Systems and methods of processing data associated with detection and/or handling of malware
10 Assignments
0 Petitions
Abstract
The present disclosure relates to malware and, more particularly, to systems and methods of processing information associated with detecting and handling malware. According to certain illustrative implementations, methods of processing malware are disclosed. Such methods may include one or more of unpacking and/or decrypting malware samples, dynamically analyzing the samples, disassembling and/or reverse engineering the samples, performing static analysis of the samples, determining latent logic execution path information regarding the samples, classifying the samples, and/or providing intelligent report information regarding the samples.
62 Citations
15 Claims
1. A method implemented on a computing system for analyzing a sample of code for malware, the method comprising:
    performing, by an analyzer of the computing system, at least one of unpacking or decrypting the sample;
    running the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
    recording behavior information indicating behavior of the sample during the running;
    reverse engineering the sample into disassembled source code;
    performing a static analysis of the disassembled source code, wherein the performing the static analysis includes comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
    providing intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
    generating an intelligent report regarding the behavior of the sample.
Dependent claims: 2.
3. A system for analyzing a sample of code for malware, the system comprising:
    at least one processor;
    at least one memory element coupled to the at least one processor; and
    at least one module adapted, when executed by the at least one processor, to:
        perform at least one of unpacking or decrypting the sample;
        run the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
        record behavior information indicating behavior of the sample when running;
        reverse engineer the sample into disassembled source code;
        perform a static analysis of the disassembled source code, wherein the static analysis is performed by comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
        provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
        generate an intelligent report regarding the behavior of the sample.
Dependent claims: 4.
5. At least one non-transitory computer-readable medium comprising instructions to analyze a sample of code for malware, wherein the instructions, when executed by at least one processor, cause the at least one processor to:
    perform at least one of unpacking or decrypting the sample;
    run the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
    record behavior information indicating behavior of the sample when running;
    reverse engineer the sample into disassembled source code;
    perform a static analysis of the disassembled source code, wherein performing the static analysis includes comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
    provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
    generate an intelligent report regarding the behavior of the sample.
Dependent claims: 6.
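The step shared by claims 1, 3 and 5, comparing the logic execution paths in the disassembly against the paths the dynamic run actually took, is in practice a coverage diff over the recovered control-flow graph. The Python below is an added illustration, not code from the patent or its assignee. It takes a hypothetical disassembly reduced to basic blocks (address, instruction strings, successor addresses), a constructed trace of block addresses recorded during the run, and a constructed table of API calls treated as payload indicators, and produces the kind of report the claims describe: payloads observed in executed code, each latent path together with the branch that skipped it, and the indicators hidden in that latent code. The addresses, instructions, API table and the "uptime check took the early exit" scenario are all constructed for the example.

```python
"""
Latent logic execution path analysis: diff the control-flow graph recovered
from disassembly against the basic blocks recorded during a dynamic run.

Added illustrative example. The CFG, trace and indicator table are
constructed toy data, not material from the patent.
"""
from collections import deque

# Hypothetical disassembly reduced to basic blocks (constructed):
# address -> (instruction strings, successor addresses).
CFG = {
    0x1000: (["call GetTickCount", "cmp eax, 0x100000", "jb 0x1400"], [0x1100, 0x1400]),
    0x1100: (["call IsDebuggerPresent", "test eax, eax", "jnz 0x1400"], [0x1200, 0x1400]),
    0x1200: (["push offset stage2_url", "call InternetOpenUrlA", "call WriteFile"], [0x1300]),
    0x1300: (["call CreateRemoteThread", "jmp 0x1400"], [0x1400]),
    0x1400: (["call ExitProcess"], []),
    0x1500: (["call DeleteFileA", "jmp 0x1400"], [0x1400]),  # nothing branches here
}
ENTRY = 0x1000

# Block addresses recorded while the sample ran (constructed): the uptime
# check at 0x1000 saw a freshly booted sandbox and took the early exit.
TRACE = [0x1000, 0x1400]

# Call targets treated as payload indicators (constructed table).
PAYLOAD_APIS = {
    "InternetOpenUrlA": "download",
    "WriteFile": "drop-file",
    "CreateRemoteThread": "inject",
    "DeleteFileA": "delete-file",
}


def reachable(cfg, entry):
    """Blocks reachable from entry by following CFG edges (the static view)."""
    seen, work = set(), deque([entry])
    while work:
        addr = work.popleft()
        if addr in seen or addr not in cfg:
            continue
        seen.add(addr)
        work.extend(cfg[addr][1])
    return seen


def payload_indicators(insns):
    """(api, category) for every call in a block whose target is in PAYLOAD_APIS."""
    found = []
    for insn in insns:
        if insn.startswith("call "):
            api = insn.split(None, 1)[1]
            if api in PAYLOAD_APIS:
                found.append((api, PAYLOAD_APIS[api]))
    return found


def latent_paths(cfg, trace):
    """
    For each executed block with a successor the run never reached, follow
    that edge through never-executed blocks only and collect them as one
    latent path keyed by the guarding branch. Paths may share blocks when
    several untaken branches lead into the same region.
    """
    executed = set(trace)
    paths = []
    for guard in sorted(executed):
        for succ in cfg[guard][1]:
            if succ in executed:
                continue
            blocks, work, seen = [], deque([succ]), set()
            while work:
                addr = work.popleft()
                if addr in seen or addr in executed or addr not in cfg:
                    continue
                seen.add(addr)
                blocks.append(addr)
                work.extend(cfg[addr][1])
            paths.append({
                "guard": guard,
                "condition": cfg[guard][0][-1],   # the branch that skipped the path
                "blocks": blocks,
                "indicators": [i for a in blocks for i in payload_indicators(cfg[a][0])],
            })
    return paths


def build_report(cfg, entry, trace):
    """Assemble the report: executed payloads, latent paths, dead blocks, coverage."""
    executed = set(trace)
    static = reachable(cfg, entry)
    return {
        "executed_blocks": sorted(executed),
        "coverage": len(executed & static) / len(static),
        "current_payloads": [i for a in sorted(executed) for i in payload_indicators(cfg[a][0])],
        "latent_paths": latent_paths(cfg, trace),
        # Disassembled but not reachable from entry: worth a manual look as well.
        "unreachable_blocks": sorted(set(cfg) - static),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(CFG, ENTRY, TRACE), indent=2))
```

In a real pipeline the CFG comes from a disassembler and the trace from instrumentation or a hypervisor; the point the example makes is that the guard of a latent path (here the uptime check at 0x1000) tells the analyst which condition to force on a re-run, and the indicators found in the latent blocks are what the claims call potential payloads hidden in latent code.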
7. A method for analyzing a sample of code for malware, the method comprising:
    hosting multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
    providing a native application environment for each OS in which malware may be executed;
    identifying which analyzer is available to analyze the sample;
    providing the sample to the identified analyzer;
    performing at least one of unpacking or decrypting the sample;
    running the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
    recording behavior information indicating behavior of the sample when running;
    reverse engineering the sample into disassembled source code;
    performing a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
    providing intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
    generating an intelligent report regarding the behavior of the sample.
Dependent claims: 8, 9.
10. A system for analyzing a sample of code for malware, the system comprising:
    at least one processor;
    at least one memory element coupled to the at least one processor; and
    at least one module adapted, when executed by the at least one processor, to:
        host multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
        provide a native application environment for each OS in which malware may be executed;
        identify which analyzer is available to analyze the sample;
        provide the sample to the identified analyzer;
        perform at least one of unpacking or decrypting the sample;
        run the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
        record behavior information indicating behavior of the sample when running;
        reverse engineer the sample into disassembled source code;
        perform a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
        provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
        generate an intelligent report regarding the behavior of the sample.
Dependent claims: 11, 12.
13. At least one non-transitory computer-readable medium comprising instructions to analyze a sample of code for malware, wherein the instructions, when executed by at least one processor, cause the at least one processor to:
    host multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
    provide a native application environment for each OS in which malware may be executed;
    identify which analyzer is available to analyze the sample;
    provide the sample to the identified analyzer;
    perform at least one of unpacking or decrypting the sample;
    run the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
    record behavior information indicating behavior of the sample when running;
    reverse engineer the sample into disassembled source code;
    perform a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
    provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
    generate an intelligent report regarding the behavior of the sample.
Dependent claims: 14, 15.
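Claims 7, 10 and 13 describe a pool of analyzers, each bound to its own hosted OS environment, with each incoming sample handed to whichever matching analyzer is currently free. The Python below is an added example, not code from the patent or its assignee: it models that scheduling with one lock per analyzer as the busy flag and a condition variable on which submitters wait when every suitable analyzer is occupied. Choosing the target OS from the sample's header, the Analyzer and AnalyzerPool classes, the pool layout, the constructed sample bytes, and the stand-in run() that records a behavior record instead of executing anything are all assumptions made for the example.

```python
"""
Parallel analyzer pool: several analyzers, each bound to its own hosted OS
environment, with samples dispatched to whichever matching analyzer is idle.

Added illustrative example. Analyzer.run() only records a behavior record
instead of executing the sample, and the sample bytes are constructed.
"""
import hashlib
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def sample_os(sample_bytes):
    """Pick the hosted OS a sample needs from its header (assumption: PE or ELF only)."""
    if sample_bytes.startswith(b"MZ"):
        return "windows"
    if sample_bytes.startswith(b"\x7fELF"):
        return "linux"
    return None


class Analyzer:
    """One analyzer owning one native OS environment; its lock is the busy flag."""

    def __init__(self, name, os_name):
        self.name = name
        self.os_name = os_name
        self._busy = threading.Lock()
        self.runs = []          # (sample_id, behavior) records, in completion order

    def try_acquire(self):
        return self._busy.acquire(blocking=False)

    def release(self):
        self._busy.release()

    def run(self, sample_id, sample_bytes):
        """Stand-in for executing the sample natively and recording its behavior."""
        time.sleep(0.01)        # simulate a run so concurrent submissions really overlap
        behavior = {
            "os": self.os_name,
            "analyzer": self.name,
            "sha256": hashlib.sha256(sample_bytes).hexdigest(),
            "size": len(sample_bytes),
        }
        self.runs.append((sample_id, behavior))
        return behavior


class AnalyzerPool:
    def __init__(self, analyzers):
        self.analyzers = list(analyzers)
        self._idle = threading.Condition()   # submitters wait here for a free analyzer

    def acquire_for(self, sample_bytes):
        """Identify an idle analyzer hosting the OS the sample needs; wait if all are busy."""
        need = sample_os(sample_bytes)
        if need is None:
            raise ValueError("unsupported sample format")
        if not any(a.os_name == need for a in self.analyzers):
            raise ValueError(f"no analyzer hosts {need}")
        with self._idle:
            while True:
                for a in self.analyzers:
                    if a.os_name == need and a.try_acquire():
                        return a
                self._idle.wait()   # released by AnalyzerPool.release()

    def release(self, analyzer):
        with self._idle:
            analyzer.release()
            self._idle.notify_all()

    def analyze(self, sample_id, sample_bytes):
        analyzer = self.acquire_for(sample_bytes)
        try:
            return analyzer.run(sample_id, sample_bytes)
        finally:
            self.release(analyzer)

    def analyze_all(self, samples):
        """Submit every sample at once; returns {sample_id: behavior}."""
        with ThreadPoolExecutor(max_workers=max(1, len(samples))) as workers:
            futures = {sid: workers.submit(self.analyze, sid, data) for sid, data in samples.items()}
            return {sid: f.result() for sid, f in futures.items()}


if __name__ == "__main__":
    pool = AnalyzerPool([Analyzer("win-0", "windows"), Analyzer("win-1", "windows"),
                         Analyzer("lin-0", "linux")])
    samples = {"a": b"MZ\x90\x00" * 4, "b": b"MZ\x90\x01" * 4,
               "c": b"\x7fELF\x02\x01" * 4, "d": b"MZ\x90\x02" * 4}
    for sid, beh in pool.analyze_all(samples).items():
        print(sid, beh["analyzer"], beh["sha256"][:12])
```

Because the busy flag is taken under the condition variable and released under it too, a submitter that finds every matching analyzer occupied cannot miss the wake-up from the next release; with two Windows analyzers and three Windows samples, the third sample simply waits for the first free slot rather than being run alongside another sample on the same environment.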
Specification