System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection

US 9,189,627 B1
Filed: 11/21/2013
Issued: 11/17/2015
Est. Priority Date: 11/21/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

receiving an encrypted object having a Portable Executable (PE) file format;

conducting a first static scanning operation on the encrypted object to decrypt the encrypted object in real-time, the conducting of the first static scanning operation comprises(A) conducting, by execution of a format detection logic by a processor, one or more logical operations at least on data associated with a first data string expected at a first location within an object having the PE file format and data within the encrypted object at the first location to produce a partial key,(B) conducting, by execution of key detection logic by the processor, one or more logical operations at least on the partial key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location is different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location,(C) responsive to the result including data associated with the plaintext version of the second data string, during execution of the key detection logic by the processor, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover a cryptographic key, wherein the second portion of the encrypted object includes the first portion of the encrypted object, and(D) decrypting, by execution of decryption logic by the processor, the encrypted object using the cryptographic key to produce a decrypted object.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises receiving an encrypted object and conducting a first static scanning operation on the encrypted object to decrypt the encrypted object in real-time. Thereafter, a second static scanning operation is conducted on the decrypted object to determine whether the decrypted object is suspected of including malware. Based on the results of the second static scanning operation, the decrypted object may be classified to identify a suspected presence of malware.

Citations

43 Claims

1. A computerized method comprising:
- receiving an encrypted object having a Portable Executable (PE) file format;
  
  conducting a first static scanning operation on the encrypted object to decrypt the encrypted object in real-time, the conducting of the first static scanning operation comprises(A) conducting, by execution of a format detection logic by a processor, one or more logical operations at least on data associated with a first data string expected at a first location within an object having the PE file format and data within the encrypted object at the first location to produce a partial key,(B) conducting, by execution of key detection logic by the processor, one or more logical operations at least on the partial key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location is different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location,(C) responsive to the result including data associated with the plaintext version of the second data string, during execution of the key detection logic by the processor, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover a cryptographic key, wherein the second portion of the encrypted object includes the first portion of the encrypted object, and(D) decrypting, by execution of decryption logic by the processor, the encrypted object using the cryptographic key to produce a decrypted object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computerized method of claim 1, further comprising:
    - performing a second static scanning operation associated with the decrypted object to determine whether the decrypted object is suspected of including malware; and
      
      classifying the decrypted object to identify a suspected presence of malware based on results of the second static scanning operation.
  - 3. The computerized method of claim 1, wherein the conducting of the one or more logical operations on the data associated with the first data string and the data within the encrypted object at the first location comprises conducting a first Exclusive OR (XOR) operation on a first plurality of alphanumeric characters and a portion of the encrypted object at a first prescribed address.
  - 4. The computerized method of claim 3, wherein the first plurality of alphanumeric characters comprises alphanumeric characters “
    - MZ”
      
      .
  - 5. The computerized method of claim 3, wherein the one or more logical operations conducted on the second portion of the encrypted object and the data associated with the plaintext version of the second data string further comprises a second Exclusive OR (XOR) operation on the second portion of the encrypted object and the data associated with the plaintext version of the second data string, the data associated with the plaintext version of the second data string includes a second plurality of alphanumeric characters greater in number than the first plurality of alphanumeric characters of the first data string.
  - 6. The computerized method of claim 1, wherein the conducting of the one or more logical operations on the second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location comprises conducting an Exclusive OR (XOR) operation on the second portion of the encrypted object that corresponds to a DOS Stub statement and the data associated with the plaintext version of the second data string corresponds to an anticipated plaintext version of the a DOS Stub statement.
  - 7. The computerized method of claim 1, wherein the data associated with the first data string comprises a first plurality of alphanumeric characters, the result comprises a second plurality of alphanumeric characters greater in number than the first plurality of alphanumeric characters, and the data associated with the second data string comprises a third plurality of alphanumeric characters greater in number than the second plurality of characters.
  - 8. The computerized method of claim 7, wherein each of the logical operations operates as an Exclusive OR (XOR) operation.
  - 9. The computerized method of claim 1, wherein prior to decrypting the encrypted object using the cryptographic key, the method further the comprises validating the cryptographic key.
  - 10. The computerized method of claim 9, wherein the validating of the cryptographic key conducting of the one or more logical operations further comprisesconducting one or more logical operations on both a third portion of the encrypted object and the cryptographic key to recover a value associated with an address offset;
    - conducting one or more logical operations on the third portion of the encrypted object at the address offset and the cryptographic key to recover a data string; and
      
      comparing the data string to a prescribed data string expected at the address offset.
  - 11. The computerized method of claim 10 further comprising:
    - performing a second static scanning operation associated with the decrypted object to determine whether the decrypted object is suspected of including malware; and
      
      classifying the decrypted object to identify a suspected presence of malware based on results of the second static scanning operation.
  - 12. The computerized method of claim 1, wherein the data associated with the first data string expected at the first location within the object having the PE file format is data within the first data string.
  - 13. The computerized method of claim 1 further comprising analyzing the decrypted object by virtual execution of the decrypted object by one or more virtual machines (VMs) and monitoring for anomalous or unexpected activity indicative of the presence of malware.
  - 14. The computerized method of claim 1, wherein the receiving of the encrypted object comprises (i) determining that the encrypted object is embedded with a second object and (ii) extracting the encrypted object from the second object.

