Malware detection using external call characteristics

US 8,549,635 B2
Filed: 04/01/2012
Issued: 10/01/2013
Est. Priority Date: 04/01/2003
Status: Expired due to Term

First Claim

Patent Images

1. A computer program product embodied on a non-transitory tangible computer readable medium and configured to:

search a computer program for external call instructions;

compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and

identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and

perform at least one action if the computer program is identified as containing malware.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware scanner 2, for malware such as computer viruses, worms, Trojans and the like, utilizes the external call characteristics associated with known items of malware to identify the presence of malware within a computer file. Malware written in a high level language when compiled can take a variety of different forms as object code, but these different object code forms will usually share external call characteristics to a sufficient degree to allow the presence of such external call characteristics to properly and accurately generically identify different compiled variants of the source code malware.

118 Citations

View as Search Results

21 Claims

1. A computer program product embodied on a non-transitory tangible computer readable medium and configured to:
- search a computer program for external call instructions;
  
  compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
  
  identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
  
  perform at least one action if the computer program is identified as containing malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer program product of claim 1, wherein the at least one predetermined external call instruction characteristic comprises predetermined sets characterizing external calls, and wherein at least one of the predetermined sets characterizing external calls includes at least one wildcard external call marker that provides a match to any external call within a particular range within the computer program.
  - 3. The computer program product of claim 2, wherein at least one of the predetermined sets characterizing external calls includes at least one parameterized characterizing external call associated with a characterizing parameter value, the parameterized characterizing external call matching with an external call within the computer program if the characterizing parameter value also matches a corresponding parameter value associated with the external call within the computer program.
  - 4. The computer program product of claim 3, wherein the characterizing parameter value has associated relative position information specifying a relative position to the parameterized characterizing external call within which a matching parameter value must be found.
  - 5. The computer program product of claim 1, wherein performing the at least one action includes at least one of deleting one or more files associated with known malware, quarantining one or more files associated with known malware, denying access to one or more files associated with known malware, and generating an alert message.
  - 6. The computer program product of claim 1, wherein the search includes searching for all external calls within the computer program.
  - 7. The computer program product of claim 1, wherein the computer program product is further configured to analyze the computer program to determine identifying characteristics of external calls prior to the searching.
  - 8. The computer program product of claim 7, wherein the analysis includes one or more of:
    - analyzing link information associated with the computer program; and
      
      analyzing a location of the computer program within a file to identify a boundary between the computer program and a joined run-time library.
  - 9. The computer program product of claim 1, wherein the malware is one or more of:
    - a computer virus;
      
      a worm; and
      
      a Trojan.
  - 10. The computer program product of claim 1, wherein the external call instructions that are subject to the comparison comprise at least one of a call to an operating system, a call to a dynamic link library associated with the computer program, and a call to a run-time library joined with the computer program.

11. A method of detecting a computer program containing malware, comprising:
- searching the computer program for external call instructions;
  
  comparing the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
  
  identifying the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
  
  performing at least one action if the computer program is identified as containing malware.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the at least one predetermined external call instruction characteristic comprises predetermined sets characterizing external calls, and wherein at least one of the predetermined sets characterizing external calls includes at least one wildcard external call marker that provides a match to any external call within a particular range within the computer program.
  - 13. The method of claim 12, wherein at least one of the predetermined sets characterizing external calls includes at least one parameterized characterizing external call associated with a characterizing parameter value, the parameterized characterizing external call matching with an external call within the computer program if the characterizing parameter value also matches a corresponding parameter value associated with the external call within the computer program.
  - 14. The method of claim 13, wherein the characterizing parameter value has associated relative position information specifying a relative position to the parameterized characterizing external call within which a matching parameter value must be found.
  - 15. The method of claim 11, wherein performing the at least one action includes at least one of deleting one or more files associated with known malware, quarantining one or more files associated with known malware, denying access to one or more files associated with known malware, and generating an alert message.
  - 16. The method of claim 11, wherein the searching the computer program includes searching for all external calls within the computer program.
  - 17. The method of claim 11, further comprising analyzing the computer program to determine identifying characteristics of external calls prior to the searching.
  - 18. The method of claim 17, wherein the analyzing includes one or more of:
    - analyzing link information associated with the computer program; and
      
      analyzing a location of the computer program within a file to identify a boundary between the computer program and a joined run-time library.
  - 19. The method of claim 11, wherein the malware is one or more of a computer virus, a worm, and a Trojan.
  - 20. The method of claim 11, wherein the external call instructions that are subject to the comparison comprise at least one of a call to an operating system, a call to a dynamic link library associated with the computer program, and a call to a run-time library joined with the computer program.

21. An apparatus for detecting a computer program containing malware, comprising:
- a processor; and
  
  a memory, the apparatus configured to;
  
  search the computer program for external call instructions;
  
  compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
  
  identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
  
  perform at least one action if the computer program is identified as containing malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Muttik, Igor Garrievich, Teblyashkin, Ivan Alexandrovich
Primary Examiner(s)
Reza, Mohammad W

Application Number

US13/436,964
Publication Number

US 20120192279A1
Time in Patent Office

548 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

Malware detection using external call characteristics

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using external call characteristics

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links