Malware detection system and method for compressed data on mobile platforms

US 9,542,555 B2
Filed: 04/13/2015
Issued: 01/10/2017
Est. Priority Date: 04/06/2006
Status: Active Grant

First Claim

Patent Images

1. A computing device for developing search strings for detecting malware in compressed data, the device comprising:

a non-transitory memory having stored thereon a plurality of malware-infected executables infected with a family of malware, wherein each of the plurality of malware-infected executables comprises a respective compressed code portion; and

a hardware-based processor configured to;

extract a plurality of candidate strings from the compressed code portions of the plurality of malware-infected executables;

identify at least one of the plurality of candidate strings that is present in each of the plurality of malware-infected executables as a search string common to the compressed code portions of the plurality of malware-infected executables; and

store the search string common to the plurality of malware-infected executables to a mobile device to cause the mobile device to determine whether target applications including compressed code portions are infected with malware based at least in part on the search string.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.

98 Citations

11 Claims

1. A computing device for developing search strings for detecting malware in compressed data, the device comprising:
- a non-transitory memory having stored thereon a plurality of malware-infected executables infected with a family of malware, wherein each of the plurality of malware-infected executables comprises a respective compressed code portion; and
  
  a hardware-based processor configured to;
  
  extract a plurality of candidate strings from the compressed code portions of the plurality of malware-infected executables;
  
  identify at least one of the plurality of candidate strings that is present in each of the plurality of malware-infected executables as a search string common to the compressed code portions of the plurality of malware-infected executables; and
  
  store the search string common to the plurality of malware-infected executables to a mobile device to cause the mobile device to determine whether target applications including compressed code portions are infected with malware based at least in part on the search string.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device of claim 1, wherein the hardware-based processor is configured to extract candidate strings from uncompressed header portions of the plurality of malware-infected executables.
  - 3. The computing device of claim 1, wherein the candidate strings are extracted from non-ASCII portions of the compressed code portions of the plurality of malware-infected executables.
  - 4. The computing device of claim 1, wherein the hardware-based processor is configured to identify a plurality of search strings common to the compressed code portions of the plurality of malware-infected executables from the plurality of candidate strings.
  - 5. The computing device of claim 1, wherein to searching is performed using an algorithm selected from the group consisting of:
    - a greedy algorithm, a heuristic algorithm, an evolutionary algorithm, and dynamic programming.
  - 6. The computing device of claim 1, wherein the hardware-based processor is configured to:
    - receive a target executable with the search string present in the target executable;
      
      incorporate the target executable into the plurality of malware-infected executables;
      
      re-execute the identifying to develop one or more improved search strings; and
      
      ,distribute the improved search strings to the mobile device.
  - 7. The computing device of claim 6, wherein the hardware-based processor distributes the improved search strings using a device independent secure management protocol.

8. A mobile device for detecting malware in compressed data, the mobile device comprising:
- a non-transitory memory configured to store a search string common to compressed code portions of a plurality of malware-infected executables, wherein each of the malware-infected executables is infected with a family of malware; and
  
  a hardware-based processor configured to;
  
  scan a compressed code portion of a target executable for the search string to detect whether the search string is present in the compressed code portion of the target executable, anddetermine that the target executable is infected with malware from the family of malware when the search string is detected in the compressed code portion of the target executable.
- View Dependent Claims (9, 10, 11)
- - 9. The mobile device of claim 8, wherein the hardware-based processor is further configured to:
    - obtain a second, different search string extracted from uncompressed header portions of the malware-infected executables; and
      
      scan an uncompressed header of the target executable for the second search string.
  - 10. The mobile device of claim 8, wherein the hardware-based processor is further configured to report the target executable to an operational support system after determining that the search string is present in the compressed code portion of the target executable.
  - 11. The mobile device of claim 8, wherein the mobile device is selected from a group consisting of:
    - a mobile telephone, a smart phone, a mobile computing device, a smart handheld device, and a network element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tuvell, George, Venugopal, Deepak
Primary Examiner(s)
Goodchild, William
Assistant Examiner(s)
Salehi, Helai

Application Number

US14/685,391
Publication Number

US 20160012227A1
Time in Patent Office

638 Days
Field of Search

726/22, 726/24, 726/23, 713187-194
US Class Current

1/1
CPC Class Codes

G06F 16/245   Query processing

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware detection system and method for compressed data on mobile platforms

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection system and method for compressed data on mobile platforms

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links