15. A non-transitory computer readable medium that includes software that, when executed by a processor, causes a malware content detection system to perform one or more operations corresponding to a first static scanning operation on an encrypted object having a Portable Executable (PE) file format to decrypt the encrypted object in real-time, comprising:
- conducting one or more logical operations at least on data associated with a first data string expected at a first location within an object having the PE file format and data within the encrypted object at the first location to produce a partial key;
  
  conducting one or more logical operations at least on the partial key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location is different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location;
  
  responsive to the result including data associated with the plaintext version of the second data string, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover a cryptographic key, wherein the second portion of the encrypted object includes the first portion of the encrypted object anddecrypting the encrypted object using the cryptographic key to produce a decrypted object.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The non-transitory computer readable medium of claim 15,wherein the software, when executed by the processor, further causes the malware content detection system to perform operations comprising:
    - conducting a second static scanning operation associated with the decrypted object, where results of the second static scanning operation are used to classify the decrypted object to identify a suspected presence of malware; and
      
      issuing one or more alerts to identify a presence of malware within the encrypted object.
  - 17. The non-transitory computer readable medium of claim 15, wherein the one or more logical operations conducted on the data associated with the first data string and the data within the encrypted object at the first location comprises a first Exclusive OR (XOR) operation conducted on a first plurality of alphanumeric characters and a portion of the encrypted object at a first prescribed address.
  - 18. The non-transitory computer readable medium of claim 17, wherein the first plurality of alphanumeric characters comprises alphanumeric characters “
    - MZ”
      
      .
  - 19. The non-transitory computer readable medium of claim 17, wherein the one or more logical operations conducted on the second portion of the encrypted object and the data associated with the plaintext version of the second data string further comprises a second Exclusive OR (XOR) operation on the second portion of the encrypted object and the data associated with the plaintext version of the second data string, the data associated with the plaintext version of the second data string that includes a second plurality of alphanumeric characters greater in number than the first plurality of alphanumeric characters of the first data string.
  - 20. The non-transitory computer readable medium of claim 16, wherein the conducting of the one or more logical operations on the second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location comprises conducting an Exclusive OR (XOR) operation on the second portion of the encrypted object that corresponds to a DOS Stub statement and the known data associated with the plaintext version of the second data string corresponds to including an anticipated plaintext version of the DOS Stub statement.
  - 21. The non-transitory computer readable medium of claim 15, wherein the data associated with the first data string comprises a first plurality of alphanumeric characters, the result comprises a second plurality of alphanumeric characters greater in number than the first plurality of characters, and the data associated with the second data string comprises a third plurality of alphanumeric characters greater in number than the second plurality of alphanumeric characters.
  - 22. The non-transitory computer readable medium of claim 21, each of the logical operations operates as one or more Exclusive OR (XOR) operations.
  - 23. The non-transitory computer readable medium of claim 22,wherein prior to decrypting the encrypted object using the cryptographic key, the software, when executed by the processor, further validating the cryptographic key.
  - 24. The non-transitory computer readable medium of claim 23, wherein the validating of the cryptographic key comprisesconducting one or more logical operations on both a third portion of the encrypted object and the cryptographic key to recover a value associated with an address offset;
    - conducting one or more logical operations on the third portion of the encrypted object at the address offset and the cryptographic key to recover a data string; and
      
      comparing the data string to a prescribed data string expected at the address location.
  - 25. The non-transitory computer readable medium of claim 15, wherein the software, upon execution by the processor further performs operations comprisingperforming a second static scanning operation associated with the decrypted object to determine whether the decrypted object is suspected of including malware;
    - andclassifying the decrypted object to identify a suspected presence of malware based on results of the second static scanning operation.
  - 26. The non-transitory computer readable medium of claim 15, wherein the data associated with the first data string expected at the first location within the object having the PE file format is data within the first data string.
  - 27. The non-transitory computer readable medium of claim 15, wherein the software, when executed by the processor, further performs the operations comprising analyzing the decrypted object by virtual execution of the decrypted object by one or more virtual machines (VMs) and monitoring for anomalous or unexpected activity indicative of the presence of malware.
  - 28. The non-transitory computer readable medium of claim 15, wherein the software, when executed by the processor, to receive the encrypted object and perform operations that comprise (i) determining that the encrypted object is embedded with a second object and (ii) extracting the encrypted object from the second object.

