Systems and methods for malware attack detection and identification

US 8,881,282 B1
Filed: 03/12/2007
Issued: 11/04/2014
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malware detection and identification system, comprising:

a controller comprising an analysis environment including a virtual machine, the analysis environment being configured toreceive a copy of network data by the virtual machine of the analysis environment, flag input values associated with (i) the copy of the network data from one or more untrusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine,monitor the flagged input values during execution by the virtual machine of one or more instructions that manipulate the flagged input values within the virtual machine,identify an outcome of the one or more instructions by tracking each of the one or more instructions, anddetermine whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary systems and methods for malware attack detection and identification are provided. A malware detection and identification system can comprise a controller. The controller can comprise an analysis environment configured to transmit network data to a virtual machine, flag input values associated with the network data from untrusted sources, monitor the flagged input values within the virtual machine, identify an outcome of one or more instructions that manipulate the flagged input values, and determine if the outcome of the one or more instructions comprise an unauthorized activity.

597 Citations

66 Claims

1. A malware detection and identification system, comprising:
- a controller comprising an analysis environment including a virtual machine, the analysis environment being configured toreceive a copy of network data by the virtual machine of the analysis environment, flag input values associated with (i) the copy of the network data from one or more untrusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine,monitor the flagged input values during execution by the virtual machine of one or more instructions that manipulate the flagged input values within the virtual machine,identify an outcome of the one or more instructions by tracking each of the one or more instructions, anddetermine whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The system of claim 1, wherein the analysis environment is further configured to analyze the copy of the network data with a heuristic to determine if the copy of the network data is suspicious prior to the copy of the network data being provided to the virtual machine.
  - 3. The system of claim 1, wherein the flagged input values associated with the copy of the network data is information within the copy of the network data.
  - 4. The system of claim 1, wherein the flagged input values associated with the copy of the network data comprise input values arithmetically derived from the copy of the network data.
  - 5. The system of claim 1, wherein the analysis environment is further configured to generate one or more unauthorized activity signatures based on the determination.
  - 6. The system of claim 5, wherein the unauthorized activity signature is utilized to block a malware attack vector.
  - 7. The system of claim 5, wherein the unauthorized activity signature is utilized to block a malware attack payload.
  - 8. The system of claim 5, wherein the unauthorized activity signature is utilized to block a class of malware attacks.
  - 9. The system of claim 5, wherein the controller further comprises a signature module configured to transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.
  - 10. The system of claim 1, wherein the analysis environment configured to monitor the flagged input values comprises the analysis environment configured to monitor at least one byte of the flagged input values at the processor instruction level.
  - 11. The system of claim 1, wherein the copy of the network data includes the flagged input values and the one or more instructions.
  - 12. The system of claim 1, wherein the controller continuing to monitor flagged input values for a data flow until the unauthorized activity associated with a malware attack has completed.
  - 13. The system of claim 12, wherein the identified outcome being used to generate multiple signatures to block subsequent malware attacks.
  - 14. The system of claim 1, wherein the controller to determine whether the identified outcome of the one or more instructions comprises the redirection in the control flow that constitutes the unauthorized activity by determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions overwrites the jump target, the jump target being one of a return address, a function pointer or a function pointer offset.
  - 15. The system of claim 1, wherein the controller to determine whether the identified outcome of the one or more instructions comprises the direction in the control flow that constitutes the unauthorized activity by determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions attempts to overwrite the jump target to redirect a data flow including the network data.
  - 16. The system of claim 1, wherein the execution of the one or more instructions manipulates the flagged input values by affecting or using the flagged input values.
  - 17. The system of claim 1, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is to access the memory location containing the copy of the network data.
  - 18. The system of claim 1, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is an attempt to circumvent security checks.
  - 19. The system of claim 1, wherein the controller to determine whether the identified outcome of the one or more instructions comprises the redirection in the control flow by determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions attempts to overwrite the jump target to redirect control flow to another point in an application.
  - 20. The system of claim 1, wherein the controller to determine whether the identified outcome of the one or more instructions that comprises the redirection in the control flow constitutes unauthorized activity by providing a malicious format string to a program being executed by the virtual machine that either provides access to data or writes a value to a specific memory address.
  - 21. The system of claim 1, wherein the controller to determine whether the identified outcome of the one or more instructions that comprises the redirection in the control flow constitutes unauthorized activity by overwriting data to be subsequently used as an argument to a system call.
  - 22. The system of claim 1, wherein the controller further comprises a heuristic module that flags the input values associated with the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine.
  - 23. The system of claim 22, wherein the controller further comprises a policy engine that flags the input values associated with the copy of the network data from one or more untrusted sources.
  - 24. The system of claim 1, wherein a policy engine flags the input values associated with the copy of the network data that comprises suspicious network data based on a predetermined policy.
  - 25. The system of claim 24, wherein the predetermined policy comprises the policy engine flagging the one or more input values associated with the copy of the network data when the network data is transmitted from a device that does not normally transmit network data.
  - 26. The system of claim 1, wherein the controller is communicatively coupled to a router.
  - 27. The system of claim 26, wherein the controller transmits a signature to the router for use by the router in blocking one or more of a malware attack vector, a malware attack payload, or a class of malware attacks.
  - 28. The system of claim 27, wherein the signature transmitted by the controller to the router comprises a binary code pattern.

