Collecting and analyzing malware data

US 8,667,583 B2
Filed: 09/22/2008
Issued: 03/04/2014
Est. Priority Date: 09/22/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for tracking malware execution on a client computer, the method comprising:

detecting at the client computer a potential malware application;

collecting at the client computer threat information about the potential malware application, wherein the threat information includes executable code of the potential malware application itself and environment information describing configuration settings of the client to allow recreating the client environment at an analysis server and executing the potential malware application for analysis in an environment that reproduces at a server the specific environment in which the potential malware application would execute on the client computer including the collected configuration settings of the client from which the executable code of the potential malware application was collected, and wherein the threat information also includes historical data from the client computer that indicates how the potential malware application initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B will execute the malware two separate times in two separate environments;

1) the recreated environment of client A, and

2) the recreated environment of client B based on the specific configuration settings collected from A and B;

submitting from the client computer the threat information to a back-end service for further analysis;

receiving at the client computer a threat signature and mitigation information from the back-end service, wherein the signature includes data for detecting a threat confirmed by the back-end service; and

applying on the client computer one or more mitigation actions to the detected potential malware application based on the signature received from the back-end service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

63 Citations

View as Search Results

20 Claims

1. A computer-implemented method for tracking malware execution on a client computer, the method comprising:
- detecting at the client computer a potential malware application;
  
  collecting at the client computer threat information about the potential malware application, wherein the threat information includes executable code of the potential malware application itself and environment information describing configuration settings of the client to allow recreating the client environment at an analysis server and executing the potential malware application for analysis in an environment that reproduces at a server the specific environment in which the potential malware application would execute on the client computer including the collected configuration settings of the client from which the executable code of the potential malware application was collected, and wherein the threat information also includes historical data from the client computer that indicates how the potential malware application initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B will execute the malware two separate times in two separate environments;
  
  1) the recreated environment of client A, and
  
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
  
  submitting from the client computer the threat information to a back-end service for further analysis;
  
  receiving at the client computer a threat signature and mitigation information from the back-end service, wherein the signature includes data for detecting a threat confirmed by the back-end service; and
  
  applying on the client computer one or more mitigation actions to the detected potential malware application based on the signature received from the back-end service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein detecting a potential malware application comprises detecting a request to connect to a known malicious URL.
  - 3. The method of claim 1 wherein detecting a potential malware application comprises detecting an attempt to access an operating system file.
  - 4. The method of claim 1 wherein collecting threat information comprises collecting information about at least one of a file, directory, registry key, and network port accessed by the potential malware application.
  - 5. The method of claim 1 wherein the threat signature identifies a particular file associated with the malware application.
  - 6. The method of claim 1 wherein the mitigation actions include deleting a file associated with the potential malware application from the client computer.
  - 7. The method of claim 1 further comprising providing information to the back-end service about a threat detected based on the received signature, so that the back-end can collect statistical information about the occurrence of particular threats to improve the threat mitigation process.

8. A computer system for detecting and removing malicious applications, the system comprising:
- a threat detection component configured to detect events on a client computer that indicate a potential malicious application;
  
  an information collection component configured to collect at the client computer information about the potential malicious application, wherein the collected information includes executable code of the potential malicious application itself and environment information describing configuration settings of the client to allow recreating the client environment and executing the potential malicious application for analysis in an environment that reproduces at a server the specific environment in which the potential malicious application would execute on the client computer including the collected configuration settings of the client from which the executable code of the potential malicious application was collected, and wherein the collected information also includes historical data from the client computer that indicates how the potential malicious application initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B will execute the malware two separate times in two separate environments;
  
  1) the recreated environment of client A, and
  
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
  
  a communication component configured to communicate threat reports from the client computer to a back-end service and signatures for detecting malicious applications from the back-end service to the client computer;
  
  a threat data store configured to store information about potential malicious applications reported by client computers, a queue of potential malicious applications waiting to be analyzed, signatures for detecting malicious applications, and mitigation instructions for removing malicious applications from client computers;
  
  a threat analysis component configured to analyze received threat reports by recreating a specific client environment based on information collected from at least one client computer and executing the potential malicious application in a manner that the potential malicious application would execute on the client computer;
  
  a signature builder component configured to receive information about analyzed threats from the threat analysis component and create a signature for detecting instances of the threat; and
  
  a mitigation component configured to apply signatures and mitigation instructions to identify known threats and carry out mitigation actions in response to identified threat instances.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8 wherein the threat detection component comprises a kernel-mode driver that collects information about the potential malicious applications'"'"' execution.
  - 10. The system of claim 8 wherein the information collection component stores a browsing history of a user of the client computer.
  - 11. The system of claim 8 wherein the threat analysis component is further configured to reproduce an execution environment for received threat reports, execute received potential malicious applications, and classify the potential malicious applications.
  - 12. The system of claim 8 wherein the mitigation component is further configured to receive signature updates from the back-end service, scan the client computer for each signature received, and carry out mitigation actions for any detected threat.
  - 13. The system of claim 8 wherein the mitigation component is further configured to gather additional information about the potential malicious application based on a request received from the back-end service.
  - 14. The system of claim 8 further comprising a feedback component configured to provide threat detection information from the client computer to the back-end service and to prioritize threat report analysis on the back-end service.
  - 15. The system of claim 8 further comprising a user interface component configured to provide an interface for a technician to guide threat analysis.

16. A computer-readable storage device encoded with instructions for controlling a computer system providing a back-end service to collect and analyze malware threats reported by client computers, by a method comprising:
- receiving a threat report from a client computer that identifies a malware threat, wherein the threat report includes executable code associated with the malware threat and environment information describing configuration settings of the client to allow recreating the client environment and executing the executable code for analysis in an environment that reproduces at a server the specific environment in which the executable code would execute on the client computer including the collected configuration settings of the client from which the executable code of the malware threat was collected, and wherein the threat report also includes historical data from the client computer that indicates how the malware threat initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B will execute the malware two separate times in two separate environments;
  
  1) the recreated environment of client A, and
  
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
  
  classifying the malware threat based on previously analyzed threats;
  
  building a signature for detecting the malware threat;
  
  determining mitigation actions for neutralizing the malware threat and producing a mitigation script based on the mitigation actions; and
  
  providing the signature and mitigation script to the client computer.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device of claim 16 wherein the received threat report includes historical execution information related to the malware threat.
  - 18. The device of claim 16 further comprising configuring an execution environment to reproduce the malware threat and executing the malware threat to gather additional information about the malware threat.
  - 19. The device of claim 16 wherein classifying the malware threat comprises identifying a family of malware that contains malware with matching characteristics to the malware threat.
  - 20. The device of claim 16 wherein providing the signature and mitigation script to the client computer comprises responding to a periodic request of the client computer for updated signature information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Polyakov, Alexey, Seinfeld, Marc, Mody, Jigar J., Sun, Ning, Lee, Tony, Chu, Chengyun
Primary Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US12/234,717
Publication Number

US 20100077481A1
Time in Patent Office

1,989 Days
Field of Search

713/188, 726/1, 726 3- 15, 726 22- 25, 726 27- 30, 726/17, 726/21
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/568 eliminating virus, restorin...

Collecting and analyzing malware data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Collecting and analyzing malware data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links