Monitoring for problems and detecting malware

US 9,154,364 B1
Filed: 04/15/2010
Issued: 10/06/2015
Est. Priority Date: 04/25/2009
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malware, comprising:

a computer processor;

a detection engine executing on the computer processor and configured to;

emulate presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;

create a structure indicating relationships among the structural elements of the web page;

identify a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;

modify the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;

determine that the dynamic element is associated with malware;

determine a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element; and

a quarantine engine configured to;

transmit a quarantine instruction based on the dynamic lineage and the signal.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a suspicious element in a web page is disclosed. The page is analyzed, such as through static analysis and/or dynamic analysis techniques. A suspicious element in the page is detected. A report that includes a copy of at least a portion of the suspicious element is provided as output.

64 Citations

View as Search Results

21 Claims

1. A system for detecting malware, comprising:
- a computer processor;
  
  a detection engine executing on the computer processor and configured to;
  
  emulate presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
  
  create a structure indicating relationships among the structural elements of the web page;
  
  identify a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
  
  modify the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
  
  determine that the dynamic element is associated with malware;
  
  determine a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element; and
  
  a quarantine engine configured to;
  
  transmit a quarantine instruction based on the dynamic lineage and the signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein emulating presentation of the web page involves loading a first instance of the web page in a first virtual machine and loading a second instance of the web page in a second virtual machine, wherein the first virtual machine and the second virtual machine emulate different environments for presenting the web page.
  - 3. The system of claim 1, wherein the dynamic element comprises one selected from a group consisting of an iframe, a script tag, an advertisement tag, an object tag, an embed tag, and an applet tag.
  - 4. The system of claim 1, wherein the detection engine is further configured to:
    - log, in the structure, redirected requests for content of the dynamic element;
      
      determine that the dynamic element comprises malware; and
      
      analyze the redirected requests to determine a source of the malware.
  - 5. The system of claim 1, wherein the detection engine is configured with a hook into a scripting engine, and wherein determining a dynamic lineage of the dynamic element comprises:
    - adding the script node to the structure;
      
      pushing a pointer to the script node onto the stack in response to detecting that the scripting engine is entered;
      
      adding a new node to the structure while the pointer is on the stack, wherein the new node comprises a dynamic parent pointer pointing back to the script node; and
      
      popping the pointer off the stack in response to detecting that the scripting engine is exited.
  - 6. The system of claim 1, wherein the signal is a hard signal indicating that the dynamic element comprises malware and additional analysis need not be performed to confirm that the dynamic element comprises malware.
  - 7. The system of claim 1, wherein the signal is a soft signal indicating that the dynamic element potentially comprises the malware and additional analysis should be performed to confirm that the dynamic element comprises malware.
  - 8. The system of claim 1, wherein the execution of a script included in the script node causes the dynamic element to be created.

9. A method for detecting malware, comprising:
- emulating presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
  
  creating a structure indicating relationships among the structural elements of the web page;
  
  identifying a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
  
  modifying the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
  
  determining that the dynamic element is associated with malware;
  
  determining a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element;
  
  generating a signal indicating that the dynamic element is associated with malware; and
  
  transmitting a quarantine instruction based on the dynamic lineage and the signal.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein emulating presentation of the web page involves loading a first instance of the web page in a first virtual machine and loading a second instance of the web page in a second virtual machine.
  - 11. The method of claim 9, further comprising:
    - logging, in the structure, redirected requests for content of the dynamic element;
      
      determining that the dynamic element comprises malware; and
      
      analyzing the redirected requests to determine a source of the malware.
  - 12. The method of claim 9, wherein determining a dynamic lineage of the dynamic element comprises:
    - adding the script node to the structure;
      
      pushing a pointer to the script node onto the stack in response to detecting that the scripting engine is entered;
      
      adding a new node to the structure while the pointer is on the stack, wherein the new node comprises a dynamic parent pointer pointing back to the script node; and
      
      popping the pointer off the stack in response to detecting that the scripting engine is exited.
  - 13. The method of claim 9, wherein the signal is a hard signal indicating that the dynamic element comprises malware and additional analysis need not be performed to confirm that the web page comprises malware.
  - 14. The method of claim 9, wherein the signal is a soft signal indicating that the dynamic element potentially comprises malware and additional analysis should be performed to confirm that the web page comprises malware.
  - 15. The method of claim 9, wherein the execution of a script included in the script node causes the dynamic element to be created.

16. A non-transitory computer readable storage medium comprising a plurality of instructions for detecting malware, the plurality of instructions, when executed by at least one processor, comprising functionality to:
- emulate presentation of a web page comprising a plurality of structural elements, the structural elements comprising a body node and a script node;
  
  create a structure indicating relationships among the structural elements of the web page;
  
  identify a dynamic element created in response to executing the script node in a scripting engine while emulating presentation of the web page;
  
  modify the structure to reference the dynamic element, the structure identifying the body node as a parent of the dynamic element;
  
  determine that the dynamic element is associated with malware;
  
  determine a dynamic lineage of the dynamic element based on a stack that tracks entry and exit from the scripting engine, the stack including a pointer to the script node that indicates that the script node is a dynamic parent of the dynamic element;
  
  generate a signal indicating that the dynamic element is associated with malware; and
  
  transmit a quarantine instruction based on the dynamic lineage and the signal.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the instructions, when executed by the processor, further comprise functionality to:
    - log, in the structure, redirected requests for content of the dynamic element;
      
      determine that the dynamic element comprises malware; and
      
      analyze the redirected requests to determine a source of the malware.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein determining a dynamic lineage of the dynamic element comprises:
    - adding the script node to the structure;
      
      pushing a pointer to the script node onto the stack in response to detecting that the scripting engine is entered;
      
      adding a new node to the structure while the pointer is on the stack, wherein the new node comprises a dynamic parent pointer pointing back to the script node; and
      
      popping the pointer off the stack in response to detecting that the scripting engine is exited.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein emulating presentation of the web page involves loading a first instance of the web page in a first virtual machine and loading a second instance of the web page in a second virtual machine, wherein the first virtual machine and the second virtual machine emulate different environments for presenting the web page.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein the signal is a hard signal indicating that the web page comprises malware and additional analysis need not be performed to confirm that the web page comprises malware.
  - 21. The non-transitory computer readable storage medium of claim 16, wherein the execution of a script included in the script node causes the dynamic element to be created.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dasient, Inc. (X Holdings Corp.)
Original Assignee
Dasient, Inc. (X Holdings Corp.)
Inventors
Daswani, Neilkumar Murli, Ranadive, Ameet, Rizvi, Shariq
Primary Examiner(s)
Edwards, Linglan
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US12/761,336
Time in Patent Office

2,000 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/556   involving covert channels, ...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2149   Restricted operating enviro...

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

Monitoring for problems and detecting malware

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring for problems and detecting malware

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links