Systems and methods for discouraging polymorphic malware

US 9,189,629 B1
Filed: 08/28/2008
Issued: 11/17/2015
Est. Priority Date: 08/28/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for discouraging polymorphic malware, the method comprising:

receiving a request to register a file in a registration database, the request comprising the file;

prompting a user to select between solving a human-verification test and payment of a specified fee in order to register the file by;

simultaneously displaying both a graphical option for the user to solve the human-verification test and a graphical option for the user to pay the specified fee;

prompting the user to select one of the two simultaneously displayed graphical options in order to register the file;

receiving a selection from the user between solving the human-verification test and payment of the specified fee;

applying a registration tax to the file in accordance with the user'"'"'s selection;

determining based on whether the registration tax for the file has been satisfied in accordance with the user'"'"'s selection, whether to register the file in the registration database;

verifying legitimacy of the file by at least one of;

determining whether a digital signature of the file matches a digital signature of a known malicious file;

determining whether the file contains a malicious payload by executing the file within a virtual computing environment;

determining, based at least in part on whether the file has been registered in the registration database and the verifying legitimacy of the file, whether to add the file to an approved-file database;

adding the file to the approved-file database in accordance with the determining; and

transmitting information to a client device to enable the client device to check whether a digital signature of a candidate file at the client device matches the digital signature of the file added to the approved-file database, the transmitted information comprising at least one of;

an approved-file list based at least in part on the approved-file database;

an indication of whether the digital signature of the candidate file at the client device matches the digital signature of the file added to the approved-file database based on a comparison performed at a server device;

wherein the server device performs the method.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for discouraging polymorphic malware may comprise: 1) receiving a request to register a file in a registration database, 2) applying a registration tax to the file, 3) determining, based on whether the registration tax for the file has been satisfied, whether to register the file in the registration database, and then 4) determining, based at least in part on whether the file has been registered in the registration database, whether to add the file to an approved-file database. A method for determining whether to allow files on a computing device to execute using such an approved-file database is also disclosed. Corresponding systems and computer-readable media are also disclosed.

22 Citations

View as Search Results

20 Claims

1. A computer-implemented method for discouraging polymorphic malware, the method comprising:
- receiving a request to register a file in a registration database, the request comprising the file;
  
  prompting a user to select between solving a human-verification test and payment of a specified fee in order to register the file by;
  
  simultaneously displaying both a graphical option for the user to solve the human-verification test and a graphical option for the user to pay the specified fee;
  
  prompting the user to select one of the two simultaneously displayed graphical options in order to register the file;
  
  receiving a selection from the user between solving the human-verification test and payment of the specified fee;
  
  applying a registration tax to the file in accordance with the user'"'"'s selection;
  
  determining based on whether the registration tax for the file has been satisfied in accordance with the user'"'"'s selection, whether to register the file in the registration database;
  
  verifying legitimacy of the file by at least one of;
  
  determining whether a digital signature of the file matches a digital signature of a known malicious file;
  
  determining whether the file contains a malicious payload by executing the file within a virtual computing environment;
  
  determining, based at least in part on whether the file has been registered in the registration database and the verifying legitimacy of the file, whether to add the file to an approved-file database;
  
  adding the file to the approved-file database in accordance with the determining; and
  
  transmitting information to a client device to enable the client device to check whether a digital signature of a candidate file at the client device matches the digital signature of the file added to the approved-file database, the transmitted information comprising at least one of;
  
  an approved-file list based at least in part on the approved-file database;
  
  an indication of whether the digital signature of the candidate file at the client device matches the digital signature of the file added to the approved-file database based on a comparison performed at a server device;
  
  wherein the server device performs the method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein applying the registration tax to the file further comprises administering the human-verification test.
  - 3. The method of claim 1, further comprising:
    - determining that the file has a positive attribute;
      
      reducing the registration tax required to register the file based on the determination that the file has the positive attribute.
  - 4. The method of claim 3, wherein the positive attribute comprises at least one of:
    - a digital signature with a class-3 certificate issued by a certificate authority vouching that the file is legitimate;
      
      absence of obfuscation;
      
      embedded vendor information that matches a registered identity of a provider that provides the file.
  - 5. The method of claim 1, wherein prompting the user to select one of the two simultaneously displayed graphical options comprises prompting the user to select one of the two simultaneously displayed graphical options using a radio button.
  - 6. The method of claim 1, wherein the specified fee is less than or equal to one dollar.
  - 7. The method of claim 1, further comprising increasing the registration tax required to register the file based on a determination that the file is suspicious.
  - 8. The method of claim 7, wherein the file is determined to be suspicious based on the file being determined to be at least one of packed and obfuscated.
  - 9. The method of claim 1, further comprising altering the registration tax based on a degree to which an identity of a submitter that submitted the file has been verified via a trustworthy source.
  - 10. The method of claim 1, further comprising adjusting the registration tax based on at least one of:
    - a period of time a developer of the file has been certified by a registration service to which the file was submitted;
      
      a volume of submissions by the developer to the registration service.

