Malicious content analysis using simulated user interaction without user involvement

US 9,104,867 B1
Filed: 03/13/2013
Issued: 08/11/2015
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious content, the method comprising:

monitoring, by a monitoring module executed by a processor, activities behaviors of a malicious content suspect executed within a sandboxed operating environment;

detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;

in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and

analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malicious content using simulated user interactions are described herein. In one embodiment, a monitoring module monitors activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of a predetermined event triggered by the malicious content suspect requesting a user action on a graphical user interface (GUI) presented by the malicious content suspect, simulating, a user interaction module simulates a user interaction with the GUI without user intervention. An analysis module analyzes activities of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.

590 Citations

44 Claims

1. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, activities behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the detecting the event comprises detecting a notification from an operating system that the malicious content suspect has initiated signaling to a GUI Application Programming Interface to display the dialog box.
  - 3. The method of claim 1, wherein the predetermined button when activated is to dismiss the dialog box.
  - 4. The method of claim 1, wherein the detecting of the event comprises intercepting a call by the malicious content suspect to an Application Programming Interface.
  - 5. The method of claim 1, wherein the monitoring of the behaviors of the malicious content suspect comprises registering a hook to a GUI Application Programming Interface of an operating system.
  - 6. The method of claim 5, wherein the detecting of the event comprises receiving a notification from the operating system of a communication from the malicious content suspect to the GUI Application Programming Interface to display the dialog box.
  - 7. The method of claim 1, wherein prior to sending the response, the simulating of the user interaction further comprises (i) building an internal data structure that represents content and layout of the dialog box, (ii) comparing the internal data structure to a library of dialogs stored in memory, and (iii) upon matching one of the dialogs, obtaining information associated with a matched dialog to dismiss the dialog box.
  - 8. The method of claim 1, wherein the analyzing of the behaviors of the malicious content suspect comprises analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 9. The method of claim 1, wherein the simulating of the user interaction with the GUI operating as the dialog box is conducted without displaying the dialog box.

10. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompt for user interaction;
  
  in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises automatically, without user intervention, sending a command representing an activation of a predetermined button presented by the dialog box for receipt by the malicious content suspect, the command to represent execution or storage of an attached file.
- View Dependent Claims (11)
- - 11. The method of claim 10, further comprising monitoring activities of the malicious content suspect with respect to the attached file or execution of the attached file to determine whether the attached file is a malicious content related file.

12. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompt for user interaction;
  
  in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, and returning a return code to the malicious content suspect without sending the system call to the operating system, the return code indicating a user action representing a CLOSE command to prevent the GUI from being displayed.

13. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompt for user interaction;
  
  in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, forwarding the system call to the operating system to display the GUI, transmitting, without user intervention, a command to the operating system simulating a user activation of a CLOSE button of the GUI to terminating the GUI, and returning a return code received from the operating system to the malicious content suspect, the return code representing a status of executing the simulated CLOSE command by the operating system.

14. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompt for user interaction;
  
  in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, the GUI prompting a user to select a file for access, (ii) automatically, without user intervention, selecting a file based on a type of the file being requested based on the system call, and (iii) populating and returning a returning structure of selecting the file without sending the system call to the operating system.

15. A computer-implemented method for detecting malicious content, the method comprising:
- monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompt for user interaction;
  
  in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
  
  analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises invoking an automated scripting environment to simulate user interaction on the GUI.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the monitoring of the behaviors of the malicious content comprises executing the malicious content suspect within the automated scripting environment and, upon detecting the request, the monitoring module provides executable instructions to the user interaction module.
  - 17. The method of claim 16, wherein the simulating of the user interaction comprises processing the executable instructions by the user interaction module and, during the processing of the executable instructions, a command is provided to the automated scripting environment so as to simulate the user interaction.
  - 18. The method of claim 15, wherein the detecting of the event comprises providing a script to the user interaction module.
  - 19. The method of claim 15, wherein the simulating of the user interaction comprises executing one or more instructions to return a command to the malicious content suspect to simulate the user interaction.

20. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The medium of claim 20, wherein the detecting the request comprises detecting a notification from an operating system that the malicious content suspect has initiated signaling to a GUI Application Programming Interface to display the dialog box.
  - 22. The medium of claim 20, wherein the predetermined button when activated is to dismiss the dialog box.
  - 23. The medium of claim 20, wherein the detecting of the event, conducted in response to execution of the stored instructions by the processor, comprises intercepting a call initiated by the malicious content suspect to an Application Programming Interface.
  - 24. The medium of claim 20, wherein the monitoring of the behaviors of the malicious content suspect, conducted in response to execution of the stored instructions by the processor, comprises registering a hook to a GUI Application Programming Interface of an operating system.
  - 25. The medium of claim 24, wherein the detecting of the event comprises receiving a notification from the operating system of a communication initiated by the malicious content suspect to the GUI Application Programming Interface to display the dialog box.
  - 26. The medium of claim 20, wherein prior to sending the response, the simulating of the user interaction, conducted in response to execution of the stored instructions by the processor, further comprises (i) building an internal data structure that represents content and layout of the dialog box, (ii) comparing the internal data structure to a library of dialogs stored in memory, and (iii) upon matching one of the dialogs, obtaining information associated with a matched dialog to dismiss the dialog box.
  - 27. The medium of claim 20, wherein the analyzing of the behaviors of the malicious content suspect, conducted in response to execution of the stored instructions by the processor, comprises analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 28. The medium of claim 20, wherein the simulating of the user interaction with the GUI operating as the dialog box is conducted without displaying the dialog box.

29. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises automatically, without user intervention, sending a command representing an activation of a predetermined button presented by the GUI for receipt by the malicious content suspect, the commend to represent execution or storage of an attached file.
- View Dependent Claims (30)
- - 30. The medium of claim 29, wherein the processor performs further operations comprising monitoring activities of the malicious content suspect with respect to the attached file or execution of the attached file to determine whether the attached file is a malicious content related file.

31. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, and returning a return code to the malicious content suspect without sending the system call to the operating system, the return code indicating a user action representing a CLOSE command to prevent the GUI from being displayed.

32. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, forwarding the system call to the operating system to display the GUI, transmitting without user intervention a command to the operating system simulating a user activation of a CLOSE button of the GUI to terminating the GUI, and returning a return code received from the operating system to the malicious content suspect, the return code representing a status of executing the simulated CLOSE command by the operating system.

33. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, the GUI prompting a user to select a file for access, automatically, without user intervention, selecting a file based on a type of the file being requested based on the system call, and populating and returning a returning structure of selecting the file without sending the system call to the operating system.

34. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
- monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
  
  detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
  
  in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein simulating the user interaction comprises invoking an automated scripting environment to simulate user interactions on the GUI.

35. A malicious content detection system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory to storea monitoring module that, when executed by the processor, (i) monitors behaviors of a malicious content suspect executed within a sandboxed operating environment and (ii) detects, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction,a user interaction module in communication with the monitoring module that, when executed by the processor and in response to detecting the event to display the GUI triggered by the malicious content suspect, simulates the user interaction with the GUI without user intervention by automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect, andan analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42)
- - 36. The system of claim 35, wherein the predetermined button when activated is to dismiss the dialog box.
  - 37. The system of claim 35, wherein detecting of the event by the monitoring module comprises intercepting a call initiated by the malicious content suspect to an Application Programming Interface.
  - 38. The system of claim 35, wherein monitoring of the behaviors of the malicious content suspect by the monitoring modules comprises registering a hook to a GUI Application Programming Interface of an operating system.
  - 39. The system of claim 38, wherein detecting of the event by the monitoring module comprises receiving a notification from the operating system of a communication from the malicious content suspect to the GUI Application Programming Interface to display the dialog box.
  - 40. The system of claim 35, wherein prior to sending the response, the user interaction module, when executed by the processor, further (i) builds an internal data structure that represents content and layout of the dialog box, (ii) compares the internal data structure to a library of dialogs stored in memory, and (iii) upon matching one of the dialogs, obtains information associated with a matched dialog to dismiss the dialog box.
  - 41. The system of claim 35, wherein the analysis module, when executed by the processor, analyzes the behaviors of the malicious content suspect by at least analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 42. The system of claim 35, wherein the simulating of the user interaction with the GUI operating as the dialog box is conducted without displaying the dialog box.

43. A malicious content detection system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory to storea monitoring module that, when executed by the processor, (i) monitors behaviors of a malicious content suspect executed within a sandboxed operating environment and (ii) detects, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction,a user interaction module in communication with the monitoring module that, when executed by the processor and in response to detecting the event to display the GUI triggered by the malicious content suspect, simulates the user interaction with the GUI without user intervention by automatically, without user intervention, sending a response representing an activation of a predetermined button of dialog box for receipt by the malicious content suspect, andan analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,wherein the user interaction module is configured to automatically, without user intervention, send a command representing an activation of a predetermined button presented by the GUI for receipt by the malicious content suspect, the command to represent to conduct an execution or a storage of an attached file.
- View Dependent Claims (44)
- - 44. The system of claim 43, wherein the monitoring module is further configured to monitor activities of the malicious content suspect with respect to the attached file or execution of the attached file to determine whether the attached file is a malicious content related file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Amin, Muhammad, Thioux, Emmanuel, Kindlund, Darien, Pilipenko, Alex, Vincent, Michael
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US13/801,532
Time in Patent Office

881 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Malicious content analysis using simulated user interaction without user involvement

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

590 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious content analysis using simulated user interaction without user involvement

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

590 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links