Systems and methods of processing data associated with detection and/or handling of malware

US 9,213,838 B2
Filed: 08/24/2012
Issued: 12/15/2015
Est. Priority Date: 05/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented on a computing system for analyzing a sample of code for malware, the method comprising:

performing, by an analyzer of the computing system, at least one of unpacking or decrypting the sample;

running the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;

recording behavior information indicating behavior of the sample during the running;

reverse engineering the sample into disassembled source code;

performing a static analysis of the disassembled source code, wherein the performing the static analysis includes comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;

providing intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and

generating an intelligent report regarding the behavior of the sample.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to malware and, more particularly, towards systems and methods of processing information associated with detecting and handling malware. According to certain illustrative implementations, methods of processing malware are disclosed. Moreover, such methods may include one or more of unpacking and/or decrypting malware samples, dynamically analyzing the samples, disassembling and/or reverse engineering the samples, performing static analysis of the samples, determining latent logic execution path information regarding the samples, classifying the samples, and/or providing intelligent report information regarding the samples.

62 Citations

View as Search Results

15 Claims

1. A method implemented on a computing system for analyzing a sample of code for malware, the method comprising:
- performing, by an analyzer of the computing system, at least one of unpacking or decrypting the sample;
  
  running the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  recording behavior information indicating behavior of the sample during the running;
  
  reverse engineering the sample into disassembled source code;
  
  performing a static analysis of the disassembled source code, wherein the performing the static analysis includes comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
  
  providing intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generating an intelligent report regarding the behavior of the sample.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising classifying the sample, wherein the classifying the sample includes determining a malware family to which the sample belongs.

3. A system for analyzing a sample of code for malware, the system comprising:
- at least one processor;
  
  at least one memory element coupled to the at least one processor; and
  
  at least one module adapted, when executed by the at least one processor, to;
  
  perform at least one of unpacking or decrypting the sample;
  
  run the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  record behavior information indicating behavior of the sample when running;
  
  reverse engineer the sample into disassembled source code;
  
  perform a static analysis of the disassembled source code, wherein the static analysis is performed by comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
  
  provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generate an intelligent report regarding the behavior of the sample.
- View Dependent Claims (4)
- - 4. The system of claim 3, wherein the at least one module is adapted, when executed by the at least one processor, to classify the sample, wherein the sample is classified at least in part by determining a malware family to which the sample belongs.

5. At least one non-transitory computer-readable medium comprising instructions to analyze a sample of code for malware, wherein the instructions, when executed by at least one processor, cause the at least one processor to:
- perform at least one of unpacking or decrypting the sample;
  
  run the sample in a native operating system (OS) environment, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  record behavior information indicating behavior of the sample when running;
  
  reverse engineer the sample into disassembled source code;
  
  perform a static analysis of the disassembled source code, wherein performing the static analysis includes comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information to determine latent logic execution path information associated with the disassembled source code;
  
  provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generate an intelligent report regarding the behavior of the sample.
- View Dependent Claims (6)
- - 6. The at least one non-transitory computer-readable medium of claim 5, wherein the instructions, when executed by the at least one processor, cause the at least one processor to classify the sample, wherein the sample is classified at least in part by determining a malware family to which the sample belongs.

7. A method for analyzing a sample of code for malware, the method comprising:
- hosting multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
  
  providing a native application environment for each OS in which malware may be executed;
  
  identifying which analyzer is available to analyze the sample;
  
  providing the sample to the identified analyzer;
  
  performing at least one of unpacking or decrypting the sample;
  
  running the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  recording behavior information indicating behavior of the sample when running;
  
  reverse engineering the sample into disassembled source code;
  
  performing a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
  
  providing intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generating an intelligent report regarding the behavior of the sample.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, further comprising classifying the sample, wherein the classifying the sample includes determining a malware family to which the sample belongs.
  - 9. The method of claim 7, wherein the latent logic execution path information is determined by comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information.

10. A system for analyzing a sample of code for malware, the system comprising:
- at least one processor;
  
  at least one memory element coupled to the at least one processor; and
  
  at least one module adapted, when executed by the at least one processor, to;
  
  host multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
  
  provide a native application environment for each OS in which malware may be executed;
  
  identify which analyzer is available to analyze the sample;
  
  provide the sample to the identified analyzer;
  
  perform at least one of unpacking or decrypting the sample;
  
  run the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  record behavior information indicating behavior of the sample when running;
  
  reverse engineer the sample into disassembled source code;
  
  perform a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
  
  provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generate an intelligent report regarding the behavior of the sample.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, wherein the latent logic execution path information is determined by comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information.
  - 12. The system of claim 10, wherein the at least one module is adapted, when executed by the at least one processor, to classify the sample, wherein the sample is classified at least in part by determining a malware family to which the sample belongs.

13. At least one non-transitory computer-readable medium comprising instructions to analyze a sample of code for malware, wherein the instructions, when executed by at least one processor, cause the at least one processor to:
- host multiple operating systems (OSes) on a multiple core central processor unit (CPU) system, wherein each OS is associated with a respective analyzer of multiple analyzers configured to run in parallel on the CPU system;
  
  provide a native application environment for each OS in which malware may be executed;
  
  identify which analyzer is available to analyze the sample;
  
  provide the sample to the identified analyzer;
  
  perform at least one of unpacking or decrypting the sample;
  
  run the sample in a native operating system (OS) environment associated with the identified analyzer, wherein the sample is run in parallel with one or more other samples running in respective native OS environments;
  
  record behavior information indicating behavior of the sample when running;
  
  reverse engineer the sample into disassembled source code;
  
  perform a static analysis of the disassembled source code to determine latent logic execution path information associated with the disassembled source code;
  
  provide intelligent report information regarding the sample and each latent logic execution path in the sample, wherein the report information includes malware current payloads and any payload information regarding potential payloads that are hidden in latent code; and
  
  generate an intelligent report regarding the behavior of the sample.
- View Dependent Claims (14, 15)
- - 14. The at least one non-transitory computer-readable medium of claim 13, wherein the latent logic execution path information is determined by comparing logic execution paths in the disassembled source code with previously executed logic execution paths indicated by the behavior information.
  - 15. The at least one non-transitory computer-readable medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the at least one processor to classify the sample, wherein the sample is classified at least in part by determining a malware family to which the sample belongs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mcafee Ireland Holdings Limited (McAfee, LLC)
Original Assignee
Mcafee Ireland Holdings Limited (McAfee, LLC)
Inventors
Lu, Lixin
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Jackson, Jenise

Application Number

US13/594,702
Publication Number

US 20130091571A1
Time in Patent Office

1,208 Days
Field of Search

726 22- 24, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/034   Test or assess a computer o...

Systems and methods of processing data associated with detection and/or handling of malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of processing data associated with detection and/or handling of malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links