Detecting malware communication on an infected computing device

US 8,893,278 B1
Filed: 07/12/2011
Issued: 11/18/2014
Est. Priority Date: 07/12/2011
Status: Active Grant

First Claim

Patent Images

1. A gateway to couple a client device to a data source, the gateway comprising:

a behavior store including a rule identifying attributes associated with malicious data requests, the attributes including a User Agent field; and

a detection module to, upon receipt of a response to a data request previously received by the gateway, determine whether the data request is a malicious request by comparing a request attribute of the data request to the attributes associated with the malicious data requests, the detection module to, responsive to the identification of the malicious request, prevent transmission of the response to the malicious request, at least one of the behavior store and the detection module is implemented by hardware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Rules describing attributes of malicious data requests, commonly generated by malware, are determined and stored. For example, a behavior server executes different types of malware and analyzes the data requests produced by the malware to identify attributes common to different malicious data requests. The rules describing malicious data request attributes are stored and subsequent data requests are compared to the stored rules to identify malicious data requests. If a data request has one or more attributes in common with attributes of malicious data requests, the data request is blocked. This allows attributes of a data request to be used to prevent malware executing on a client device from communicating with a malicious server.

Citations

30 Claims

1. A gateway to couple a client device to a data source, the gateway comprising:
- a behavior store including a rule identifying attributes associated with malicious data requests, the attributes including a User Agent field; and
  
  a detection module to, upon receipt of a response to a data request previously received by the gateway, determine whether the data request is a malicious request by comparing a request attribute of the data request to the attributes associated with the malicious data requests, the detection module to, responsive to the identification of the malicious request, prevent transmission of the response to the malicious request, at least one of the behavior store and the detection module is implemented by hardware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The gateway of claim 1, wherein the gateway is to transmit the data request to the data source and the detection module is to compare a response attribute of the response with stored attributes to determine whether the data request is the malicious request.
  - 3. The gateway of claim 2, wherein the gateway is to block data corresponding to the data request from the data source responsive to (a) the comparison of the request attribute to the attributes associated with the malicious data requests, and (b) a comparison of attributes of data received from the data source responsive to the data request to attributes of data received in response to the malicious data request.
  - 4. The gateway of claim 1, wherein the gateway is to compare the request attribute to the attributes associated with the malicious data requests by parsing the data request into parsed attributes and comparing the parsed attributes with respective ones of the attributes associated with the malicious data requests.
  - 5. The gateway of claim 1, wherein the request attribute further comprises at least one of:
    - a Media Access Control (MAC) address, an Internet Protocol (IP) address, a computer name, a uniform resource indicator (URI), a uniform resource locator (URL), or a file name.
  - 6. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when the User Agent field is blank.
  - 7. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when a content size of the response is below a first threshold.
  - 8. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when the data request includes a payload that is encrypted and includes system configuration information.
  - 9. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when a response code of the response is 200, and a content type of the response is a web page.
  - 10. The gateway of claim 1, wherein the detection module is to identify the data request as malicious based on an analysis of the response to the data request.
  - 11. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when (1) the data request includes a payload that is encrypted, (2) the data request includes system configuration information, and (3) a content size of the response is below a content size threshold.
  - 12. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when a uniform resource indicator (URI) of the request includes a media access control address.
  - 13. The gateway of claim 1, wherein the detection module is to identify the data request as malicious when a payload of the response is an executable, and a content size of the executable is less than a threshold file size.

14. A method for identifying malicious data requests, the method comprising:
- upon receipt of a response to a forwarded data request;
  
  identifying attributes of the data request, the attributes of the data request including a User Agent;
  
  determining, with a processor, whether the data request is malicious by comparing the attributes of the data request to a rule identifying attributes associated with malicious data requests, the processor to identify the data request as malicious when a User Agent field includes at least one of a blank user agent, an unknown user agent, or a browser user agent; and
  
  responsive to determining the data request is malicious, blocking transmission of the response.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 15. The method of claim 14, wherein the attributes of the data request further comprise at least one of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a uniform resource indicator (URI), a uniform resource locator (URL), or a file name.
  - 16. The method of claim 15, wherein determining whether the data request is malicious comprises determining that the data request is malicious when the User Agent field of the data request matches a user agent associated with a malicious data request.
  - 17. The method of claim 15, wherein determining whether the data request is malicious comprises determining that the data request is malicious when a file name attribute of the data request matches a file name associated with a malicious data request.
  - 18. The method of claim 15, wherein determining whether the data request is malicious comprises determining that the data request is malicious when a uniform resource indicator (URI) of the data request includes a media access control address.
  - 19. The method of claim 14, further comprising, upon receipt of the response, analyzing the response to the data request.
  - 20. The method of claim 14, further comprising comparing attributes of the data received from the data source responsive to the data request with attributes of data received in response to a malicious data request.
  - 21. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when a length of the response is below a threshold length.
  - 22. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the request is malicious when the User Agent field is blank.
  - 23. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when a content size of the response is below a threshold length, a response code of the response is 200, and a content type of the response is a web page.
  - 24. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the request is malicious when the data request includes a payload that is encrypted and includes system configuration information.
  - 25. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when:
    - the User Agent field is a browser user agent;
      
      a uniform resource locator of the request includes a file name;
      
      a response code of the response is 200;
      
      a content size of the response is less than a threshold; and
      
      a content type of the response is a web page.
  - 26. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when:
    - the User Agent field is a browser user agent;
      
      a uniform resource locator of the data request includes a file name; and
      
      no response is received responsive to the data request.
  - 27. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when:
    - the User Agent field is a browser user agent;
      
      the request includes a payload that is encoded;
      
      the request includes an internal system configuration;
      
      a response code of the response is 200;
      
      a content size of the response is less than a content size threshold; and
      
      a content type of the response is a web page.
  - 28. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when:
    - a uniform resource identifier of the data request includes a Media Access Control (MAC) address; and
      
      a content type of the request is a web page.
  - 29. The method of claim 14, wherein determining whether the data request is malicious comprises determining that the data request is malicious when a payload of the response is an executable, and a content size of the executable is less than a threshold file size.

30. A tangible computer-readable storage disc or storage device comprising instructions which, when executed, cause a machine to at least:
- identify attributes of a received data request, the identified attributes including a User Agent field;
  
  determine whether the data request is malicious by comparing the attributes of the received data request to a rule identifying attributes associated with malicious data requests, the received data request identified as malicious when (1) the User Agent field includes at least one of a blank user agent, an unknown user agent, or a browser user agent, and (2) the received data request includes a payload that is encrypted and includes system configuration information; and
  
  responsive to determining the received data request is malicious, block transmission of the response message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Chechik, Daniel
Primary Examiner(s)
Lemma, Samson

Application Number

US13/181,106
Time in Patent Office

1,225 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0236   Filtering by address, proto...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Detecting malware communication on an infected computing device

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malware communication on an infected computing device

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links