Collecting and analyzing malware data
First Claim
1. A computer-implemented method for tracking malware execution on a client computer, the method comprising:
- detecting at the client computer a potential malware application;
- collecting at the client computer threat information about the potential malware application, wherein the threat information includes executable code of the potential malware application itself and environment information describing configuration settings of the client to allow recreating the client environment at an analysis server and executing the potential malware application for analysis in an environment that reproduces at a server the specific environment in which the potential malware application would execute on the client computer including the collected configuration settings of the client from which the executable code of the potential malware application was collected, and wherein the threat information also includes historical data from the client computer that indicates how the potential malware application initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B, will execute the malware two separate times in two separate environments:
  1) the recreated environment of client A, and
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
- submitting from the client computer the threat information to a back-end service for further analysis;
- receiving at the client computer a threat signature and mitigation information from the back-end service, wherein the signature includes data for detecting a threat confirmed by the back-end service; and
- applying on the client computer one or more mitigation actions to the detected potential malware application based on the signature received from the back-end service.
2 Assignments
0 Petitions
Abstract
A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.
63 Citations
20 Claims
1. Independent claim 1 is as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer system for detecting and removing malicious applications, the system comprising:
- a threat detection component configured to detect events on a client computer that indicate a potential malicious application;
- an information collection component configured to collect at the client computer information about the potential malicious application, wherein the collected information includes executable code of the potential malicious application itself and environment information describing configuration settings of the client to allow recreating the client environment and executing the potential malicious application for analysis in an environment that reproduces at a server the specific environment in which the potential malicious application would execute on the client computer including the collected configuration settings of the client from which the executable code of the potential malicious application was collected, and wherein the collected information also includes historical data from the client computer that indicates how the potential malicious application initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B, will execute the malware two separate times in two separate environments:
  1) the recreated environment of client A, and
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
- a communication component configured to communicate threat reports from the client computer to a back-end service and signatures for detecting malicious applications from the back-end service to the client computer;
- a threat data store configured to store information about potential malicious applications reported by client computers, a queue of potential malicious applications waiting to be analyzed, signatures for detecting malicious applications, and mitigation instructions for removing malicious applications from client computers;
- a threat analysis component configured to analyze received threat reports by recreating a specific client environment based on information collected from at least one client computer and executing the potential malicious application in a manner that the potential malicious application would execute on the client computer;
- a signature builder component configured to receive information about analyzed threats from the threat analysis component and create a signature for detecting instances of the threat; and
- a mitigation component configured to apply signatures and mitigation instructions to identify known threats and carry out mitigation actions in response to identified threat instances.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.

16. A computer-readable storage device encoded with instructions for controlling a computer system providing a back-end service to collect and analyze malware threats reported by client computers, by a method comprising:
- receiving a threat report from a client computer that identifies a malware threat, wherein the threat report includes executable code associated with the malware threat and environment information describing configuration settings of the client to allow recreating the client environment and executing the executable code for analysis in an environment that reproduces at a server the specific environment in which the executable code would execute on the client computer including the collected configuration settings of the client from which the executable code of the malware threat was collected, and wherein the threat report also includes historical data from the client computer that indicates how the malware threat initiated each action, such that the server, upon collecting potential malware applications from two different clients A and B, will execute the malware two separate times in two separate environments:
  1) the recreated environment of client A, and
  2) the recreated environment of client B based on the specific configuration settings collected from A and B;
- classifying the malware threat based on previously analyzed threats;
- building a signature for detecting the malware threat;
- determining mitigation actions for neutralizing the malware threat and producing a mitigation script based on the mitigation actions; and
- providing the signature and mitigation script to the client computer.
Dependent claims: 17, 18, 19, 20.

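The client/back-end loop that claims 1, 8 and 16 lay out (collect the code, the client's settings and the action history; queue the report; recreate one environment per reporting client; execute; classify against previously analyzed threats; build a signature and a mitigation script; return both to the client, which applies them only when the signature matches) can be modelled end to end in a few dozen lines. The following Python is an added example written for this page, not the patent's implementation. Everything in it is a constructed stand-in: `execute_in_environment` replays the client-reported history under the recreated settings instead of running a sample in a sandbox, the classifier is a Jaccard comparison of behaviour indicators, and the `dropper_family` indicators and the reports from clients A and B are made up. Client B's settings disallow autorun, so the same sample shows different behaviour in B's environment than in A's, which is why the claims require one execution per recreated environment rather than one shared run.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ThreatReport:
    """What the client collects (claim 1): code, settings to recreate the client, action history."""
    client_id: str
    executable: bytes
    environment: dict
    history: list = field(default_factory=list)   # how the application initiated each action


@dataclass
class ThreatDataStore:
    """Back-end store (claim 8): analysis queue, known families, signatures, mitigations."""
    queue: list = field(default_factory=list)
    known_families: dict = field(default_factory=dict)   # family -> set of behaviour indicators
    signatures: dict = field(default_factory=dict)       # family -> signature
    mitigations: dict = field(default_factory=dict)      # family -> mitigation script


def recreate_environment(report):
    """One environment per reporting client, built only from that client's own settings."""
    return dict(report.environment)


def execute_in_environment(report, env):
    """Constructed stand-in for the sandbox: replay the reported history, keeping an action
    only if its precondition holds in the recreated environment (a real back-end runs the code)."""
    observed = []
    for step in report.history:
        if all(env.get(k) == v for k, v in step.get("requires", {}).items()):
            observed.append((step["action"], step["target"]))
    return observed


def classify(observed, known_families, threshold=0.5):
    """Compare behaviour indicators with previously analyzed families (Jaccard similarity)."""
    indicators = {action for action, _ in observed}
    best, best_score = "unknown", 0.0
    for family, known in known_families.items():
        union = indicators | known
        score = len(indicators & known) / len(union) if union else 0.0
        if score > best_score:
            best, best_score = family, score
    return best if best_score >= threshold else "unknown"


def build_signature(report, observed, family):
    """Signature = confirmed family, hash of the collected code, observed behaviour indicators."""
    return {"family": family,
            "sha256": hashlib.sha256(report.executable).hexdigest(),
            "behaviour": sorted({action for action, _ in observed})}


# Undo step for each observed action (constructed mapping for this example).
MITIGATION_FOR = {"write_file": "delete_file", "set_autorun": "remove_autorun", "spawn_process": "terminate_process"}


def build_mitigation_script(observed):
    return [(MITIGATION_FOR[a], t) for a, t in observed if a in MITIGATION_FOR]


def analyze_queue(store):
    """Back-end loop (claim 16): recreate, execute, classify, sign, script, once per client."""
    results = {}
    while store.queue:
        report = store.queue.pop(0)
        env = recreate_environment(report)
        observed = execute_in_environment(report, env)
        family = classify(observed, store.known_families)
        signature = build_signature(report, observed, family)
        script = build_mitigation_script(observed)
        store.signatures[family] = signature
        store.mitigations[family] = script
        results[report.client_id] = {"env": env, "observed": observed, "family": family,
                                     "signature": signature, "script": script}
    return results


def apply_mitigation(client_state, signature, script):
    """Client side: act only if the confirmed signature matches the binary on this machine."""
    if hashlib.sha256(client_state["binary"]).hexdigest() != signature["sha256"]:
        return client_state
    state = {k: (set(v) if isinstance(v, set) else v) for k, v in client_state.items()}
    target_set = {"delete_file": "files", "remove_autorun": "autorun", "terminate_process": "processes"}
    for action, target in script:
        state[target_set[action]].discard(target)
    return state


def run_demo():
    """Constructed reports from clients A and B carrying the same sample; only A allows autorun."""
    sample = b"constructed sample, not a real binary"
    history = [{"action": "write_file", "target": "/tmp/dropper.dll"},
               {"action": "set_autorun", "target": "Run/upd", "requires": {"autorun_allowed": True}},
               {"action": "spawn_process", "target": "upd.exe"}]
    store = ThreatDataStore(known_families={"dropper_family": {"write_file", "set_autorun", "spawn_process"}})
    store.queue.append(ThreatReport("A", sample, {"os": "win10", "autorun_allowed": True}, history))
    store.queue.append(ThreatReport("B", sample, {"os": "win7", "autorun_allowed": False}, history))
    results = analyze_queue(store)
    client_a = {"binary": sample, "files": {"/tmp/dropper.dll", "/tmp/notes.txt"},
                "autorun": {"Run/upd"}, "processes": {"upd.exe", "explorer.exe"}}
    cleaned = apply_mitigation(client_a, results["A"]["signature"], results["A"]["script"])
    return results, cleaned


if __name__ == "__main__":
    res, cleaned = run_demo()
    print({c: (r["family"], r["observed"]) for c, r in res.items()}, cleaned)
```

Running it shows both clients classified into the same family from the same code hash while their observed behaviour differs (B never reaches the autorun step), and the mitigation script for A removing exactly the file, autorun entry and process that the recreated run produced, while the client leaves unrelated files and processes alone.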
Specification