Methods and systems for malware detection based on environment-dependent behavior

US 9,361,459 B2
Filed: 04/19/2013
Issued: 06/07/2016
Est. Priority Date: 04/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method of classifying malicious computer code, the method comprising:

monitoring, by one or more computing processors, execution in a computing environment of a computer program comprising suspicious computer code;

detecting, by at least one of the one or more computing processors, access by the computer program of an item of environmental information for the computing environment;

identifying a branch in the computer program where the branch is based on a value of the accessed item of environmental information;

identifying a plurality of execution paths in the computer program stemming from the identified branch in the computer program;

causing execution of the plurality of execution paths by;

creating a snapshot of the computing environment;

monitoring execution of the computer program in the computing environment consistent with the snapshot;

restoring the computing environment to the snapshot;

altering the accessed item of environmental information in the restored computing environment; and

monitoring execution of the computer program in the restored computing environment consistent with the altered item of environmental information;

determining, based on the execution of the plurality of execution paths, that a first execution path in the plurality of execution paths results in benign behavior and that a second execution path in the plurality of execution paths results in malicious behavior; and

classifying the computer program as evasive malware responsive to the determining.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to methods and systems for malware detection based on environment-dependent behavior. Generally, an analysis environment is used to determine how input collected from an execution environment is used by suspicious software. The methods and systems described identify use of environmental information to decide between execution paths leading to malicious behavior or benign activity. In one aspect, one embodiment of the invention relates to a method comprising monitoring execution of suspect computer instructions; recognizing access by the instructions of an item of environmental information; identifying a plurality of execution paths in the instructions dependant on a branch in the instructions based on a value of the accessed item of environmental information; and determining that a first execution path results in benign behavior and that a second execution path results in malicious behavior. The method comprises classifying the computer instructions as evasive malware responsive to the determination.

15 Citations

20 Claims

1. A method of classifying malicious computer code, the method comprising:
- monitoring, by one or more computing processors, execution in a computing environment of a computer program comprising suspicious computer code;
  
  detecting, by at least one of the one or more computing processors, access by the computer program of an item of environmental information for the computing environment;
  
  identifying a branch in the computer program where the branch is based on a value of the accessed item of environmental information;
  
  identifying a plurality of execution paths in the computer program stemming from the identified branch in the computer program;
  
  causing execution of the plurality of execution paths by;
  
  creating a snapshot of the computing environment;
  
  monitoring execution of the computer program in the computing environment consistent with the snapshot;
  
  restoring the computing environment to the snapshot;
  
  altering the accessed item of environmental information in the restored computing environment; and
  
  monitoring execution of the computer program in the restored computing environment consistent with the altered item of environmental information;
  
  determining, based on the execution of the plurality of execution paths, that a first execution path in the plurality of execution paths results in benign behavior and that a second execution path in the plurality of execution paths results in malicious behavior; and
  
  classifying the computer program as evasive malware responsive to the determining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising executing the computer program in a controlled computing environment.
  - 3. The method of claim 2, wherein the controlled computing environment is a virtual machine.
  - 4. The method of claim 2, wherein the controlled computing environment is based on hardware-supported virtualization.
  - 5. The method of claim 2, wherein monitoring execution of the computer program comprises monitoring the controlled computing environment.
  - 6. The method of claim 5, wherein monitoring the controlled computing environment comprises monitoring one or more computer memory elements.
  - 7. The method of claim 1, wherein access by the computer program of an item of environmental information comprises at least one of:
    - a) the computer program reads one or more files;
      
      b) the computer program reads one or more registry keys;
      
      c) the computer program reads a variable maintained by the operating system;
      
      d) the computer program queries an event handler;
      
      e) the computer program queries an event queue;
      
      f) the computer program interacts with a device driver;
      
      g) the computer program interacts directly with hardware;
      
      h) the computer program interacts with a network; and
      
      i) the computer program interacts with the BIOS or firmware.
  - 8. The method of claim 1, wherein a branch in the computer program is based on a value of the accessed item of environmental information when the computer program compares the value of the accessed item with a second information item.
  - 9. The method of claim 8, wherein the second information item is a second item of environmental information.
  - 10. The method of claim 8, wherein the second information item is internal to the computer program.
  - 11. The method of claim 1, further comprising altering the accessed item of environmental information to cause execution of the second path in the plurality of execution paths in the computer program.

12. A system for classifying malicious computer code, the system comprising one or more computing processors configured to:
- monitor execution in a computing environment of a computer program comprising suspicious computer code;
  
  detect access by the computer program of an item of environmental information for the computing environment;
  
  identify a branch in the computer program where the branch is based on a value of the accessed item of environmental information;
  
  identify a plurality of execution paths in the computer program stemming from the identified branch in the computer program;
  
  cause execution of the plurality of execution paths by;
  
  creating a snapshot of the computing environment;
  
  monitoring execution of the computer program in the computing environment consistent with the snapshot;
  
  restoring the computing environment to the snapshot;
  
  altering the accessed item of environmental information in the restored computing environment; and
  
  monitoring execution of the computer program in the restored computing environment consistent with the altered item of environmental information;
  
  determine, based on the execution of the plurality of execution paths, that a first execution path in the plurality of execution paths results in benign behavior and that a second execution path in the plurality of execution paths results in malicious behavior; and
  
  classify the computer program as evasive malware responsive to the determining.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, where in the one or more computing processor are further configured to provide a controlled computing environment and the monitored computer program executes in the controlled computing environment.
  - 14. The system of claim 13, wherein the controlled computing environment is a virtual machine.
  - 15. The system of claim 13, wherein the controlled computing environment is based on hardware-supported virtualization.
  - 16. The system of claim 12, wherein the one or more processor are configured to monitor execution of a computer program by monitoring one or more computer memory elements.
  - 17. The system of claim 12, wherein access by the computer program of an item of environmental information comprises at least one of:
    - a) the computer program reads one or more files;
      
      b) the computer program reads one or more registry keys;
      
      c) the computer program reads a variable maintained by the operating system;
      
      d) the computer program queries an event handler;
      
      e) the computer program queries an event queue;
      
      f) the computer program interacts with a device driver;
      
      g) the computer program interacts directly with hardware;
      
      h) the computer program interacts with a network; and
      
      i) the computer program interacts with the BIOS or firmware.
  - 18. The system of claim 12, wherein a branch in the computer program is based on a value of the accessed item of environmental information when the computer program compares the value of the accessed item with a second information item.
  - 19. The system of claim 18, wherein the second information item is a second item of environmental information.
  - 20. The system of claim 12, wherein the one or more processors are further configured to alter the accessed item of environmental information to cause execution of the second path in the plurality of execution paths in the computer program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.), Vmware LLC (Broadcom, Inc.)
Original Assignee
Lastline, Inc. (Broadcom, Inc.)
Inventors
Kolbitsch, Clemens, Comparetti, Paolo Milani, Cavedon, Ludovico
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Elmore, Gregory M

Application Number

US13/866,980
Publication Number

US 20140317745A1
Time in Patent Office

1,145 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

Methods and systems for malware detection based on environment-dependent behavior

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for malware detection based on environment-dependent behavior

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links