Systems and methods for scanning packed programs in response to detecting suspicious behaviors

US 9,171,154 B2
Filed: 02/12/2014
Issued: 10/27/2015
Est. Priority Date: 02/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

executing a packed program that comprises;

malicious code that has been obfuscated within the packed program;

unpacking code that deobfuscates and executes the malicious code when the packed program is executed;

receiving scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;

monitoring, while the packed program is executing, how the packed program behaves;

detecting, while monitoring how the packed program behaves, the at least one suspicious behavior;

scanning, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;

wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of malware signatures used to scan for malware such that scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces a number of malware signatures used to scan the packed program for malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.

13 Citations

View as Search Results

18 Claims

1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- executing a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  receiving scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  monitoring, while the packed program is executing, how the packed program behaves;
  
  detecting, while monitoring how the packed program behaves, the at least one suspicious behavior;
  
  scanning, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
  
  wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of malware signatures used to scan for malware such that scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces a number of malware signatures used to scan the packed program for malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior comprises scanning only the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.
  - 3. The method of claim 2, wherein the portion of the memory of the packed program comprises less than all of the memory of the packed program such that scanning only the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces an amount of memory of the packed program that is scanned.
  - 4. The method of claim 1 wherein:
    - the at least one suspicious behavior comprises a behavior of a known malicious program;
      
      the at least one malware signature that is associated with the at least one suspicious behavior comprises a signature of the known malicious program.
  - 5. The method of claim 1, wherein detecting the at least one suspicious behavior comprises detecting an attempt, by the malicious code, to create a run registry key.
  - 6. The method of claim 1, wherein detecting the at least one suspicious behavior comprises detecting an attempt, by the malicious code, to create a generic load point.
  - 7. The method of claim 1, wherein detecting the at least one suspicious behavior comprises detecting an attempt, by the malicious code, to inject the malicious code into a process.
  - 8. The method of claim 1, wherein detecting the at least one suspicious behavior comprises detecting an attempt, by the malicious code, to modify security settings.

9. A system for scanning packed programs in response to detecting suspicious behaviors, the system comprising:
- an executing module, stored in a memory, that executes a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  a receiving module, stored in the memory, that receives scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  a monitoring module, stored in the memory, that monitors how the packed program behaves while the packed program is executing;
  
  a detecting module, stored in the memory, that detects, while the packed program is monitored, the at least one suspicious behavior;
  
  a security module, stored in the memory, that scans, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
  
  at least one processor that executes the executing module, the monitoring module, the detecting module, and the security module;
  
  wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of the malware signatures used to scan for malware such that the security module reduces a number of malware signatures used to scan the packed program for malware by scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the security module scans the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior by scanning only the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.
  - 11. The system of claim 10, wherein the portion of the memory of the packed program comprises less than all of the memory of the packed program such that the security module reduces an amount of memory of the packed program that is scanned by scanning only the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.
  - 12. The system of claim 9 wherein:
    - the at least one suspicious behavior comprises a behavior of a known malicious program;
      
      the at least one malware signature that is associated with the at least one suspicious behavior comprises a signature of the known malicious program.
  - 13. The system of claim 9, wherein the detecting module detects the at least one suspicious behavior by detecting an attempt, by the malicious code, to create a run registry key.
  - 14. The system of claim 9, wherein the detecting module detects the at least one suspicious behavior by detecting an attempt, by the malicious code, to create a generic load point.
  - 15. The system of claim 9, wherein the detecting module detects the at least one suspicious behavior by detecting an attempt, by the malicious code, to inject the malicious code into a process.
  - 16. The system of claim 9, wherein the detecting module detects the at least one suspicious behavior by detecting an attempt, by the malicious code, to modify security settings.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- execute a packed program that comprises;
  
  malicious code that has been obfuscated within the packed program;
  
  unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
  
  receive scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
  
  monitor, while the packed program is executing, how the packed program behaves;
  
  detect, while monitoring how the packed program behaves, the at least one suspicious behavior;
  
  scan, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
  
  wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of malware signatures used to scan for malware such that scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces a number of malware signatures used to scan the packed program for malware.
- View Dependent Claims (18)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to scan the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior by causing the computing device to scan only the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US14/178,727
Publication Number

US 20150227742A1
Time in Patent Office

622 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

Systems and methods for scanning packed programs in response to detecting suspicious behaviors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for scanning packed programs in response to detecting suspicious behaviors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others