction-to-shellcode probability to each instruction in the given stream of instructions; and
      
      sum the mapped instruction-to-shellcode probability for each instruction using Bayes'"'"' formula to generate an overall probability.
  - 9. The non-transitory machine readable medium of claim 8, further including instructions to cause the processor to classify the arbitrary file as containing shellcode if the overall probability exceeds a threshold value.

10. A gateway comprising:
- an anti-malware engine, executing on a hardware processor, operable to scan a given arbitrary file, the given arbitrary file including a plurality of data blocks, and to determine if any candidate areas exist within the given arbitrary file by scanning contents of the arbitrary file, wherein a given candidate area includes a subset of the plurality of data blocks of the given arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
  
  for any given candidate area located within the given arbitrary file, search at least one nearby area surrounding the candidate area for instruction candidates, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the given arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the given arbitrary file; and
  
  for any such instruction candidates found in any of the at least one nearby areas, calculate a statistical probability based on one or more disassembled instructions starting at a found offset location corresponding to the location of the such instruction candidate to determine a likelihood that the given arbitrary file includes shellcode.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The gateway of claim 10, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more threshold values used by the anti-malware engine in at least one shellcode detection process.
  - 12. The gateway of claim 10, wherein the anti-malware engine is operable to output warning messages to an interface coupled to the anti-malware engine when the given arbitrary file is determined to include shellcode.
  - 13. The gateway of claim 10, wherein the gateway couples at least one protected device to the Internet.
  - 14. The gateway of claim 10, wherein the anti-malware engine is operable to access known characteristical shellcode sequences stored in a database coupled to the anti-malware engine, and to scan the given arbitrary file for the known characteristical shellcode sequences.

15. A non-transitory machine readable medium storing instructions that, when executed by a processor, cause the processor to:
- receive at an anti-malware engine an arbitrary file, the arbitrary the including a plurality of data blocks;
  
  scan contents of the arbitrary file to determine if any candidate areas exist within the arbitrary file, wherein a given candidate area of the one or more candidate areas includes a subset of the plurality of data blocks of the arbitrary file, the subset of the plurality of data blocks including a first data block and one or more additional data blocks following the first data block up to and including a last data block of the given candidate area;
  
  for any candidate areas found in the arbitrary file, first search the areas surrounding the any candidate areas to determine if any function calls or any code branching instructions exist in the areas surrounding the any candidate areas, wherein a given nearby area includes either a predetermined number of data blocks immediately preceding the given candidate area within the arbitrary file or a predetermined number of data blocks immediately following the given candidate area within the arbitrary file; and
  
  if no function calls and no code branching instructions are found, search the areas surrounding the any candidate areas for known characteristical shellcode sequences.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory machine readable medium of claim 15, including instructions to cause the processor, if no known characteristical shellcode sequences are found, to scan the arbitrary file for data blocks with high information entropy compared to a threshold value.
  - 17. The non-transitory machine readable medium of claim 15, wherein the instructions to cause the processor to scan the arbitrary file include instructions to cause the processor to scan the arbitrary file for repeated constructs that include long sequences of repeated characters.
  - 18. The non-transitory machine readable medium of claim 17, wherein the instructions to cause the processor to scan for repeated constructs include instructions to cause the processor to:
    - take a first character a_Nat position N in the arbitrary file;
      
      search for a next occurrence of the first character, which is found at position M;
      
      use a sub-sequence (a_N, . . . , a_M−
      
      1) as a repetition pattern having a length L=M−
      
      N);
      
      compare the repetition pattern to the sub-sequence (a_M, . . . , a_M+L), and if equal, advance by L bytes and continue with this comparing until a comparison fans in order to determine a number of found repetitions; and
      
      if the number of found repetitions is below a given threshold, determine that no match is found.
  - 19. The non-transitory machine readable medium of claim 15, further comprising instructions, if any function calls or code branching instructions are found in the areas surrounding the any candidate areas, to:
    - disassemble a number of instructions starting at a resulting location of a found function call or code branching instruction, calculate a probability for each of the instructions disassembled;
      
      sum each of the calculated probabilities using Bayers'"'"' formula to generate an overall probability; and
      
      use the overall probability, determine that the arbitrary file includes shellcode when the overall probability exceeds an threshold value.

20. A computer network comprising:
- a gateway including an anti-malware engine, the anti-malware engine operable to;
  
  receive an arbitrary file, the arbitrary file including a plurality of data blocks;
  
  scan contents of the arbitrary file for a candidate area, the candidate area containing a subset of the plurality of data blocks from the arbitrary file and containing repetitive constructs that have a potential to overflow a buffer;
  
  determine if any function calls or any code branching instructions exist in an area surrounding the candidate area, wherein the area surrounding a given candidate area includes either a predetermined number of data blocks immediately preceding the candidate area or a predetermined number of data blocks immediately following the candidate area; and
  
  generating a statistical probability representing the likelihood that the arbitrary the includes shellcode by performing a statistical analysis of the instructions starting at a resulting location of at least one found function call or code branching instruction to generate an overall shellcode probability for the arbitrary file.
- View Dependent Claims (21, 22)
- - 21. The computer network of claim 20, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more probability threshold settings used by the anti-malware engine in determining whether a given statistical probability generated for the arbitrary file indicates that the arbitrary file includes shellcode.
  - 22. The computer network of claim 20, further including a database coupled to the gateway, the database including memory operable to store one or more known shellcode sequences and to provide the one or more known shellcode sequences to the anti-malware engine for comparison to instructions in the arbitrary file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
VOSTAL, ONDREJ C

Application Number

US12/103,498
Publication Number

US 20100031359A1
Time in Patent Office

1,995 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

Probabilistic shellcode detection

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Probabilistic shellcode detection

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links