System and method for detecting time-bomb malware
Abstract
According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
20 Claims
1. A system comprising:
an addressable memory; and one or more hardware processors communicatively coupled to the addressable memory, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content that has been identified as suspicious by the content having a level of likelihood that at least one characteristic identified during inspection of the content indicates a potential presence of malware, the one or more virtual machines being configured to (i) monitor a delay caused by one or more events including, during processing of the suspicious content, an instruction pointer remaining at a specific address in the addressable memory or within a specific address range in the addressable memory that is less than an entire address range, and (ii) determine the suspicious content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds a first time period. - View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11)
5. A system comprising:
an addressable memory; and one or more hardware processors communicatively coupled to the addressable memory, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to (i) monitor a delay caused by one or more events including, during processing of the content, an instruction pointer remaining at a specific address in the addressable memory or within a specific address range in the addressable memory that is less than an entire address range, and (ii) determine the content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds a first time period and a level of utilization for the one or more hardware processors is greater than a prescribed operating threshold. - View Dependent Claims (12, 13)
14. A system comprising:
one or more hardware processors; a memory communicatively coupled to the one or more hardware processors, wherein the one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content that has been identified as suspicious by having a level of likelihood that at least one characteristic identified during prior inspection of the content indicates a potential presence of malware, and the one or more virtual machines determine if the content includes time-bomb malware by monitoring, during processing of the received content within the one or more virtual machines, whether an instruction pointer is being repeatedly directed to a specific address or a specific address range that is less than an entire address space, and identifying the content as including malware when the instruction pointer is repeatedly directed to the specific address or the specific address range. - View Dependent Claims (15, 16, 17, 18, 19, 20)
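The three independent claims above describe one detector with three variants: claim 1 flags content when the instruction pointer dwells at one address or inside one small address range for longer than a time threshold; claim 5 adds a CPU-utilization gate to that dwell; claim 14 instead counts how often the instruction pointer is directed back to the same address. The following Python is an added illustration of those checks run over a sampled instruction-pointer trace; it is not the patent's own implementation or any vendor's code. The trace format (`Sample`), the sampling interval, the two constructed traces and every threshold are assumptions chosen for the example.

```python
"""Delay-loop ("time-bomb") detection over a sampled instruction-pointer trace.

Added example modelling the checks in the claims above; not the patent's
implementation. Trace format, sampling interval and thresholds are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t_ms: float      # time since analysis start, in ms (assumed periodic sampler)
    ip: int          # instruction pointer observed at that instant
    cpu_util: float  # guest CPU utilization in [0, 1] at that instant


@dataclass(frozen=True)
class Dwell:
    lo: int          # lowest IP seen in the window
    hi: int          # highest IP seen in the window
    start_ms: float
    end_ms: float
    mean_util: float

    @property
    def duration_ms(self) -> float:
        return self.end_ms - self.start_ms


def longest_dwell(samples: List[Sample], range_size: int) -> Optional[Dwell]:
    """Longest run of consecutive samples whose IPs all fit inside a window of
    at most `range_size` bytes (a region far smaller than the address space).
    Greedy: the window keeps growing while the new IP leaves hi - lo <= range_size."""
    best: Optional[Dwell] = None
    lo: Optional[int] = None
    hi: Optional[int] = None
    start = 0
    util_sum = 0.0
    for idx, s in enumerate(samples):
        if lo is not None and max(hi, s.ip) - min(lo, s.ip) <= range_size:
            lo, hi = min(lo, s.ip), max(hi, s.ip)
            util_sum += s.cpu_util
        else:                      # IP left the region: start a new window here
            lo = hi = s.ip
            start = idx
            util_sum = s.cpu_util
        count = idx - start + 1
        cand = Dwell(lo, hi, samples[start].t_ms, s.t_ms, util_sum / count)
        if best is None or cand.duration_ms > best.duration_ms:
            best = cand
    return best


def max_reentries(samples: List[Sample]) -> Tuple[int, int]:
    """Address the IP is most often directed back to, with its arrival count.
    An arrival is counted when the IP moves onto the address from a different
    one (a loop back-edge), not once per sample parked there."""
    arrivals: Dict[int, int] = {}
    prev: Optional[int] = None
    for s in samples:
        if s.ip != prev:
            arrivals[s.ip] = arrivals.get(s.ip, 0) + 1
        prev = s.ip
    if not arrivals:
        return 0, 0
    addr = max(arrivals, key=arrivals.get)
    return addr, arrivals[addr]


def classify(samples: List[Sample], *, range_size: int = 0x100,
             max_dwell_ms: float = 2000.0, util_threshold: float = 0.8,
             reentry_threshold: int = 10) -> Dict[str, bool]:
    """Verdicts under the three claim variants (thresholds are assumptions)."""
    dwell = longest_dwell(samples, range_size)
    stuck = dwell is not None and dwell.duration_ms > max_dwell_ms
    _, reentries = max_reentries(samples)
    return {
        "dwell": stuck,                                             # claim 1
        "busy_wait": stuck and dwell.mean_util > util_threshold,    # claim 5
        "reentry": reentries >= reentry_threshold,                  # claim 14
    }


def build_trace(loop_lo: int, loop_hi: int, loop_ms: float,
                loop_util: float, step_ms: float = 10.0) -> List[Sample]:
    """Constructed trace: 50 samples of straight-line code, then `loop_ms` of
    the IP cycling through loop_lo..loop_hi at the given CPU utilization."""
    samples: List[Sample] = []
    t = 0.0
    for i in range(50):
        samples.append(Sample(t, 0x401000 + 0x40 * i, 0.5))
        t += step_ms
    span = loop_hi - loop_lo + 1
    for i in range(int(loop_ms / step_ms)):
        samples.append(Sample(t, loop_lo + i % span, loop_util))
        t += step_ms
    return samples


# Constructed traces: a 3 s busy-wait loop over 16 bytes versus a 3 s blocking
# sleep that leaves the IP parked at one address with the CPU nearly idle.
BUSY_LOOP = build_trace(0x402000, 0x40200F, 3000, 0.95)
SLEEPING = build_trace(0x7FF60000, 0x7FF60000, 3000, 0.02)

if __name__ == "__main__":
    for name, trace in (("busy loop", BUSY_LOOP), ("sleeping", SLEEPING)):
        print(name, classify(trace))
```

The two traces show why claim 5's utilization gate matters: a thread blocked in a sleep call parks the instruction pointer just as a spin loop does, so the plain dwell check (claim 1) flags both, while only the busy-wait loop also exceeds the utilization threshold. The re-entry count (claim 14) separates them differently: the loop keeps returning to its first address, whereas the sleeping trace arrives at its parked address exactly once.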
Specification