Centralized storage and management of malware manifests

US 9,203,862 B1
Filed: 07/01/2013
Issued: 12/01/2015
Est. Priority Date: 07/03/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for updating a central repository with information about malware resident upon a computer system, which when executed by one or more processors, causes:

the computer system executing all untrusted processes within virtual machines;

the computer system executing a particular untrusted process in a virtual machine;

upon detecting the malware executing in said virtual machine, a software module, without manual instruction, sending malware manifest data to a central repository over a network,wherein the malware manifest data comprises a copy of the malware and data identifying or comprising a set of files infected by the malware,wherein the malware manifest data further comprises all versions, including temporary versions, of any files within said virtual machine written to, updated by, or accessed by said malware,wherein the malware manifest data further comprises information identifying a template used to instantiate the virtual machine on said computer system, andwherein the malware manifest data further comprises an image of the virtual machine, wherein the image includes the contents of memory and data persistently stored on disk for the virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Updating a central repository with information about malware resident upon a computer system. Upon detecting the malware executing in a virtual machine, a software module, without manual instruction, sends malware manifest data to a central repository over a network. The malware manifest data may comprise a copy of the malware and data identifying or comprising a set of files infected by the malware. The central repository may receive, over a network from at least two computer systems, distinct sets of malware manifest data and may subsequently store the sets of malware manifest data.

68 Citations

View as Search Results

18 Claims

1. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for updating a central repository with information about malware resident upon a computer system, which when executed by one or more processors, causes:
- the computer system executing all untrusted processes within virtual machines;
  
  the computer system executing a particular untrusted process in a virtual machine;
  
  upon detecting the malware executing in said virtual machine, a software module, without manual instruction, sending malware manifest data to a central repository over a network,wherein the malware manifest data comprises a copy of the malware and data identifying or comprising a set of files infected by the malware,wherein the malware manifest data further comprises all versions, including temporary versions, of any files within said virtual machine written to, updated by, or accessed by said malware,wherein the malware manifest data further comprises information identifying a template used to instantiate the virtual machine on said computer system, andwherein the malware manifest data further comprises an image of the virtual machine, wherein the image includes the contents of memory and data persistently stored on disk for the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the malware manifest data further comprises information identifying all actions performed by the malware within the virtual machine.
  - 3. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the malware manifest data further comprises all information necessary to recreate the virtual machine on another computer system.
  - 4. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the malware manifest data further comprises information describing why the virtual machine was instantiated.
  - 5. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the malware manifest data further comprises information identifying where files in the virtual machine are physically stored on disk.
  - 6. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the software module executes within a host operating system external to the virtual machine.
  - 7. The one or more non-transitory machine-readable storage mediums of claim 1, wherein activity in the virtual machine is suspended prior to the software module sending the malware manifest data to the central repository.
  - 8. The one or more non-transitory machine-readable storage mediums of claim 1, wherein the malware is allowed to execute in the virtual machine at the same time as the software module sends the malware manifest data to the central repository.

9. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for maintaining a central repository that stores information about malware executing on one or more of a plurality of computer systems, which when executed by one or more processors, causes:
- receiving, over a network from at least two computer systems, distinct sets of malware manifest data which each indicate that malware has been detected on a virtual machine executing on a computer system from which the malware manifest data was sent,wherein the malware manifest data comprises a copy of the malware and data identifying or comprising a set of files infected by the malware,wherein the malware manifest data further comprises all versions, including temporary versions, of any files within said virtual machine written to, updated by, or accessed by said malware,wherein the malware manifest data further comprises information identifying a template used to instantiate the virtual machine on said computer system, andwherein the malware manifest data further comprises an image of the virtual machine, wherein the image includes the contents of memory and data persistently stored on disk for the virtual machine; and
  
  storing the malware manifest data in the central repository.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The one or more non-transitory machine readable storage mediums of claim 9, wherein execution of the one or more sequences of instructions further causes:
    - extracting the malware from a set of malware manifest data.
  - 11. The one or more non-transitory machine readable storage mediums of claim 9, wherein execution of the one or more sequences of instructions further causes:
    - after identifying a set of particular operating conditions from a set of malware manifest data, instantiating a new virtual machine possessing the particular set of operating conditions;
      
