Systems and methods for malware detection and scanning

US 9,344,446 B2
Filed: 09/08/2014
Issued: 05/17/2016
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method operating in a computing device, the method comprising:

receiving, at a controller in the computing device, a malware scan request transmitted from a remote controller device via a network, the malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, the computing device storing a plurality of virtual machines, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;

launching, by the controller, the plurality of virtual machines in the computing device, in response to the received malware scan request;

instructing, by the controller, each of the plurality of virtual machines of the computing device to;

launch an internet browser of the type and version,request data from a web server hosting a web page over the network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and

perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools; and

receiving, from each of the plurality of virtual machines, results of the performed analysis; and

storing, in a storage, the results of the performed analysis for malware analysis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.

27 Citations

24 Claims

1. A computer-implemented method operating in a computing device, the method comprising:
- receiving, at a controller in the computing device, a malware scan request transmitted from a remote controller device via a network, the malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, the computing device storing a plurality of virtual machines, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
  
  launching, by the controller, the plurality of virtual machines in the computing device, in response to the received malware scan request;
  
  instructing, by the controller, each of the plurality of virtual machines of the computing device to;
  
  launch an internet browser of the type and version,request data from a web server hosting a web page over the network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
  
  perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools; and
  
  receiving, from each of the plurality of virtual machines, results of the performed analysis; and
  
  storing, in a storage, the results of the performed analysis for malware analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein performing the analysis includes:
    - monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
      
      correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
  - 3. The computer-implemented method of claim 1, further comprising:
    - routing, by the controller, traffic from each of the virtual machines through at least one proxy computing device in the network.
  - 4. The computer-implemented method of claim 1, further including:
    - creating, by the controller, packet capture (pcap) files; and
      
      storing the pcap files in a storage.
  - 5. The computer-implemented method of claim 1, further including:
    - comparing at least one of uniform resource identifier (URI), universal resource locator (URL) data, or uniform resource number (URN) data associated with the web page against one or more lists.
  - 6. The computer-implemented method of claim 1, wherein potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 7. The computer-implemented method of claim 1, further including:
    - matching a pattern of the web page with one or more other patterns known to be indicative of malware.
  - 8. The computer-implemented method of claim 1, wherein the one or more parameters in the malware scan request includes a number of virtual machines to visit the web page, and wherein launching a plurality of virtual machines includes:
    - launching the plurality of virtual machines based on the number of virtual machines included in the malware scan request.

9. A computing device for scanning and detection, the device comprising:
- at least one memory to store data and instructions; and
  
  at least one processor to access memory and to execute instructions to;
  
  receive, at a virtual machine controller in the computing device, a malware scan request transmitted from a remote controller device via a network, the malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
  
  launch, by the virtual machine controller, a plurality of virtual machines in the computing device, in response to the received malware scan request;
  
  instruct, by the virtual machine controller, each of the plurality of virtual machines of the computing device to;
  
  launch an internet browser of the type and version,request data from a web server hosting a web page over the network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
  
  perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools;
  
  receive, from each of the plurality of virtual machines, results of the performed analysis; and
  
  store, in a storage, the results of the performed analysis for malware analysis.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9, wherein performing the analysis includes:
    - monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
      
      correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
  - 11. The computing device of claim 9, wherein the processor is further to:
    - route, by the virtual machine controller, traffic from each of the virtual machines through at least one proxy computing device in the network.
  - 12. The computing device of claim 9, wherein the processor is further to:
    - create, by the virtual machine controller, packet capture (pcap) files; and
      
      store the pcap files in a storage.
  - 13. The computing device of claim 9, wherein the processor is further to:
    - compare, by the virtual machine controller, at least one of uniform resource identifier (URI), universal resource locator (URL) data, or uniform resource number (URN) data associated with the web page against one or more lists.
  - 14. The computing device of claim 9, wherein potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 15. The computing device of claim 9, wherein the processor is further to:
    - match a pattern of the web page with one or more other patterns known to be indicative of malware.
  - 16. The computing device of claim 9, wherein the one or more parameters in the malware scan request includes a number of virtual machines to visit the web page, and wherein launching a plurality of virtual machines includes:
    - launching the plurality of virtual machines based on the number of virtual machines included in the malware scan request.

17. A non-transitory computer-readable medium containing instructions that, when executed by a computing device, cause the computing device to perform a method to:
- receive, at a virtual machine controller in the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
  
  launch, by the virtual machine controller, a plurality of virtual machines in the computing device, in response to the received malware scan request;
  
  instruct, by the virtual machine controller, each of the plurality of virtual machines of the computing device to;
  
  launch an internet browser of the type and version,request data from a webserver hosting a web page over a network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
  
  perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools;
  
  receive, from each of the plurality of virtual machines, results of the performed analysis; and
  
  store, in a storage, the results of the performed analysis for malware analysis.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable medium of claim 17, wherein performing the analysis includes:
    - monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
      
      correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the method is further to:
    - route, by the virtual machine controller, traffic from each of the virtual machines through at least one proxy computing device in the network.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the method is further to:
    - create, by the virtual machine controller, packet capture (pcap) files; and
      
      store the pcap files in a storage.
  - 21. The non-transitory computer-readable medium of claim 17, wherein the method is further to:
    - compare, by the virtual machine controller, at least one of uniform resource identifier (URI), universal resource locator (URL) data, or uniform resource number (URN) data associated with the web page against one or more lists.
  - 22. The non-transitory computer-readable medium of claim 17, wherein potential malware includes one or more of obfuscated executable code and potential cross-site scripting attacks.
  - 23. The non-transitory computer-readable medium of claim 17, wherein the method is further to:
    - match a pattern of the web page with one or more other patterns known to be indicative of malware.
  - 24. The non-transitory computer-readable medium of claim 17, wherein the one or more parameters in the malware scan request includes a number of virtual machines to visit the web page, and wherein launching a plurality of virtual machines includes:
    - launching the plurality of virtual machines based on the number of virtual machines included in the malware scan request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Thomas, Ralph, Lapilla, Michael, Tonn, Trevor, Sinclair, Gregory, Hartstein, Blake, Cote, Matthew
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US14/480,289
Publication Number

US 20140380482A1
Time in Patent Office

617 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Systems and methods for malware detection and scanning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware detection and scanning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links