Methods for detecting file altering malware in VM based analysis

US 9,483,644 B1
Filed: 03/31/2015
Issued: 11/01/2016
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;

receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;

placing a lure file within the file system according to information of the configuration file;

selectively modifying a name of the lure file;

processing the object within the virtual machine; and

determine whether the object exhibits file altering behavior based on a comparison of one or more actions performed while processing the object that are associated with the lure file and one more known file activity patterns.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received object and monitors the processing during the dynamic analysis for a change to a file system within the virtual machine wherein the change involves a lure file placed in the file system. The file system is configured based on a received configuration file. Upon detection of a change in the file system associated with a lure file, the changes associated with the lure file during processing are compared to known file activity patterns of changes caused by file altering malware to determine whether the object includes file altering malware.

Citations

29 Claims

1. A system comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;
  
  receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
  
  placing a lure file within the file system according to information of the configuration file;
  
  selectively modifying a name of the lure file;
  
  processing the object within the virtual machine; and
  
  determine whether the object exhibits file altering behavior based on a comparison of one or more actions performed while processing the object that are associated with the lure file and one more known file activity patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1 further comprising:
    - prior to processing the object, capturing a snapshot of a state of the file system including the lure file having the selectively modified name.
  - 3. The system of claim 2, wherein determining whether the object exhibits file altering behavior includes a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing the object.
  - 4. The system of claim 1, wherein the configuration file includes configuration information associated with the one or more lure files and information associated with placement of the one or more lure files in the file system.
  - 5. The system of claim 1, wherein selectively modifying includes adding one or more characters to the lure file name.
  - 6. The system of claim 1, wherein the name of the lure file is randomized.
  - 7. The system of claim 1, wherein the one or more actions performed while processing the object that are associated with the lure file match the known file activity pattern when at least one of the one or more of the actions performed while processing the object that are associated with the lure file are equivalent to at least a portion of the known file activity pattern.
  - 8. The system of claim 1, wherein the determining of the exhibition of file altering behavior is performed concurrently with the processing of the object.
  - 9. The system of claim 1, wherein the determining of the exhibition of file altering behavior is performed upon completion of the processing of the object.
  - 10. The system of claim 1, wherein the lure file is received by the virtual machine.
  - 11. The system of claim 1, wherein the lure file is generated by logic included in the virtual machine.
  - 12. The system of claim 1 further comprising:
    - selectively modifying content of the lure file prior to processing the object.
  - 13. The system of claim 1, wherein the file altering behavior is sub-classified based one or more matches found with known file activity patterns.
  - 14. The system of claim 1, wherein file altering behavior exhibited by the object is further classified into a sub-class.
  - 15. The system of claim 1, wherein the configuration file is updated by information obtained through transmissions with a cloud computing service.

16. A non-transitory computer readable medium that includes logic that, when executed by one or more processors, performs operations comprising:
- receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
  
  placing a lure file within the file system according to information of the configuration file;
  
  selectively modifying a name of the lure file;
  
  processing the object within the virtual machine; and
  
  determine the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The non-transitory computer readable medium of claim 16 further comprising:
    - prior to processing the object, capturing a snapshot of a state of the file system including the lure file having the selectively modified name.
  - 18. The non-transitory computer readable medium of claim 16, wherein the determining the object includes file altering malware includes a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing the object.
  - 19. The non-transitory computer readable medium of claim 16, wherein the configuration file includes configuration information associated with the one or more lure files and information associated with placement of the one or more lure files in the file system.
  - 20. The non-transitory computer readable medium of claim 16, wherein the determining the object includes file altering malware is performed concurrently with the processing of the object.
  - 21. The non-transitory computer readable medium of claim 16, wherein the one or more actions performed while processing the object that are associated with the lure file match the known pattern when at least one of the one or more of the actions performed while processing the object that are associated with the lure file are equivalent to at least a portion of the known pattern.
  - 22. The non-transitory computer readable medium of claim 16, wherein the virtual machine is provided with the lure file.
  - 23. The non-transitory computer readable medium of claim 16 further comprising:
    - selectively modifying contents of the lure file prior to processing the object.

24. A computerized method comprising:
- receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
  
  placing a lure file within the file system according to information of the configuration file;
  
  selectively modifying a name of the lure file;
  
  processing the object within the virtual machine; and
  
  determine the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The computerized method of claim 24 further comprising:
    - prior to processing the object, capturing a snapshot of a state of the file system including the lure file having the selectively modified name.
  - 26. The computerized method of claim 24, wherein the determining the object includes file altering malware includes a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing the object.
  - 27. The computerized method of claim 24, wherein the configuration file includes configuration information associated with the one or more lure files and information associated with placement of the one or more lure files in the file system.
  - 28. The computerized method of claim 24, wherein the one or more actions performed while processing the object that are associated with the lure file match the known pattern when at least one of the one or more of the actions performed while processing the object that are associated with the lure file are equivalent to at least a portion of the known pattern.
  - 29. The computerized method of claim 24 further comprising:
    - selectively modifying content of the lure file prior to processing the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Yang, Raymond, Paithane, Sushant, Vashisht, Sai, Khalid, Yasir
Primary Examiner(s)
Le, Chau

Application Number

US14/675,648
Time in Patent Office

581 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/128   Details of file system snap...

G06F 16/166   File name conversion

G06F 16/1734   Details of monitoring file ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/031   Protect user input by softw...

Methods for detecting file altering malware in VM based analysis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for detecting file altering malware in VM based analysis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links