Malware detection system and method for compressed data on mobile platforms
Abstract
A system and method for detecting malware in compressed data. The system and method identify a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of that family of malware in other compressed executables, fragments of compressed executables, or data streams.
11 Claims
1. A computing device for developing search strings for detecting malware in compressed data, the device comprising:
a non-transitory memory having stored thereon a plurality of malware-infected executables infected with a family of malware, wherein each of the plurality of malware-infected executables comprises a respective compressed code portion; and
a hardware-based processor configured to:
extract a plurality of candidate strings from the compressed code portions of the plurality of malware-infected executables;
identify at least one of the plurality of candidate strings that is present in each of the plurality of malware-infected executables as a search string common to the compressed code portions of the plurality of malware-infected executables; and
store the search string common to the plurality of malware-infected executables to a mobile device to cause the mobile device to determine whether target applications including compressed code portions are infected with malware based at least in part on the search string.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A mobile device for detecting malware in compressed data, the mobile device comprising:
a non-transitory memory configured to store a search string common to compressed code portions of a plurality of malware-infected executables, wherein each of the malware-infected executables is infected with a family of malware; and
a hardware-based processor configured to:
scan a compressed code portion of a target executable for the search string to detect whether the search string is present in the compressed code portion of the target executable; and
determine that the target executable is infected with malware from the family of malware when the search string is detected in the compressed code portion of the target executable.
Dependent claims: 9, 10, 11
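The following is an added worked example of the two claimed halves working together (the offline derivation of claim 1 and the on-device scan of claim 8); it is illustration written for this page, not code from the patent or its assignee. It assumes a hypothetical PKG1 container in which every section is deflated as its own zlib stream (the way zip/APK entries are compressed independently), and the payload, app sections, container format and the names pack_executable, derive_search_string and is_infected are all constructed for the example; the "injected code" is opcode-like filler, not real malware.

```python
"""Deriving a family search string over compressed code, then scanning for it.

Added example for this page; not the patent's own code. The PKG1 container,
the packer behaviour and every sample byte below are constructed.
"""
import random
import struct
import zlib
from typing import Sequence

MAGIC = b"PKG1"  # hypothetical container: MAGIC, u32 section count, then (u32 len, zlib stream)*


def pack_executable(sections: Sequence[bytes]) -> bytes:
    """Constructed packer: each section becomes an independent zlib stream, as a
    zip/APK entry would. A stream depends only on its own input, so an identical
    injected section yields identical compressed bytes in every infected file."""
    streams = [zlib.compress(s) for s in sections]
    body = b"".join(struct.pack(">I", len(c)) + c for c in streams)
    return MAGIC + struct.pack(">I", len(streams)) + body


def compressed_code_portion(exe: bytes) -> bytes:
    """Locate the compressed code portion: everything after the container header."""
    if exe[:4] != MAGIC:
        raise ValueError("not a PKG1 container")
    return exe[8:]


def candidate_strings(blob: bytes, n: int) -> set:
    """Claim 1, step 1: every length-n byte string of a compressed portion is a candidate."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def derive_search_string(samples: Sequence[bytes], n: int = 8,
                         min_run: int = 32, sig_len: int = 64) -> bytes:
    """Claim 1, steps 2-3: keep candidates present in every sample, grow them into the
    longest byte run common to all samples, and cut the search string from its interior."""
    blobs = [compressed_code_portion(s) for s in samples]
    common = set.intersection(*(candidate_strings(b, n) for b in blobs))
    first, best, i = blobs[0], b"", 0
    while i <= len(first) - n:
        if first[i:i + n] not in common:
            i += 1
            continue
        end = i + n  # extend this common n-gram while every other sample still contains it
        while end < len(first) and all(first[i:end + 1] in b for b in blobs[1:]):
            end += 1
        if end - i > len(best):
            best = first[i:end]
        i = end
    if len(best) < min_run:
        raise ValueError("no byte run shared by all samples; were they packed the same way?")
    # Use the middle of the run: its edges may include bytes that depend on the
    # neighbouring sections (length fields, stream trailers); the interior does not.
    sig_len = min(sig_len, len(best))
    start = (len(best) - sig_len) // 2
    return best[start:start + sig_len]


def is_infected(target_exe: bytes, search_string: bytes) -> bool:
    """Claim 8: the on-device check is a plain substring scan of the compressed portion."""
    return search_string in compressed_code_portion(target_exe)


# --- constructed sample data (not real malware, not real apps) ---------------
_rng = random.Random(0xC0DE)
_OPS = (b"\x55", b"\x89\xe5", b"\x83\xec\x10", b"\x8b\x45\x08", b"\x31\xc0", b"\xff\xd0", b"\xc9", b"\xc3")
# Stand-in for the family's injected code: opcode-like bytes with random immediates.
PAYLOAD = b"".join(
    _rng.choice(_OPS)
    + (b"\x68" + _rng.randrange(1 << 32).to_bytes(4, "little") if _rng.random() < 0.2 else b"")
    for _ in range(300))


def benign_section(seed: int) -> bytes:
    """Stand-in for an app's own clean code; differs from app to app."""
    r = random.Random(seed)
    words = (b"onCreate", b"setContentView", b"findViewById", b"startActivity", b"Bundle")
    return b"".join(r.choice(words) + bytes([r.randrange(256)]) for _ in range(150))


def infected_app(seed: int) -> bytes:
    return pack_executable([benign_section(seed), PAYLOAD, benign_section(seed + 1)])


def clean_app(seed: int) -> bytes:
    return pack_executable([benign_section(seed), benign_section(seed + 1)])


def monolithic_infected_app(seed: int) -> bytes:
    """Same sections, but a packer that deflates them as ONE stream: the payload's
    compressed form now depends on what precedes it, so the search string misses."""
    blob = zlib.compress(b"".join([benign_section(seed), PAYLOAD, benign_section(seed + 1)]))
    return MAGIC + struct.pack(">I", 1) + struct.pack(">I", len(blob)) + blob


if __name__ == "__main__":
    sig = derive_search_string([infected_app(s) for s in (10, 20, 30)])
    print("search string:", sig.hex())
    print("new infected app:", is_infected(infected_app(40), sig))
    print("clean app:", is_infected(clean_app(50), sig))
    print("same payload, other packer:", is_infected(monolithic_infected_app(60), sig))
```

The last line of the script is the caveat a practitioner should carry away: the search string is a fingerprint of one compressor's output, so it survives only while the injected code is compressed in the same way and in the same context (same library, level and no preceding data in the stream). Each packer or compressor variant therefore needs its own derivation, and signatures over uncompressed code do not transfer. When scanning fragments or a data stream, as the abstract contemplates, the scanner must keep the last len(search_string) - 1 bytes of each chunk and prepend them to the next, or a match straddling a chunk boundary is lost.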
Specification