      extracting the malware from the set of malware manifest data; and
      
      after injecting the extracted malware into the new virtual machine possessing the particular set of operating conditions, executing the extracted malware in the new virtual machine.
  - 12. The one or more non-transitory machine readable storage mediums of claim 9, wherein storing the malware manifest data in the central repository comprises:
    - establishing and enforcing a policy that the malware manifest data is treated as untrusted data which is unable to be executed or interpreted within a host operating system.
  - 13. The one or more non-transitory machine-readable storage mediums of claim 9, wherein execution of the one or more sequences of instructions further causes:
    - analyzing the distinct sets of malware manifest data to identify a network address of a threat actor involved in a computer attack against the plurality of computer systems.
  - 14. The one or more non-transitory machine-readable storage mediums of claim 9, wherein execution of the one or more sequences of instructions further causes:
    - configuring (a) an automated intrusion detection system (IDS)/intrusion prevention system (IPS) or (b) a firewall or establishing one or more anti-virus signatures using information obtained from analyzing the distinct sets of malware manifest data.

15. An apparatus for updating a central repository with information about malware resident upon a computer system, comprising:
- one or more processors; and
  
  one or more computer-readable medium storing one or more sequences of instructions, which when executed by the one or more processors, cause;
  
  the computer system executing all untrusted processes within virtual machines;
  
  the computer system executing a particular untrusted process in a virtual machine;
  
  upon detecting the malware executing in a-said virtual machine, a software module, without manual instruction, sending malware manifest data to a central repository over a network,wherein the malware manifest data comprises a copy of the malware and data identifying or comprising a set of files infected by the malware,wherein the malware manifest data further comprises all versions, including temporary versions, of any files within said virtual machine written to, updated by, or accessed by said malware,wherein the malware manifest data further comprises information identifying a template used to instantiate the virtual machine on said computer system, andwherein the malware manifest data further comprises an image of the virtual machine, wherein the image includes the contents of memory and data persistently stored on disk for the virtual machine.
- View Dependent Claims (16)
- - 16. The apparatus of claim 15, wherein the malware manifest data further comprises all information necessary to recreate the virtual machine on another computer system.

17. An apparatus for updating a central repository with information about malware resident upon a computer system, comprising:
- one or more processors; and
  
  one or more computer-readable medium storing one or more sequences of instructions, which when executed by the one or more processors, cause;
  
  receiving, over a network from at least two computer systems, distinct sets of malware manifest data which each indicate that malware has been detected on a virtual machine executing on a computer system from which the malware manifest data was sent,wherein the malware manifest data comprises a copy of the malware and data identifying or comprising a set of files infected by the malware,wherein the malware manifest data further comprises all versions, including temporary versions, of any files within said virtual machine written to, updated by, or accessed by said malware,wherein the malware manifest data further comprises information identifying a template used to instantiate the virtual machine on said computer system, andwherein the malware manifest data further comprises an image of the virtual machine, wherein the image includes the contents of memory and data persistently stored on disk for the virtual machine; and
  
  storing the malware manifest data in the central repository.
- View Dependent Claims (18)
- - 18. The apparatus of claim 17, wherein execution of the one or more sequences of instructions further causes:
    - after identifying a set of particular operating conditions from a set of malware manifest data, instantiating a new virtual machine possessing the particular set of operating conditions;
      
      extracting the malware from the set of malware manifest data; and
      
      after injecting the extracted malware into the new virtual machine possessing the particular set of operating conditions, executing the extracted malware in the new virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Kashyap, Rahul C., Navaraj, J. McEnroe Samuel, Passi, Arun
Primary Examiner(s)
KIM, TAE K

Application Number

US13/932,465
Time in Patent Office

883 Days
Field of Search

726 22- 24
US Class Current

1/1
CPC Class Codes

G06F 11/1405   at machine instruction level

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

Centralized storage and management of malware manifests

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized storage and management of malware manifests

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links