Systems and methods for automatically detecting backdoors
First Claim
1. A computer-implemented method for detecting a backdoor to a computer system, comprising:
- inspecting content comprising a malware candidate;
- configuring a virtual machine provided by a controller, the virtual machine executing an operating system instance and a program instance;
- executing the content comprising the malware candidate in the virtual machine;
- detecting whether the content comprising the malware candidate is listening to a port in the virtual machine, and identifying a port number associated with the port at which the content comprising the malware candidate is listening;
- determining whether the port number of the port at which the content comprising the malware candidate is listening is a black port by accessing a first repository that comprises a first data structure of port numbers of ports at which known malware has been detected as listening to determine whether the port number of the port is in the first data structure of the first repository, and initiating an access to a second repository that comprises a second data structure of port numbers of ports that are legally accessed by one or more programs including the program instance to determine whether the port number of the port is in the second data structure of the second repository;
- in response to the port number of the port being present in the first data structure of the first repository, reporting the content comprising the malware candidate as including the backdoor.
Abstract
Techniques for detecting malicious attacks may monitor activities during execution of content (e.g., network downloads and email) to identify an instruction backdoor on a computer. An instruction backdoor is malware that opens a port for listening for instructions from a remote server. Such instructions may trigger activation of malicious activity. These techniques employ virtual machines that, in a controlled and monitored environment, permit content, when loaded and executed, to open ports. When those ports are not the authorized ones used for communications by known programs installed on the computer, an instruction backdoor is discovered.
Claims (39 claims; 746 citations)
14. A system for detecting a backdoor to a computer system, comprising:
- a controller comprising a processor and a memory coupled with the processor and configured to store a repository for content comprising a malware candidate, the controller further comprising
  - a) a configurator adapted to inspect the content comprising the malware candidate and configure a virtual machine in response to the inspection, the virtual machine configured to execute an operating system instance and a program instance,
  - b) a virtual machine configured to execute the content comprising the malware candidate, and
  - c) a backdoor analyzer configured to (i) detect whether the content comprising the malware candidate is listening at a port in the virtual machine, (ii) identify a port number associated with the port at which the content comprising the malware candidate is listening, (iii) determine whether the port number of the port at which the content comprising the malware candidate is listening is a legal port by initiating an access to a first repository comprising at least one data structure containing a plurality of port numbers of ports that are legally accessed by the program instance so as to determine whether the port number of the port corresponds to one of the plurality of port numbers in the first repository, and (iv) determine whether the port number of the port at which the content comprising the malware candidate is listening is an illegal port by accessing a second repository comprising at least one data structure containing a plurality of port numbers of ports at which known malware has been detected as listening and comparing the port number of the port to the port numbers in the second repository; and
- an event generator coupled with the controller and an output interface, and configured to generate an event indicating, if an illegal port, that the content comprising the malware candidate includes the backdoor and identifying that the malware candidate should be treated as comprising malware.
28. A system for discovering an instruction backdoor to a digital device to detect malware, the system comprising:
- a controller comprising a memory and at least one virtual machine configured with a software profile which identifies at least one program and an operating system to mimic aspects of the digital device and, in a controlled and monitored environment, load and execute one or more objects; and
- a backdoor analyzer coupled for communication with the controller, a first repository and a second repository, the backdoor analyzer is configured to detect, during execution by the virtual machine of the one or more objects, a port opened by the one or more objects for listening for communications from an external system that is external to the digital device, wherein the backdoor analyzer is further configured to identify a port number for the port opened for listening, check whether the port number is associated with a black port by at least checking whether the port number for the opened port corresponds with an entry on a blacklist stored in the first repository of known malware, checking whether the port number for the opened port is absent from an entry on a whitelist stored in the second repository of ports used by the at least one program of the software profile, and responsive to the port number corresponding to the entry on the blacklist, reporting that the one or more objects include malware operating as the instruction backdoor.
35. A non-transitory computer readable storage medium having stored thereon instructions executable by a processor for performing a method, the method comprising the steps of:
- executing a program instance to process the content;
- detecting whether the program is listening to a port, and identifying a port number associated with the port;
- determining whether the port number of the port at which the program instance is listening is an authorized port, the determining comprises (i) accessing a blacklist repository that includes a first data structure of port numbers of ports at which known malware has been detected as listening, (ii) initiating an access of a whitelist repository that includes a second data structure of port numbers of ports that are legally accessed by programs, and (iii) determining whether the port number of the port is in the first data structure of the blacklist repository or is in the second data structure of the whitelist repository; and
- in response to (a) the port number of the port being within the first data structure of the blacklist repository or (b) the port number of the port being absent from the first data structure of the blacklist repository and the second data structure of the whitelist repository, reporting the content as containing a backdoor.
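The decision rule shared by the abstract and the independent claims above (a listening port is checked against a blacklist of ports known malware has listened on and a whitelist of ports the profile's programs legitimately use; a blacklist hit, or absence from both lists, is reported as a backdoor) reduces to a small amount of code once the sandbox has produced its list of observed listening sockets. The following is an added illustration of that classification step only, not code from the patent or its assignee. It assumes the virtual machine's monitor has already emitted listening events (constructed inline here as `ListenEvent` records), and the port repositories and software profile are constructed sample values, not data from the patent.

```python
"""Port-based backdoor classification, as described in the claims (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Set, Tuple

PortKey = Tuple[str, int]  # (protocol, port number)


class Verdict(Enum):
    BLACK_PORT = "black_port"      # present in the known-malware (first) repository
    LEGAL_PORT = "legal_port"      # present in the whitelist for the software profile
    UNKNOWN_PORT = "unknown_port"  # absent from both repositories


@dataclass(frozen=True)
class ListenEvent:
    """One listening socket observed in the sandbox VM (constructed input)."""
    process: str   # process that bound the socket
    protocol: str  # "tcp" or "udp"
    port: int


def build_whitelist(profile: Iterable[str],
                    program_ports: Dict[str, Set[PortKey]]) -> Set[PortKey]:
    """Union of the ports legitimately used by the programs in the VM's software profile."""
    allowed: Set[PortKey] = set()
    for program in profile:
        allowed |= program_ports.get(program, set())
    return allowed


def classify_port(protocol: str, port: int,
                  blacklist: Set[PortKey], whitelist: Set[PortKey]) -> Verdict:
    """Blacklist check first: a blacklisted port is reported even if it is also whitelisted."""
    key = (protocol.lower(), port)
    if key in blacklist:
        return Verdict.BLACK_PORT
    if key in whitelist:
        return Verdict.LEGAL_PORT
    return Verdict.UNKNOWN_PORT


def find_backdoors(events: Iterable[ListenEvent],
                   blacklist: Set[PortKey],
                   whitelist: Set[PortKey]) -> List[Tuple[ListenEvent, Verdict]]:
    """Events to report: blacklisted ports (rule a) and ports on neither list (rule b)."""
    reported = []
    for ev in events:
        verdict = classify_port(ev.protocol, ev.port, blacklist, whitelist)
        if verdict is not Verdict.LEGAL_PORT:
            reported.append((ev, verdict))
    return reported


# Constructed sample repositories and profile (hypothetical values).
KNOWN_MALWARE_PORTS: Set[PortKey] = {("tcp", 31337), ("tcp", 12345), ("udp", 31337)}
PROGRAM_PORTS: Dict[str, Set[PortKey]] = {
    "httpd": {("tcp", 80), ("tcp", 443), ("tcp", 8080)},
    "sshd": {("tcp", 22)},
}
PROFILE = ["httpd", "sshd"]

# Constructed listening events as a VM monitor might report them.
SAMPLE_EVENTS = [
    ListenEvent("httpd", "tcp", 443),        # legitimate server port from the profile
    ListenEvent("sample.exe", "tcp", 31337), # candidate binds a blacklisted port
    ListenEvent("sample.exe", "tcp", 4444),  # candidate binds a port on neither list
    ListenEvent("sample.exe", "tcp", 8080),  # candidate binds a whitelisted port
]


def demo() -> List[Tuple[ListenEvent, Verdict]]:
    whitelist = build_whitelist(PROFILE, PROGRAM_PORTS)
    return find_backdoors(SAMPLE_EVENTS, KNOWN_MALWARE_PORTS, whitelist)


if __name__ == "__main__":
    for ev, verdict in demo():
        print(f"{ev.process} listening on {ev.protocol}/{ev.port}: {verdict.value}")
```

Running `demo()` reports the 31337 and 4444 listeners and stays silent on 443 and 8080. The last case shows the limit of keying on port number alone, as the claims do: the candidate process binding 8080 is classified legal because the profile's web server uses that port. A deployment would normally keep the owning process in the event record, as this example does, so that a candidate listening on a profile program's port can be reviewed separately from the program itself.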
Specification