System and method for detecting time-bomb malware

US 9,536,091 B2
Filed: 06/24/2013
Issued: 01/03/2017
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an addressable memory; and

one or more hardware processors communicatively coupled to the addressable memory, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content that has been identified as suspicious by the content having a level of likelihood that at least one characteristic identified during inspection of the content indicates a potential presence of malware, the one or more virtual machines being configured to (i) monitor a delay caused by one or more events including, during processing of the suspicious content, an instruction pointer remaining at a specific address in the addressable memory or within a specific address range in the addressable memory that is less than an entire address range-and (ii) determine the suspicious content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds a first time period.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

Citations

20 Claims

1. A system comprising:
- an addressable memory; and
  
  one or more hardware processors communicatively coupled to the addressable memory, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content that has been identified as suspicious by the content having a level of likelihood that at least one characteristic identified during inspection of the content indicates a potential presence of malware, the one or more virtual machines being configured to (i) monitor a delay caused by one or more events including, during processing of the suspicious content, an instruction pointer remaining at a specific address in the addressable memory or within a specific address range in the addressable memory that is less than an entire address range-and (ii) determine the suspicious content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds a first time period.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the one or more virtual machines being configured to further monitor time intervals for one or more Sleep request messages initiated during processing of the suspicious content and identifying the suspicious content as including malware if a combined delay for the one or more Sleep request messages exceeds the first time period.
  - 3. The system of claim 1, wherein the one or more virtual machines being configured to further monitor time intervals for one or more Sleep request messages initiated during processing of the suspicious content and identifying the suspicious content as including malware if one of the time intervals exceeds the first time period.
  - 4. The system of claim 1, wherein the one or more virtual machines being configured to further monitor the one or more events being a number of function calls initiated during processing of the suspicious content represented by a value contained in one or more counters accessible to the one or more virtual machines and identifying the suspicious content as including malware if the number of function calls exceeds a threshold value in response to a comparison conducted by comparison logic being processed by the one or more hardware processors.
  - 6. The system of claim 1, wherein the one or more virtual machines being configured to further maintain and monitor values of time intervals for Sleep calls per call site, initiated during processing of the suspicious content and identifying the suspicious content as including malware if one of the time intervals exceeds a predetermined time period.
  - 7. The system of claim 1, wherein the one or more virtual machines being configured to further maintain and monitor values of call counters for certain functions per call site, initiated during processing of the suspicious content, and identifying the suspicious content as including malware if one of the call counters exceeds the a predetermined count threshold.
  - 8. The system of claim 1 further comprising a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the suspicious content as including malware if a higher count is associated with a call site residing in the suspicious content under analysis.
  - 9. The system of claim 1 further comprising a heuristic engine being configured to identify delay hotspots and identifying the suspicious content as including malware if one of a plurality of time intervals associated with the delay exceeds a predetermined time period.
  - 10. The system of claim 1, wherein the one or more hardware processors being further configured to process a reporting module that issues an alert message indicating the presence of malware within the suspicious content.
  - 11. The system of claim 1, wherein the one or more virtual machines being configured to determine the content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds the first time period and no other malicious activity associated with the suspicious content has been detected by the one or more virtual machines.

5. A system comprising:
- an addressable memory; and
  
  one or more hardware processors communicatively coupled to the addressable memory, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to (i) monitor a delay caused by one or more events including, during processing of the content, an instruction pointer remaining at a specific address in the addressable memory or within a specific address range in the addressable memory that is less than an entire address range-and (ii) determine the content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds a first time period and a level of utilization for the one or more hardware processors is greater than a prescribed operating threshold.
- View Dependent Claims (12, 13)
- - 12. The system of claim 5, wherein the first time period has a duration that is dynamically set.
  - 13. The system of claim 5, wherein the one or more virtual machines being configured to determine the content includes malware when the delay corresponding to the instruction pointer remaining at the specific address or within the specific address range exceeds the first time period, the level of utilization for the one or more hardware processors is greater than the prescribed operating threshold, and no other malicious activity associated with the suspicious content has been detected by the one or more virtual machines.

14. A system comprising:
- one or more hardware processors;
  
  a memory communicatively coupled to the one or more hardware processors, wherein the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content that has been identified as suspicious by having a level of likelihood that at least one characteristic identified during prior inspection of the content indicates a potential presence of malware and the one or more virtual machines determine if the content includes time-bomb malware by monitoring, during processing of the received content within the one or more virtual machines, whether an instruction pointer is being repeatedly directed to a specific address or a specific address range that is less than an entire address space, and identifying the content as including malware when the instruction pointer is repeatedly directed to the specific address or the specific address range.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the received content and identifying the content as including malware if a total delay requested by the one or more Sleep request messages exceeds the second threshold being a first predetermined time period.
  - 16. The system of claim 14, wherein the one or more virtual machines being configured to monitor time intervals for one type of event being one or more Sleep request messages initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds a first predetermined time period.
  - 17. The system of claim 14, wherein the one or more virtual machines being configured to further monitor the number of events being a number of function calls initiated during processing of the content and identifying the content as including malware if the number of function calls exceeds the first threshold.
  - 18. The system of claim 14, wherein the second threshold has a duration that is dynamically set.
  - 19. The system of claim 14, wherein the one or more virtual machines being configured to maintain and monitor time intervals for Sleep calls per call site, initiated during processing of the content and identifying the content as including malware if one of the time intervals exceeds a predetermined time period.
  - 20. The system of claim 14, wherein the memory further comprises a reporting module being configured to differentiate call sites based on module names and assign weights accordingly and identifying the content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vincent, Michael, Vashisht, Sai, Kindlund, Darien
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US13/925,737
Publication Number

US 20140380474A1
Time in Patent Office

1,289 Days
Field of Search
US Class Current

1/1
CPC Class Codes

B01D 61/06   Energy recovery

C02F 1/44   by dialysis, osmosis or rev...

C02F 1/52   by flocculation or precipit...

C02F 1/66   by neutralisation; pH adjus...

C02F 1/76   with halogens or compounds ...

C02F 2103/08   Seawater, e.g. for desalina...

C02F 2303/10   Energy recovery

C02F 2303/18   Removal of treatment agents...

C02F 2303/185   The treatment agent being h...

C02F 3/1273   Submerged membrane bioreactors

C02F 5/08   Treatment of water with com...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Y02W 10/10   Biological treatment of wat...

Y02W 10/30   Wastewater or sewage treatm...

System and method for detecting time-bomb malware

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting time-bomb malware

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links