Dynamic content activation for automated analysis of embedded objects

US 9,438,613 B1
Filed: 03/30/2015
Issued: 09/06/2016
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations during processing of a first object in a virtual machine, comprising:

launching the first object in the virtual machine;

querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;

responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including an object-type of the embedded object;

responsive to determining the object-type of the embedded object is one of a predetermined set of object-types based on the metadata, processing the embedded object in the virtual machine; and

determining whether at least one of the first object or the embedded object is malicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received document object and monitors the processing during the dynamic analysis. The dynamic analysis includes a detection of embedded objects and may automatically process the embedded objects, while maintaining a context of the embedding, within the virtual machine processing the document object. The virtual machine may monitor the processing of both the document object and the embedded object. The results of the processing may be analyzed to determine whether the document object includes malware and/or a threat level of the document object.

735 Citations

73 Claims

1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations during processing of a first object in a virtual machine, comprising:
- launching the first object in the virtual machine;
  
  querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
  
  responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including an object-type of the embedded object;
  
  responsive to determining the object-type of the embedded object is one of a predetermined set of object-types based on the metadata, processing the embedded object in the virtual machine; and
  
  determining whether at least one of the first object or the embedded object is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 31, 32, 33)
- - 2. The non-transitory computer readable storage medium of claim 1, wherein the processing of the embedded object includes launching the embedded object to place the embedded object in an activated state and subsequently processing the activated embedded object.
  - 3. The non-transitory computer readable storage medium of claim 1 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - prior to processing the first object in the virtual machine, launching the first object in a plurality of versions of a first application.
  - 4. The non-transitory computer readable storage medium of claim 3 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - monitoring the processing of the first object for suspicious activity; and
      
      when no suspicious activity has been observed within a predetermined amount of time and prior to querying the document object model, selecting a version of the plurality of versions of the first application to utilize when querying the document object model.
  - 5. The non-transitory computer readable storage medium of claim 1, wherein the launching of the embedded object is performed through an automation framework interface.
  - 6. The non-transitory computer readable storage medium of claim 5, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 7. The non-transitory computer readable storage medium of claim 1, wherein based on the processing of the first object and the processing of the embedded object, a threat level is determined.
  - 8. The non-transitory computer readable storage medium of claim 1, wherein, during the processing of the embedded object, a secondary embedded object is detected within the embedded object.
  - 9. The non-transitory computer readable storage medium of claim 8, wherein, whether processing of the secondary embedded object is performed is determined based on information in a configuration file.
  - 10. The non-transitory computer readable storage medium of claim 9, wherein the configuration file may be updated based on information received over a network.
  - 11. The non-transitory computer readable storage medium of claim 1 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - storing metadata of the embedded object in an event log.
  - 12. The non-transitory computer readable storage medium of claim 11, wherein the metadata is used to generate one or more signatures.
  - 31. The non-transitory computer readable storage medium of claim 1, wherein the metadata further includes an object-type of the embedded object, and the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - responsive to determining the location of the embedded object based on the metadata, directing the processing of the first object to a portion of first object including the location of the embedded object, the portion of the first object being less than an entirety of the first object.
  - 32. The non-transitory computer readable storage medium of claim 1, wherein the embedded object is a Uniform Resource Locator (URL).
  - 33. The non-transitory computer readable storage medium of claim 2, wherein the activating and the processing of the embedded object includes maintaining a context of embedding the embedded object in the first object.

13. A system for detecting malware during processing of a first object in a virtual machine, the system comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module comprising logic executed by the one or more processors, the logic comprising;
  
  a launcher that launches the first object in a plurality of versions of the first application processed in the virtual machine;
  
  an identification agent that utilizes an automation framework interface to query a document object model corresponding to the object-type of the first object to determine whether an embedded object is included with the first object and to receive metadata of the embedded object based on the query to the document object model, the metadata including an object-type of the embedded object, the identification agent further selects one version of the plurality of versions of the first application to utilize when (i) querying the document object model and (ii) no suspicious activity is observed within a predetermined amount of time; and
  
  an activation agent for launching the embedded object in a second application in the virtual machine.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the activation agent, when launching the embedded object, places the embedded object in an activated state and processes the activated embedded object.
  - 15. The system of claim 13, wherein the identification agent determines the object-type of the embedded object is one of a predetermined set of object-types.
  - 16. The system of claim 13, wherein the activation agent launches the embedded object by utilizing the automation framework interface of the first application.
  - 17. The system of claim 16, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 18. The system of claim 13, wherein the first application is dependent on the object-type of the first object and the second application is dependent on the object-type of the embedded object.