29. An electronic device, comprising:
- one or more hardware processors; and
  
  a memory communicatively coupled to the one or more hardware processors,the memory including one or more software modules that, upon execution by the one or more hardware processors, conducts a first static scanning operation on an encrypted object to decrypt the encrypted object, wherein the first static scanning operation comprisesconducting one or more logical operations at least on data associated with a first data string expected at a first location within an object having the PE file format and data within the encrypted object at the first location to produce a partial key,conducting one or more logical operations at least on the partial key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location is different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location,responsive to the result including data associated with the plaintext version of the second data string, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover a cryptographic key, wherein the second portion of the encrypted object includes the first portion of the encrypted object, anddecrypting the encrypted object using the cryptographic key to produce a decrypted object.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 30. The electronic device of claim 29, wherein the one or more hardware processors, upon execution of the one or more software modules, further comprises:
    - performing a second static scanning operation associated with the decrypted object to determine whether the decrypted object is suspected of including malware; and
      
      classifying the decrypted object to identify a suspected presence of malware based on results of the second static scanning operation.
  - 31. The electronic device of claim 29, wherein the one or more hardware processors, upon execution of the one or more software modules, conducting the one or more logical operations on the data associated with and part of the first data string and the data within the encrypted object at the first location comprises a first Exclusive OR (XOR) operation on a first plurality of alphanumeric characters and a portion of the encrypted object at a first prescribed address.
  - 32. The electronic device of claim 31, wherein the first plurality of alphanumeric characters comprises alphanumeric characters “
    - MZ”
      
      .
  - 33. The electronic device of claim 31, wherein the one or more hardware processors, upon execution of the one or more software modules, conducting the one or more logical operations on the second portion of the encrypted object and the data associated with the plaintext version of the second data string that conducted on the second portion of the encrypted object and the data associated with the plaintext version of the second data string further comprises a second Exclusive OR (XOR) operation on the second portion of the encrypted object and the data associated with the plaintext version of the second data string, the data associated with the plaintext version of the second data string includes a second plurality of alphanumeric characters greater in number than the first plurality of alphanumeric characters of the first data string.
  - 34. The electronic device of claim 29, wherein the one or more hardware processors, upon execution of the one or more software modules, conduct the one or more logical operations on the second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location that comprise conducting an Exclusive OR (XOR) operation on the second portion of the encrypted object that corresponds to a DOS Stub statement and the data associated with the plaintext version of the second data string corresponds to an anticipated plaintext version of the DOS Stub statement.
  - 35. The electronic device of claim 29, wherein the data associated with the first data string comprises a first plurality of alphanumeric characters, the result comprises a second plurality of alphanumeric characters greater in number than the first plurality of alphanumeric characters, and the data associated with the second data string comprises a third plurality of alphanumeric characters greater in number than the second plurality of characters.
  - 36. The electronic device of claim 35, wherein the one or more hardware processors, upon execution of the one or more software modules, conducts the one or more logical operations that operate as one or more Exclusive OR (XOR) operations.
  - 37. The electronic device of claim 29, wherein the one or more hardware processors, upon execution of the one or more software modules and prior to decrypting the encrypted object using the cryptographic key, further validates the the cryptographic key.
  - 38. The electronic device of claim 37, wherein the one or more hardware processors, upon execution of the one or more software modules, validates the cryptographic key byconducting one or more logical operations on both a third portion of the encrypted object and the cryptographic key to recover a value associated with an address offset;
    - conducting one or more logical operations on the third portion of the encrypted object at the address offset and the cryptographic key to recover a data string; and
      
      comparing the data string to a prescribed data string expected at the address offset.
  - 39. The electronic device of claim 29, wherein the one or more hardware processors, upon execution of the one or more software modules, further performing a second static scanning operation associated with the decrypted object to determine whether the decrypted object is suspected of including malware;
    - and classifying the decrypted object to identify a suspected presence of malware based on results of the second static scanning operation.
  - 40. The electronic device of claim 29, wherein the one or more software modules further comprises a reporting module that, upon execution by the one or more hardware processors, transmits an alert indicating a presence of malware within the encrypted object.
  - 41. The electronic device of claim 29, wherein prior to conducting the first static scanning operation, the one or more hardware processors, upon execution of the one or more software modules, receive an object, determines that the object is embedded with a second object and (ii) extracting the second object as the encrypted object from the first object.
  - 42. The electronic device of claim 40, wherein the alert comprises reference information that identifies a particular message or messages within the encrypted object that contains malware first data string comprises a prescribed data string having alphanumeric characters “
    - MZ”
      
      .
  - 43. The electronic device of claim 42, wherein the reference information includes a pointer that points to a memory location associated with the particular message or messages that contain malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Islam, Ali
Primary Examiner(s)
Jeudy, Josnel

Application Number

US14/086,842
Time in Patent Office

726 Days
Field of Search

713187-188, 713193-194, 726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 12/2865   Logical combinations

H04L 41/50   Network service management,...

H04L 61/45   Network directories; Name-t...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/065   Encryption by serially and ...

H04L 9/08   Key distribution or managem...

H04L 9/0894   Escrow, recovery or storing...

System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links