29. A malware detection and identification method comprising:
- transmitting a copy of the network data to a virtual machine;
  
  flagging input values associated with (i) the copy of the network data from one or more untrusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine;
  
  monitoring the flagged input values during execution of one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions manipulate the flagged input values;
  
  identifying an outcome of the one or more instructions that manipulate the flagged input values by tracking each of the one or more instructions; and
  
  determining whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 30. The method of claim 29, wherein prior to transmitting the copy of the network data to the virtual machine, the method further comprising analyzing the copy of the network data with a heuristic to determine if the copy of the network data is suspicious.
  - 31. The method of claim 29, wherein the flagged input values associated with the copy of the network data is information within the copy of the network data.
  - 32. The method of claim 29, wherein the flagged input values associated with the copy of the network data comprise input values arithmetically derived from the copy of the network data.
  - 33. The method of claim 29, further comprising generating one or more unauthorized activity signatures based on the determination.
  - 34. The method of claim 33, wherein the unauthorized activity signature is utilized to block a malware attack vector.
  - 35. The method of claim 33, wherein the unauthorized activity signature is utilized to block a malware attack payload.
  - 36. The method of claim 33, wherein the unauthorized activity signature is utilized to block a class of malware attacks.
  - 37. The method of claim 33, further comprising transmitted the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.
  - 38. The method of claim 29, wherein monitoring the flagged input values comprises monitoring at least one byte of the flagged input values at the processor instruction level.
  - 39. The method of claim 29, wherein the execution by the virtual machine of the one or more instructions manipulates the flagged input values by affecting or using the flagged input values.
  - 40. The method of claim 29, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is to access the memory location containing the copy of the network data.
  - 41. The method of claim 29, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is an attempt to circumvent security checks.
  - 42. The method of claim 29, wherein the determining whether the identified outcome of the one or more instructions comprises the redirection in the control flow by determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions attempts to overwrite the jump target to redirect control flow to another point in an application.
  - 43. The method of claim 29, wherein the determining whether the identified outcome of the one or more instructions constitutes unauthorized activity comprises providing a malicious format string to a program being executed by the virtual machine that either provides access to data or writes a value to a specific memory address.
  - 44. The method of claim 29, wherein the determining whether the identified outcome of the one or more instructions constitutes unauthorized activity comprises overwriting data to be subsequently used as an argument to a system call.
  - 45. The method of claim 29, wherein the flagging of the input values associated with the copy of the network data from the one or more untrusted sources is conducted by a policy engine.
  - 46. The method of claim 45, wherein the flagging of the input values associated with the copy of the network data is performed by the policy engine when the network data is transmitted from a device that does not normally transmit network data.
  - 47. The method of claim 29, wherein the flagging of the input values associated with the copy of the network data that comprises suspicious network data is conducted by a heuristic engine prior to analysis by the virtual machine.

48. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware determination and identification method of operation, comprising:
- transmitting a copy of the network data to a virtual machine;
  
  flagging input values associated with (i) the copy of the network data from one or more trusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine;
  
  monitoring the flagged input values during execution of one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions manipulate the flagged input values;
  
  identifying an outcome of the one or more instructions by tracking each of the one or more instructions; and
  
  determining whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 49. The non-transitory machine readable medium of claim 48, wherein the processor to further perform an operation that comprises analyzing the copy of the network data with a heuristic to determine if the network data is suspicious prior to transmitting the copy of the network data to the virtual machine.
  - 50. The non-transitory machine readable medium of claim 48, wherein the input values associated with the copy of the network data comprises information within the copy of the network data.
  - 51. The non-transitory machine readable medium of claim 48, wherein the input values associated with the copy of the network data comprise input values arithmetically derived from the copy of the network data.
  - 52. The non-transitory machine readable medium of claim 48, wherein the processor to perform the execution by the virtual machine of the one or more instructions that manipulates the flagged input values to affect or use the flagged input values.
  - 53. The non-transitory machine readable medium of claim 48, wherein the processor to perform the redirection in the control flow during execution by the virtual machine of the one or more instructions to access the memory location containing the copy of the network data.
  - 54. The non-transitory machine readable medium of claim 48, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is an attempt to circumvent security checks.
  - 55. The non-transitory machine readable medium of claim 48, wherein the processor to perform an operation of determining whether the identified outcome of the one or more instructions comprises the redirection in the control flow by at least determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions attempts to overwrite the jump target to redirect control flow to another point in an application.
  - 56. The non-transitory machine readable medium of claim 48, wherein the flagging of the input values associated with the copy of the network data from the one or more untrusted sources is conducted by a policy engine.
  - 57. The non-transitory machine readable medium of claim 48, wherein the flagging of the input values associated with the copy of the network data is performed by a policy engine when the network data is transmitted from a device that does not normally transmit network data.
  - 58. The non-transitory machine readable medium of claim 48, wherein the flagging of the input values associated with the copy of the network data that comprises suspicious network data is conducted by a heuristic engine prior to analysis by the virtual machine.

59. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware determination and identification method of operation comprising:
- providing network data to a virtual machine, the network data including information associated with input values and one or more instructions;
  
  flagging input values associated with (i) the network data from one or more untrusted sources or (ii) the network data that comprises suspicious network data as determined prior to analysis by the virtual machine;
  
  monitoring the flagged input values during execution of the one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions alter the flagged input values; and
  
  determining whether execution of the one or more instructions within the virtual machine altered the flagged input values, and if so, whether the altered flagged input values indicate unauthorized activity by a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the network data or (ii) a standard library function.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66)
- - 60. The non-transitory machine readable medium of claim 59, wherein the input values associated with the network data is information within the network data.
  - 61. The non-transitory machine readable medium of claim 59, wherein the input values associated with the network data comprise input values arithmetically derived from the network data.
  - 62. The non-transitory machine readable medium of claim 59, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is to access the memory location containing the network data.
  - 63. The non-transitory machine readable medium of claim 59, wherein the redirection in the control flow during execution by the virtual machine of the one or more instructions is an attempt to circumvent security checks.
  - 64. The non-transitory machine readable medium of claim 59, wherein the processor to perform an operation of determining whether the identified outcome of the one or more instructions comprises the redirection in the control flow by at least determining whether the flagged input value corresponds to a jump target and the execution of the one or more instructions attempts to overwrite the jump target to redirect control flow to another point in an application.
  - 65. The non-transitory machine readable medium of claim 59, wherein the flagging of the input values associated with the network data that comprises suspicious network data as determined prior to analysis by the virtual machine is conducted, at least in part, by a heuristic module prior to providing the network data and the flagged input values to the virtual machine.
  - 66. The non-transitory machine readable medium of claim 65, wherein the flagging of the input values associated with the network data from one or more untrusted sources is conducted, at least in part, by a policy engine communicatively coupled to the heuristic engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/717,476
Time in Patent Office

2,794 Days
Field of Search

380/270, 380/255, 380/247, 713/150, 713/100, 713/182, 713/188, 713/189, 726/26, 726/27, 726/28, 726/29, 726/30, 709/201, 709/212, 709/213, 709/220, 709/223, 709/200
US Class Current

726/24
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 2221/034   Test or assess a computer o...

G06F 9/00   Arrangements for program co...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for malware attack detection and identification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

597 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware attack detection and identification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

597 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links