19. A computerized method detecting malware associated with a first object being processed in a virtual machine, the method comprising:
- launching the first object in the virtual machine;
  
  querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
  
  receiving metadata associated with the embedded object based on the querying of the document object model, the metadata including an object-type of the embedded object;
  
  responsive to determining the object-type of the embedded object is one of a predetermined set of object-types based on the metadata, processing the embedded object in the virtual machine; and
  
  determining whether at least one of the first object or the embedded object is malicious.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. The computerized method of claim 19, wherein the processing of the embedded object includes launching the embedded object to place the embedded object in an activated state and subsequently processing the activated embedded object.
  - 21. The computerized method of claim 19 further comprising:
    - prior to processing the first object in the virtual machine, launching the first object in a plurality of versions of a first application.
  - 22. The computerized method of claim 21, wherein when no suspicious activity is observed within a predetermined amount of time, selecting one version of the plurality of versions of the first application to utilize when querying the document object model.
  - 23. The computerized method of claim 21, wherein the launching of the embedded object is performed by utilization of an automation framework interface.
  - 24. The computerized method of claim 23, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 25. The computerized method of claim 19, wherein based on the processing of the first object and the processing of the embedded object, a threat level is determined.
  - 26. The computerized method of claim 19, wherein, during the processing of the embedded object, a secondary embedded object is detected within the embedded object.
  - 27. The computerized method of claim 26, wherein, whether processing of the secondary embedded object is performed is determined based on information in a configuration file.
  - 28. The computerized method of claim 27, wherein the configuration file may be updated based on information received over a network.
  - 29. The computerized method of claim 19, further comprising:
    - storing metadata of the embedded object in an event log.
  - 30. The computerized method of claim 29, wherein the metadata is used to generate one or more signatures.

34. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations during processing a first object in a virtual machine, comprising:
- launching the first object in the virtual machine;
  
  querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
  
  responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including a location of the embedded object within the first object;
  
  responsive to determining the location of the embedded object based on the metadata, directing processing of the first object to a portion of the first object including the location of the embedded object, the portion of the first object being less than an entirety of the first object;
  
  processing the embedded object; and
  
  determining whether at least one of the first object or the embedded object is malicious.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 35. The non-transitory computer readable storage medium of claim 34, wherein the processing of the embedded object includes launching the embedded object to place the embedded object in an activated state and subsequently processing the activated embedded object.
  - 36. The non-transitory computer readable storage medium of claim 34, wherein the embedded object is a Uniform Resource Locator (URL).
  - 37. The non-transitory computer readable storage medium of claim 34 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - launching the first object in a plurality of versions of a first application.
  - 38. The non-transitory computer readable storage medium of claim 37 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - monitoring the processing of the first object for suspicious activity; and
      
      when no suspicious activity has been observed within a predetermined amount of time and prior to querying the document object model, selecting a version of the plurality of versions of the first application to utilize when querying the document object model.
  - 39. The non-transitory computer readable storage medium of claim 34, wherein the launching of the embedded object is performed through an automation framework interface.
  - 40. The non-transitory computer readable storage medium of claim 39, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 41. The non-transitory computer readable storage medium of claim 34, wherein based on the processing of the first object and the processing of the embedded object, a threat level is determined.
  - 42. The non-transitory computer readable storage medium of claim 34, wherein, during the processing of the embedded object, a secondary embedded object is detected within the embedded object.
  - 43. The non-transitory computer readable storage medium of claim 42, wherein, whether processing of the secondary embedded object is performed is determined based on information in a configuration file.
  - 44. The non-transitory computer readable storage medium of claim 43, wherein the configuration file may be updated based on information received over a network.
  - 45. The non-transitory computer readable storage medium of claim 34 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - storing metadata of the embedded object in an event log.
  - 46. The non-transitory computer readable storage medium of claim 45, wherein the metadata is used to generate one or more signatures.

