Systems and methods for scanning packed programs in response to detecting suspicious behaviors
Abstract
A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.
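The abstract above, together with the scanning-criteria and signature-subset limitations of claim 1, describes one concrete mechanism: run the packed program under a behavior monitor, do nothing while the unpacking stub does its work, and only when a behavior listed in the scanning criteria fires, scan the process memory for the subset of signatures associated with that behavior rather than the whole signature set. The following is an added Python simulation of that method, written for this page; it is not code from the patent or its assignee. The packed program (a XOR-obfuscated payload with an in-place unpacking step), the signature names and patterns, the behavior names, and the `SCANNING_CRITERIA` mapping are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# --- Constructed sample (hypothetical names, not from the patent) ---------------
XOR_KEY = 0x5A
# Plaintext "malicious code": the strings a signature scan would catch once unpacked.
PLAIN_PAYLOAD = b"connect 203.0.113.7:4444; keylog start; CONSTRUCTED_MALWARE_MARKER"
PACKED_PAYLOAD = bytes(b ^ XOR_KEY for b in PLAIN_PAYLOAD)  # what sits on disk

# Full signature set: name -> byte regex (all constructed for the demo).
SIGNATURES = {
    "beacon.constructed":    rb"connect \d{1,3}(?:\.\d{1,3}){3}:\d+",
    "keylogger.constructed": rb"keylog start",
    "marker.constructed":    rb"CONSTRUCTED_MALWARE_MARKER",
    "ransom.constructed":    rb"encrypt \*\.docx",
    "dropper.constructed":   rb"drop C:\\Windows",
}

# Scanning criteria (claim 1): suspicious behaviour -> the subset of signatures
# associated with it. Behaviours absent from this map never trigger a scan.
SCANNING_CRITERIA = {
    "network_connect": ["beacon.constructed"],
    "keyboard_hook":   ["keylogger.constructed"],
}


@dataclass
class Process:
    """Stand-in for the running packed program's address space."""
    memory: bytearray = field(default_factory=bytearray)
    behaviours: list = field(default_factory=list)


def run_packed_program(proc: Process, on_behaviour) -> None:
    """Unpacking stub + obfuscated payload, reporting behaviours to the monitor."""
    proc.memory[:] = PACKED_PAYLOAD          # loaded as-is: still obfuscated
    on_behaviour("file_read")                # benign-looking, not in the criteria
    proc.memory[:] = bytes(b ^ XOR_KEY for b in proc.memory)  # stub deobfuscates
    on_behaviour("network_connect")          # malicious code is now executing
    on_behaviour("keyboard_hook")


class BehaviourTriggeredScanner:
    """Scans memory only when a criteria behaviour fires, and only for its subset."""

    def __init__(self, signatures, criteria):
        self.signatures = {n: re.compile(p) for n, p in signatures.items()}
        self.criteria = criteria
        self.findings = []            # (behaviour, signature name)
        self.signatures_checked = 0   # scanning work actually performed

    def monitor(self, proc: Process):
        def on_behaviour(name: str) -> None:
            proc.behaviours.append(name)
            subset = self.criteria.get(name)
            if subset is None:
                return                # not a suspicious behaviour: no scan at all
            snapshot = bytes(proc.memory)
            for sig_name in subset:   # the subset, not the full SIGNATURES set
                self.signatures_checked += 1
                if self.signatures[sig_name].search(snapshot):
                    self.findings.append((name, sig_name))
        return on_behaviour


def static_scan(blob: bytes) -> list:
    """Conventional scan with every signature; finds nothing while the payload is packed."""
    return [n for n, p in SIGNATURES.items() if re.search(p, blob)]


def run_demo():
    """Execute the packed program under the monitor; return findings and the scan cost."""
    scanner = BehaviourTriggeredScanner(SIGNATURES, SCANNING_CRITERIA)
    proc = Process()
    run_packed_program(proc, scanner.monitor(proc))
    # Cost of the naive alternative: every signature on every observed event.
    full_scan_cost = len(SIGNATURES) * len(proc.behaviours)
    return scanner.findings, scanner.signatures_checked, full_scan_cost


if __name__ == "__main__":
    print("static scan of packed bytes:", static_scan(PACKED_PAYLOAD))
    print("findings, signatures checked, naive full-scan cost:", run_demo())
```

Two points the simulation makes explicit: the on-disk (packed) bytes match no signature, so the scan is worthless until the unpacking code has run, and the trigger-to-subset map keeps the work to one signature per suspicious event (two checks here) instead of the full set on every event (fifteen). The benign `file_read` event never causes a scan at all, which is the claimed filtering effect of the scanning criteria.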
18 Claims
1. A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- executing a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- receiving scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
- monitoring, while the packed program is executing, how the packed program behaves;
- detecting, while monitoring how the packed program behaves, the at least one suspicious behavior;
- scanning, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
- wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of malware signatures used to scan for malware such that scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces a number of malware signatures used to scan the packed program for malware.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. A system for scanning packed programs in response to detecting suspicious behaviors, the system comprising:
- an executing module, stored in a memory, that executes a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- a receiving module, stored in the memory, that receives scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
- a monitoring module, stored in the memory, that monitors how the packed program behaves while the packed program is executing;
- a detecting module, stored in the memory, that detects, while the packed program is monitored, the at least one suspicious behavior;
- a security module, stored in the memory, that scans, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
- at least one processor that executes the executing module, the monitoring module, the detecting module, and the security module;
- wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of the malware signatures used to scan for malware such that the security module reduces a number of malware signatures used to scan the packed program for malware by scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16)

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- execute a packed program that comprises:
  - malicious code that has been obfuscated within the packed program;
  - unpacking code that deobfuscates and executes the malicious code when the packed program is executed;
- receive scanning criteria that specifies at least one suspicious behavior that will trigger scanning of a portion of memory of the packed program for at least one malware signature that is associated with the at least one suspicious behavior, wherein the at least one suspicious behavior indicates that the unpacking code has deobfuscated and executed the malicious code;
- monitor, while the packed program is executing, how the packed program behaves;
- detect, while monitoring how the packed program behaves, the at least one suspicious behavior;
- scan, in response to detecting the at least one suspicious behavior, the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior;
- wherein the at least one malware signature that is associated with the at least one suspicious behavior comprises a subset of a set of malware signatures used to scan for malware such that scanning the portion of the memory of the packed program for only the at least one malware signature that is associated with the at least one suspicious behavior reduces a number of malware signatures used to scan the packed program for malware.
(Dependent claim: 18)
Specification