System and method for below-operating system regulation and control of self-modifying code

US 9,392,016 B2
Filed: 07/10/2014
Issued: 07/12/2016
Est. Priority Date: 03/29/2011
Status: Active Grant

First Claim

Patent Images

1. An article of manufacture, comprising:

a non-transitory computer readable medium;

computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;

trap, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems;

record information associated with the attempted access in a history in response to trapping the attempted access to memory;

analyze information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, wherein analyzing information includes;

identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location;

identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and

identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations;

initiate corrective action in response to determining suspicious behavior respect to the particular memory location;

determine whether the particular memory location has been affected by malware; and

initiate further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of;

disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.

Citations

24 Claims

1. An article of manufacture, comprising:
- a non-transitory computer readable medium;
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  trap, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems;
  
  record information associated with the attempted access in a history in response to trapping the attempted access to memory;
  
  analyze information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, wherein analyzing information includes;
  
  identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location;
  
  identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and
  
  identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations;
  
  initiate corrective action in response to determining suspicious behavior respect to the particular memory location;
  
  determine whether the particular memory location has been affected by malware; and
  
  initiate further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of;
  
  disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The article of claim 1, further comprising instructions to initiate corrective action by communicating forensic evidence to a protection server.
  - 3. The article of claim 1, further comprising instructions to initiate corrective action by comparing content of the particular memory location with known processes to determine whether the particular memory location has been affected by malware.
  - 4. The article of claim 1, further comprising instructions to, in response to another attempted access of the particular memory location, initiate recording information associated with attempted accesses to the particular memory location in the history.
  - 5. The article of claim 1, further comprising instructions to identify suspicious behavior based on whether a subsequent attempted access is made of the particular memory location, the subsequent attempted access including an attempt to change permissions associated with the particular memory location.
  - 6. The article of claim 1, further comprising instructions to:
    - perform the trapping, recording, and analyzing by a below-operating system security agent;
      
      access the below-operating system security agent with the processor; and
      
      execute additional programs in the memory with the processor.

7. A system for securing an electronic device, comprising:
- a memory;
  
  a processor;
  
  one or more operating systems residing in the memory for execution by the processor;
  
  a security agent configured to;
  
  execute on the electronic device at higher priority than all operating systems of the electronic device;
  
  trap an attempted access of a particular memory location in the memory based upon an indication that the attempted access is associated with self-modifying malware;
  
  record information associated with the attempted access in a history;
  
  determine whether suspicious behavior is related to the particular memory location based on information in the history indicating that content was copied between memory locations, that the content was subsequently modified, and that the processor subsequently attempted to execute the content;
  
  determine whether suspicious behavior is related to the particular memory location based on information in the history indicating attempted execution of a plurality of memory locations that each have a common memory location ancestor;
  
  determine whether suspicious behavior is related to the particular memory location based on information in the history indicating content at the particular memory location has ancestors at a plurality of other memory locations;
  
  initiate corrective action in response to determining suspicious behavior related to the particular memory location;
  
  determine whether the particular memory location has been affected by malware; and
  
  initiate further corrective action in response to determining that the particular memory location has been affected by malware, including at least one of;
  
  disallowing execution of content associated with the particular memory location, reversing changes to the content described in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the security agent is further configured to initiate corrective action by communicating forensic evidence of the suspicious behavior to a protection server communicatively coupled to the processor.
  - 9. The system of claim 7, wherein the security agent is further configured to initiate corrective action by comparing content of the particular memory location with known processes executing in the processor to determine whether the particular memory location has been affected by malware.
  - 10. The system of claim 7, wherein the security agent is further configured to:
    - determine another attempted access of the particular memory location; and
      
      based on a determination of the other attempted access of the particular memory location, initiate recording information associated with attempted accesses to the particular memory location in the history.
  - 11. The system of claim 7, wherein the security agent is further configured to:
    - determine a subsequent attempted access of the particular memory location; and
      
      determine whether the subsequent attempted access of the particular memory location includes an attempted access to change permissions associated with the particular memory location; and
      
      determine whether suspicious behavior is related to the particular memory location based on the attempted access to change permissions.
  - 12. The system of claim 7, wherein:
    - the security agent includes a below-operating system security agent; and
      
      the processor is configured to execute additional programs at the same priority as the operating systems.