47. A system for detecting malware during processing of a first object in a virtual machine, the system comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module comprising logic executed by the one or more processors, the logic comprising;
  
  a launcher that launches the first object in a plurality of versions of the first application processed in the virtual machine;
  
  an identification agent that utilizes an automation framework interface to query a document object model corresponding to the object-type of the first object to determine whether an embedded object is included with the first object and to receive metadata of the embedded object based on the query to the document object model, the metadata including a location of the embedded object in the first object, the identification agent further selects one version of the plurality of versions of the first application to utilize when (i) querying the document object model and (ii) no suspicious activity is observed within a predetermined amount of time; and
  
  an activation agent for launching the embedded object in a second application in the virtual machine.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 48. The system of claim 47, wherein the activation agent, when launching the embedded object, places the embedded object in an activated state for processing within the virtual machine.
  - 49. The system of claim 47, wherein the embedded object is a Uniform Resource Locator (URL).
  - 50. The system of claim 47, wherein the processing of the embedded object includes launching the embedded object to place the embedded object in an activated state and subsequently processing the activated embedded object.
  - 51. The system of claim 47 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - launching the first object in a plurality of versions of a first application.
  - 52. The system of claim 51 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - monitoring the processing of the first object for suspicious activity; and
      
      when no suspicious activity has been observed within a predetermined amount of time and prior to querying the document object model, selecting a version of the plurality of versions of the first application to utilize when querying the document object model.
  - 53. The system of claim 47, wherein the launching of the embedded object is performed through an automation framework interface.
  - 54. The system of claim 53, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 55. The system of claim 47, wherein based on the processing of the first object and the processing of the embedded object, a threat level is determined.
  - 56. The system of claim 47, wherein, during the processing of the embedded object, a secondary embedded object is detected within the embedded object.
  - 57. The system of claim 56, wherein, whether processing of the secondary embedded object is performed is determined based on information in a configuration file.
  - 58. The system of claim 57, wherein the configuration file may be updated based on information received over a network.
  - 59. The system of claim 47 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - storing metadata of the embedded object in an event log.
  - 60. The system of claim 59, wherein the metadata is used to generate one or more signatures.

61. A computerized method detecting malware associated with a first object being processed in a virtual machine, the method comprising:
- launching the first object in the virtual machine;
  
  querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
  
  responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including a location of the embedded object;
  
  responsive to determining the location of the embedded object based on the metadata, directing processing of the first object to a portion of the first object including the location of the embedded object, the portion of the first object being less than an entirety of the first object;
  
  processing the embedded object; and
  
  determining whether at least one of the first object or the embedded object is malicious.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73)
- - 62. The computerized method of claim 61, wherein the processing of the embedded object includes launching the embedded object to place the embedded object in an activated state and subsequently processing the activated embedded object.
  - 63. The computerized method of claim 61, wherein the embedded object is a Uniform Resource Locator (URL).
  - 64. The computerized method of claim 61, wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - prior to processing the first object in the virtual machine, launching the first object in a plurality of versions of a first application.
  - 65. The computerized method of claim 64, wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - monitoring the processing of the first object for suspicious activity; and
      
      when no suspicious activity has been observed within a predetermined amount of time and prior to querying the document object model, selecting a version of the plurality of versions of the first application to utilize when querying the document object model.
  - 66. The computerized method of claim 61, wherein the launching of the embedded object is performed through an automation framework interface.
  - 67. The computerized method of claim 66, wherein when the first object is a document of a text processor, the automation framework interface uses a packager tool to launch the embedded object.
  - 68. The computerized method of claim 61, wherein based on the processing of the first object and the processing of the embedded object, a threat level is determined.
  - 69. The computerized method of claim 61, wherein, during the processing of the embedded object, a secondary embedded object is detected within the embedded object.
  - 70. The computerized method of claim 69, wherein, whether processing of the secondary embedded object is performed is determined based on information in a configuration file.
  - 71. The computerized method of claim 70, wherein the configuration file may be updated based on information received over a network.
  - 72. The computerized method of claim 61 wherein the logic, upon execution by the one or more processors implemented within the network device, further performs operations comprising:
    - storing metadata of the embedded object in an event log.
  - 73. The computerized method of claim 72, wherein the metadata is used to generate one or more signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vashisht, Sai
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/673,535
Time in Patent Office

526 Days
Field of Search

726/23, 718/1, 713/189
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/168   above the transport layer

Dynamic content activation for automated analysis of embedded objects

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

735 Citations

73 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic content activation for automated analysis of embedded objects

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

735 Citations

73 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links