Malware detection using external call characteristics
First Claim
1. A computer program product embodied on a non-transitory tangible computer readable medium and configured to:
search a computer program for external call instructions;
compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
perform at least one action if the computer program is identified as containing malware.
Abstract
A malware scanner 2, for malware such as computer viruses, worms, Trojans and the like, utilizes the external call characteristics associated with known items of malware to identify the presence of malware within a computer file. Malware written in a high-level language, when compiled, can take a variety of different forms as object code, but these different object-code forms will usually share external call characteristics to a sufficient degree that the presence of those characteristics can properly and accurately identify, generically, different compiled variants of the same source-code malware.
21 Claims
1. A computer program product embodied on a non-transitory tangible computer readable medium and configured to:
search a computer program for external call instructions;
compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
perform at least one action if the computer program is identified as containing malware.
(Dependent claims 2 to 10 not shown.)

11. A method of detecting a computer program containing malware, comprising:
searching the computer program for external call instructions;
comparing the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
identifying the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
performing at least one action if the computer program is identified as containing malware.
(Dependent claims 12 to 20 not shown.)

21. An apparatus for detecting a computer program containing malware, comprising:
a processor; and
a memory, the apparatus configured to:
search the computer program for external call instructions;
compare the external call instructions within the computer program with at least one predetermined external call instruction characteristic corresponding to known malware, wherein the at least one predetermined external call characteristic comprises relative position information specifying relative positions of at least one external call instruction with respect to another external call instruction within the computer program; and
identify the computer program as containing malware if the external call instructions within the computer program match the at least one predetermined external call instruction characteristic corresponding to known malware; and
perform at least one action if the computer program is identified as containing malware.
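The abstract and the three independent claims describe the same four steps in words: find the external calls, compare them against a characteristic that includes their relative positions, flag the program on a match, and act on the result. The Python below is an added illustration of those steps and is not code from the patent or from any product; the disassembly listings, the `__imp__` thunk convention, the API names and the byte-distance windows in `DROPPER_SIG` are all constructed for the example. Two "compiled variants" of the same hypothetical loader differ in register allocation and padding but match; two benign programs that use the same APIs in a different order, or too far apart, do not.

```python
"""Match a program's external calls against a characteristic that fixes their order and
relative spacing. Added illustration; listings, API names and signature are constructed
for the example and are not taken from the patent."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExternalCall:
    offset: int   # address of the call instruction
    target: str   # imported symbol reached through the import table


# One disassembled instruction per line, "0xADDR: mnemonic operands" (constructed format).
# Only calls through an import thunk (__imp__NAME) count as external calls here.
CALL_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+call\s+(?:dword ptr\s+)?\[__imp__(\w+)\]")


def find_external_calls(listing: str) -> List[ExternalCall]:
    """Claim step 1: search the program for external call instructions."""
    return [ExternalCall(int(m.group(1), 16), m.group(2))
            for m in map(CALL_RE.match, listing.splitlines()) if m]


# A characteristic is an ordered list of (target, min_gap, max_gap): each call must follow
# the previously matched one by a byte distance inside [min_gap, max_gap]. The window is the
# "relative position information" and absorbs register shuffles and padding between variants.
Characteristic = List[Tuple[str, int, int]]

DROPPER_SIG: Characteristic = [      # hypothetical signature for a small loader
    ("LoadLibraryA", 0, 0),          # anchor; its window is unused
    ("GetProcAddress", 1, 32),
    ("WinExec", 1, 48),
    ("ExitProcess", 1, 48),
]


def match_characteristic(calls: List[ExternalCall],
                         sig: Characteristic) -> Optional[List[ExternalCall]]:
    """Claim steps 2 and 3: return the chain of calls matching sig, or None.
    Every occurrence of the anchor is tried. After it, the next in-order call with the right
    target must land inside the window (with min_gap >= 1 a later duplicate could only be
    farther away, so it is not retried)."""
    for start, first in enumerate(calls):
        if first.target != sig[0][0]:
            continue
        chain, i = [first], start + 1
        for target, lo, hi in sig[1:]:
            while i < len(calls) and calls[i].target != target:
                i += 1
            if i == len(calls) or not lo <= calls[i].offset - chain[-1].offset <= hi:
                chain = None
                break
            chain.append(calls[i])
            i += 1
        if chain:
            return chain
    return None


def scan(listing: str, sig: Characteristic = DROPPER_SIG) -> bool:
    """True when the program matches; claim step 4 (the action) is left to the caller."""
    return match_characteristic(find_external_calls(listing), sig) is not None


# Constructed listings. variant_a and variant_b are the same hypothetical loader built with
# different register allocation and padding: byte patterns differ, the call structure does not.
SAMPLES: Dict[str, str] = {
    "variant_a": """\
0x401000: push ebp
0x401001: mov ebp, esp
0x401003: push offset aKernel32
0x401008: call dword ptr [__imp__LoadLibraryA]
0x40100e: push offset aWinExec
0x401013: push eax
0x401014: call dword ptr [__imp__GetProcAddress]
0x40101a: push offset aCmd
0x40101f: call dword ptr [__imp__WinExec]
0x401025: push 0
0x401027: call dword ptr [__imp__ExitProcess]
""",
    "variant_b": """\
0x402000: push esi
0x402001: mov esi, offset aKernel32
0x402006: push esi
0x402007: call dword ptr [__imp__LoadLibraryA]
0x40200d: mov edi, eax
0x40200f: nop
0x402010: push offset aWinExec
0x402015: push edi
0x402016: call dword ptr [__imp__GetProcAddress]
0x40201c: xor ecx, ecx
0x40201e: push offset aCmd
0x402023: call dword ptr [__imp__WinExec]
0x402029: push ecx
0x40202a: call dword ptr [__imp__ExitProcess]
""",
    "benign_order": """\
0x403000: push offset aCmd
0x403005: call dword ptr [__imp__WinExec]
0x40300b: push offset aKernel32
0x403010: call dword ptr [__imp__LoadLibraryA]
0x403016: push eax
0x403017: call dword ptr [__imp__GetProcAddress]
0x40301d: call dword ptr [__imp__ExitProcess]
""",
    "benign_far": """\
0x404000: push offset aKernel32
0x404005: call dword ptr [__imp__LoadLibraryA]
; 0x1f5 bytes of unrelated code elided
0x404200: push eax
0x404201: call dword ptr [__imp__GetProcAddress]
0x404207: push offset aCmd
0x40420c: call dword ptr [__imp__WinExec]
0x404212: call dword ptr [__imp__ExitProcess]
""",
}


def demo() -> Dict[str, bool]:
    """Scan every constructed sample; both variants flag, neither benign listing does."""
    return {name: scan(listing) for name, listing in SAMPLES.items()}
```

A production scanner would take the external calls from the PE import address table (or ELF PLT) rather than a text listing, and the windows in a characteristic would be measured across several known compiled variants of a sample instead of being hand-picked as here. The ordering plus the gap window is what the claims call relative position information; widening the windows catches more variants at the cost of more false positives on benign code that happens to use the same APIs in the same order.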
Specification