Systems and methods for malware detection and scanning

US 8,832,836 B2
Filed: 12/30/2010
Issued: 09/09/2014
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method operating in a computing device, the method comprising:

receiving, at the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed;

launching, in the computing device, a virtual machine in response to the received malware scan request;

launching, in the virtual machine of the computing device and in response to the received malware scan request, an internet browser of the type and version;

requesting, by the internet browser in the virtual machine and in response to the received malware scan request, data from the web page, over a network;

performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes;

performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and

correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.

62 Citations

View as Search Results

23 Claims

1. A computer-implemented method operating in a computing device, the method comprising:
- receiving, at the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed;
  
  launching, in the computing device, a virtual machine in response to the received malware scan request;
  
  launching, in the virtual machine of the computing device and in response to the received malware scan request, an internet browser of the type and version;
  
  requesting, by the internet browser in the virtual machine and in response to the received malware scan request, data from the web page, over a network;
  
  performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes;
  
  performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
  
  correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further including:
    - processing packet capture (pcap) files.
  - 3. The computer-implemented method of claim 1, further including:
    - emulating a document object model (DOM) tree corresponding to the software objects.
  - 4. The computer-implemented method of claim 1, further including:
    - comparing at least one of uniform resource identifier (URI), universal resource locator (URL) data, or uniform resource number (URN) data associated with the web page against one or more lists.
  - 5. The computer-implemented method of claim 1, further including:
    - reviewing raw network traffic between two systems to identify potential malware.
  - 6. The computer-implemented method of claim 5, wherein the potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 7. The computer-implemented method of claim 1, further including:
    - matching a pattern of the web page with one or more other patterns known to be indicative of malware.
  - 8. The method of claim 1, further comprising:
    - launching, in the computing device, a plurality of virtual machines in response to the received malware scan request;
      
      launching, in each of the plurality of virtual machines of the computing device, an internet browser of the type and version if received in the malware scan request; and
      
      requesting, by the internet browser in each of the virtual machines, data from the web page over the network;
      
      wherein analysis on the web page is performed based on data received from each of the plurality of virtual machines.
  - 9. The method of claim 1, wherein the computing device is a thick spoke utilizing a diversity of IP addresses to perform web crawling.

10. A computing device for scanning and detection, the device comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access memory and to execute instructions to;
  
  receive, at the computing device, a malware scan request comprising a type and version of a browser and one or more parameters, the one or more parameters including target uniform resource (URIs), uniform resource locators (URLs) and/or uniform resource names (URNs) used to identify a web page upon which malware scanning is to be performed;
  
  launch, in the computing device, a virtual machine in response to the received malware scan request;
  
  launch, in the virtual machine, an internet browser of the type and version;
  
  request, by the internet browser in the virtual machine, data from the web page over a network; and
  
  perform, in the virtual machine of the computing apparatus, analysis on the determined web page using one or more analysis tools, wherein when the at least one processor is configured to perform the analysis, the at least one processor is further configured to;
  
  perform monitoring and recording of system application programming interface (API) calls,create software objects associated with the web page,perform antivirus scanning of the software objects,de-obfuscate code associated with the software objects, andcorrelate data associated with the analysis that is performed to determine if the web page is a malicious web page.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computing device of claim 10, wherein the at least one processor is further configured to:
    - process packet capture (pcap) files.
  - 12. The computing device of claim 10, wherein the at least one processor is further configured to:
    - emulate a document object model (DOM) tree corresponding to the software objects.
  - 13. The computing device of claim 10, wherein the at least one processor is further configured to:
    - compare universal resource locator (URL) data associated with the web page against one or more lists.
  - 14. The computing device of claim 10, wherein the at least one processor is further configured to:
    - review raw network traffic between two systems to identify potential malware.
  - 15. The computing device of claim 14, wherein the potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 16. The computing device of claim 10, wherein the at least one processor is further configured to:
    - match a pattern of the web page with one or more other patterns known to be indicative of malware.

17. A non-transitory computer-readable medium containing instructions that, when implemented by a computing device, cause the computing device to perform a method comprising:
- receiving, at the computing device, a malware scan request comprising a type and version of a browser and one or more parameters, the one or more parameters including target uniform resource (URIs), uniform resource locators (URLs) and/or uniform resource names (URNs) used to identify a web page upon which malware scanning is to be performed;
  
  launching, in the computing device, a virtual machine in response to the received malware scan request;
  
  launching, in the virtual machine of the computing device, an internet browser of the type and version;
  
  requesting, by the internet browser in the virtual machine, data from the web page over a network; and
  
  performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes;
  
  performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
  
  correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the method further includes:
    - processing packet capture (pcap) files.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the method further includes:
    - emulating a document object model (DOM) tree corresponding to the software objects.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the method further includes:
    - comparing at least one of uniform resource identifier (URI) data, universal resource locator (URL) data, or uniform resource number (URN) data associated with the web page against one or more lists.
  - 21. The non-transitory computer-readable medium of claim 17, wherein the method further includes:
    - reviewing raw network traffic between two systems to identify potential malware.
  - 22. The non-transitory computer-readable medium of claim 21, wherein the potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 23. The non-transitory computer-readable medium of claim 17, wherein the method further includes:
    - matching a pattern of the web page with one or more other patterns known to be indicative of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Thomas, Ralph, LaPilla, Michael, Tonn, Trevor, Sinclair, Gregory, Hartstein, Blake, Cote, Matthew
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US12/982,508
Publication Number

US 20120174224A1
Time in Patent Office

1,349 Days
Field of Search

726 24- 25
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Systems and methods for malware detection and scanning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware detection and scanning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links