13. An article of manufacture, comprising:
- a non-transitory computer readable medium;
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a higher priority than all operating systems of an electronic device;
  
  identify that an attempted access of a particular memory location in memory indicates self-modifying malware;
  
  trap the attempted access;
  
  record information about the attempted access in a history;
  
  determine possible suspicious behavior related to the particular memory location based on information in the history indicating that content was copied between memory locations, that the content was subsequently modified, and that the processor subsequently attempted to execute the content;
  
  determine possible suspicious behavior related to the particular memory location based on information in the history indicating attempted execution of a plurality of memory locations that each have a common memory location ancestor;
  
  determine possible suspicious behavior related to the particular memory location based on information in the history indicating that content at the particular memory location has ancestors at a plurality of other memory locations;
  
  initiate corrective action in response to determining any possible suspicious behavior related to the particular memory location;
  
  determine whether the particular memory location has been affected by malware; and
  
  initiate further corrective action in response to determining that the particular memory location has been affected by malware, including at least one of;
  
  disallowing execution of content associated with the particular memory location, reversing changes to the content described in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content;
  
  wherein the electronic device includes one or more operating systems.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The article of claim 13, further comprising instructions for causing the processor to initiate corrective action by communicating forensic evidence of the possible suspicious behavior to a protection server.
  - 15. The article of claim 13, further comprising instructions for causing the processor to initiate corrective action by comparing content of the particular memory location with known processes executing in the processor to determine whether the particular memory location has been affected by malware.
  - 16. The article of claim 13, further comprising instructions for causing the processor to:
    - determine another attempted access of the particular memory location; and
      
      based on a determination of the other attempted access of the particular memory location, initiate recording information associated with attempted accesses to the particular memory location in the history.
  - 17. The article of claim 13, further comprising instructions for causing the processor to:
    - determine another attempted access of the particular memory location; and
      
      determine whether the other attempted access of the particular memory location includes an attempt to change permissions associated with the particular memory location; and
      
      determine possible suspicious behavior related to the particular memory location based on the attempt to change permissions.
  - 18. The article of claim 13, further comprising instructions for causing the processor to execute additional programs at the same priority as the operating systems.

19. A method for securing an electronic device, comprising:
- trapping, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems;
  
  recording information associated with the attempted access in a history in response to trapping the attempted access to memory; and
  
  analyzing information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, comprising;
  
  identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location;
  
  identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and
  
  identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations;
  
  initiating corrective action in response to determining suspicious behavior respect to the particular memory location;
  
  determining whether the particular memory location has been affected by malware; and
  
  initiating further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of;
  
  disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19, further comprising initiating corrective action by communicating forensic evidence to a protection server.
  - 21. The method of claim 19, further comprising initiating corrective action by comparing content of the particular memory location with known processes to determine whether the particular memory location has been affected by malware.
  - 22. The method of claim 19, further comprising, in response to another attempted access of the particular memory location, initiating recording information associated with attempted accesses to the particular memory location in the history.
  - 23. The method of claim 19, further comprising identifying suspicious behavior based on whether a subsequent attempted access is made of the particular memory location, the subsequent attempted access including an attempt to change permissions associated with the particular memory location.
  - 24. The method of claim 19, further comprising:
    - performing the trapping, recording, and analyzing by a below-operating system security agent;
      
      accessing the below-operating system security agent with the processor; and
      
      executing additional programs in the memory with the processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/328,105
Publication Number

US 20140325656A1
Time in Patent Office

733 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

H04L 63/145   the attack involving the pr...

System and method for below-operating system regulation and control of self-modifying code

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for below-operating system regulation and control of self-modifying code

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links