System and method for detecting malicious mobile program code

US 9,246,938 B2
Filed: 04/23/2007
Issued: 01/26/2016
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware, comprising:

receiving a program file;

performing, by a malware detector comprising executable instructions, analysis on the program file to identify a plurality of URLs;

associating, by the malware detector, a category with each of the plurality of URLs as a function of a URL filter database;

assigning, by the malware detector, a malware probability and a malware type to each of the plurality of URLs responsive to the category associated with each of the plurality of URLs, wherein the malware type describes a function of malware associated with the category associated with that URL;

calculating a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;

assigning an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and

deciding how to dispose of the program file based at least in part on the overall malware type of the program file; and

wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of detecting malware. A program file is received and analysis performed to identify URLs embedded in the program file. The URLs are categorized as a function of a URL filter database and a malware probability is assigned to each URL identified. A decision is made on how to dispose of the program file as a function of the malware probability of one or more of the URLs identified. In one example approach, a malware type is also assigned to the program file as a function of one or more of the URLs identified.

21 Citations

View as Search Results

16 Claims

1. A method of detecting malware, comprising:
- receiving a program file;
  
  performing, by a malware detector comprising executable instructions, analysis on the program file to identify a plurality of URLs;
  
  associating, by the malware detector, a category with each of the plurality of URLs as a function of a URL filter database;
  
  assigning, by the malware detector, a malware probability and a malware type to each of the plurality of URLs responsive to the category associated with each of the plurality of URLs, wherein the malware type describes a function of malware associated with the category associated with that URL;
  
  calculating a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
  
  assigning an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
  
  deciding how to dispose of the program file based at least in part on the overall malware type of the program file; and
  
  wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein performing analysis comprises performing a static behavioral analysis bysearching for function calls and identifying any URLs passed with the function calls.
  - 3. The method of claim 1, wherein performing analysis comprises performing dynamic behavioral analysis by emulating code in the program file.
  - 4. The method of claim 1, wherein associating a category with each of the plurality of URLs as a function of a URL filter database comprises:
    - determining if a URL is not in the URL filter database and,if the URL is not in the URL filter database, querying a server of the URL for information.

5. A gateway, comprising:
- a hardware processor;
  
  an anti-malware filter, comprising executable instructions;
  
  a URL filter database; and
  
  a malware detector, comprising executable instructions, connected to the anti-malware filter and the URL filter database;
  
  wherein the malware detector is configured to;
  
  perform analysis on a program file to identify a plurality of URLs;
  
  associate a category with each of the plurality of URLs as a function of the URL filter database;
  
  assign a malware type to each of the plurality of URLs,wherein the malware type describes a function of malware associated with the category associated with that URL;
  
  assign a malware probability to each of the plurality of URLs, based on the category associated with that URL;
  
  calculate a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
  
  assign an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
  
  wherein the anti-malware filter is configured to decide, based at least in part on the overall malware type of the program file, how to dispose of the program file, andwherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The gateway of claim 5, wherein the analysis of the program file is a static behavioral analysis.
  - 7. The gateway of claim 6, wherein the static behavioral analysis comprises searching for function calls and identifying any URLs passed with the function calls.
  - 8. The gateway of claim 5, wherein the analysis comprises searching for URLs in data areas.
  - 9. The gateway of claim 5, wherein the analysis comprises dynamic behavioral analysis.
  - 10. The gateway of claim 9, wherein the dynamic behavioral analysis comprises emulating code in the program file by the malware detector.
  - 11. The gateway of claim 5, wherein the malware detector is further configured to determine if a URL of the plurality of URLs is not in the URL filter database and, if the URL is not in the URL filter database, query a server for URL information.

12. A non-transitory machine readable medium, on which are stored instructions, comprising instructions that when executed cause a machine to:
- identify, by a malware detector, a plurality of URLs in a program file;
  
  associate, by the malware detector, a category with each of the plurality of URLs as a function of a URL filter database;
  
  assign, by the malware detector, a malware probability and a malware type to the URL based at least in part on the category associated with that URL, wherein the malware type describes a function of malware associated with the category associated with that URL;
  
  calculate a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
  
  assign an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
  
  determine how to dispose of the program file based at least in part on the overall malware type of the program file,wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The machine readable medium of claim 12, wherein the instructions further comprise instructions that when executed cause the machine to:
    - calculate a malware probability for the program file as a function of the malware probabilities of each of the plurality of URLs.
  - 14. The machine readable medium of claim 12, wherein the instruction that when executed cause the machine to identify a URL in the program file comprise instructions that when executed cause the machine to:
    - search a data area for a URL.
  - 15. The machine readable medium of claim 12, wherein the instruction that when executed cause the machine to identify a URL in the program file comprise instructions that when executed cause the machine to:
    - perform a dynamic behavioral analysis of the program file.
  - 16. The machine readable medium of claim 12, wherein the instruction that when executed cause the machine to associate a category with the URL using a URL filter database comprise instructions that when executed cause the machine to:
    - search for the URL in the URL filter database; and
      
      query a server for information associated with the URL responsive to not finding the URL in the URL filter database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
POTRATZ, DANIEL B

Application Number

US11/738,703
Publication Number

US 20080263659A1
Time in Patent Office

3,200 Days
Field of Search

726/22, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0236   Filtering by address, proto...

H04L 63/145   the attack involving the pr...

System and method for detecting malicious mobile program code

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting malicious mobile program code

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others