11. A system for discouraging polymorphic malware, the system comprising a server device that further comprises:
- a server comprising;
  
  at least one physical processor; and
  
  a memory storing a registration module programmed to perform the following through the at least one physical processor;
  
  identify a request to register a file in a registration database, the request comprising the file;
  
  prompt a user to select between solving a human-verification test and payment of a specified fee in order to register the file by;
  
  simultaneously displaying both a graphical option for the user to solve the human-verification test and a graphical option for the user to pay the specified fee;
  
  prompting the user to select one of the two simultaneously displayed graphical options in order to register the file;
  
  receive a selection from the user between solving the human verification test and payment of the specified fee;
  
  apply a registration tax to the file in accordance with the user'"'"'s selection;
  
  determine, based on whether the registration tax for the file has been satisfied in accordance with the user'"'"'s selection, whether to register the file in the registration database;
  
  wherein the memory further stores a file-approval module programmed to perform the following through the at least one physical processor;
  
  verify legitimacy of the file by at least one of;
  
  determining whether a digital signature of the file matches a digital signature of a known malicious file;
  
  determining whether the file contains a malicious payload by executing the file within a virtual computing environment;
  
  determine, based at least in part on whether the file has been registered in the registration database and the verifying legitimacy of the file, whether to add the file to an approved-file data base;
  
  add the file to the approved-file database in accordance with the determining; and
  
  transmit information to a client device to enable the client device to check whether a digital signature of a candidate file at the client device matches the digital signature of the file added to the approved-file database, the transmitted information comprising at least one of;
  
  an approved-file list based at least in part on the approved-file database;
  
  an indication of whether the digital signature of the candidate file at the client device matches the digital signature of the file added to the approved-file database based on a comparison performed at the server device.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the registration module is programmed to apply the registration tax to the file by administering the human-verification test.
  - 13. The system of claim 11, wherein the registration module is programmed to alter the registration tax based on a degree to which an identity of a submitter that submitted the file has been verified via a trustworthy source.
  - 14. The system of claim 11, wherein the registration module is further programmed to adjust the registration tax based on at least one of:
    - at least one characteristic of the file; and
      
      at least one characteristic of a developer of the file.

15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a server device, cause the server device to:
- receive a request to register a file in a registration database, the request comprising the file;
  
  prompt a user to select between solving a human-verification test and payment of a specified fee in order to register the file by;
  
  simultaneously displaying both a graphical option for the user to solve the human-verification test and a graphical option for the user to pay the specified fee;
  
  prompting the user to select one of the two simultaneously displayed graphical options in order to register the file;
  
  receive a selection from the user between solving the human-verification test and payment of the specified fee;
  
  apply a registration tax to the file in accordance with the user'"'"'s selection;
  
  determine based on whether the registration tax for the file has been satisfied in accordance with the user'"'"'s selection, whether to register the file in the registration database;
  
  verify legitimacy of the file by at least one of;
  
  determining whether a digital signature for the file matches a digital signature for a known malicious file;
  
  determining whether the file contains a malicious payload by executing the file within a virtual computing environment;
  
  determine, based at least in part on whether the file has been registered in the registration database and the verifying legitimacy of the file, whether to add the file to an approved-file database;
  
  add the file to the approved-file database in accordance with the determining; and
  
  transmit information to a client device to enable the client device to check whether a digital signature of a candidate file at the client device matches the digital signature of the file added to the approved-file database, the transmitted information comprising at least one of;
  
  an approved-file list based at least in part on the approved-file database;
  
  an indication of whether the digital signature of the candidate file at the client device matches the digital signature of the file added to the approved-file database based on a comparison performed at the server device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein applying the registration tax to the file further comprises administering the human-verification test.
  - 17. The non-transitory computer-readable medium of claim 15, wherein prompting the user to select one of the two simultaneously displayed graphical options comprises prompting the user to select one of the two simultaneously displayed graphical options using a radio button.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the instructions further cause the server device to alter the registration tax based on a degree to which an identity of a submitter that submitted the file has been verified via a trustworthy source.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the instructions further cause the server device to adjust the registration tax based on at least one of:
    - a period of time a developer of the file has been certified by a registration service to which the file was submitted;
      
      a volume of submissions by the developer to the registration service.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the instructions further cause the server device to increase the registration tax required to register the file based on a determination that the file is suspicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Spertus, Michael, Nachenburg, Carey S.
Primary Examiner(s)
Kim, Steven

Application Number

US12/200,679
Time in Patent Office

2,637 Days
Field of Search

726/21, 705/52
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/125   by manipulating the program...

G06F 21/51   at application loading time...

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

H04L 63/145   the attack involving the pr...

Systems and methods for discouraging polymorphic malware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for discouraging polymorphic malware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links