Detecting malware based on reflection

US 9,594,904 B1
Filed: 04/23/2015
Issued: 03/14/2017
Est. Priority Date: 04/23/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

receiving, by a network device, an object for analysis;

conducting, by the network device, a first analysis to determine whether the object is configured to invoke reflection operations at run-time; and

responsive to the network device determining that the object is configured to invoke reflection operations at run-time, conducting a second analysis within one or more virtual machines to determine whether the object is deemed to be malicious.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment of the disclosure, a computerized method is described to detect a malicious object through its attempt to utilize reflection. The computerized method comprises receiving, by a network device, an object for analysis. Thereafter, the network device conducts a first analysis within a sandboxed environment. The first analysis determines whether the object is configured to utilize reflection. According to one embodiment, the first analysis involves analysis of the content of the object by a static analysis engine. Alternatively, or in addition to this analysis, the behavior of the object by an attempt to access a reflection API may determine that the object is utilizing reflection. Responsive to the network device determining that the object utilizes reflection, a second analysis is conducted to determine whether the object is malicious.

Citations

25 Claims

1. A computerized method comprising:
- receiving, by a network device, an object for analysis;
  
  conducting, by the network device, a first analysis to determine whether the object is configured to invoke reflection operations at run-time; and
  
  responsive to the network device determining that the object is configured to invoke reflection operations at run-time, conducting a second analysis within one or more virtual machines to determine whether the object is deemed to be malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computerized method of claim 1, wherein the object is deemed to be malicious if the second analysis determines that there exists a probability above a threshold probability that the object includes malware.
  - 3. The computerized method of claim 1, wherein the reflection operations comprise examining and modifying run-time behavior of the object without knowledge of a class associated with the object.
  - 4. The computerized method of claim 1, wherein the first analysis comprises de-obfuscating at least part of the object to produce a high-level representation of the object and analyzing the high-level representation of the object to determine whether the object is configured to issue a call to an Application Programming Interface that invokes the reflection operations.
  - 5. The computerized method of claim 4, wherein the high-level representation of the object comprises source code that is produced during decompiling of the object.
  - 6. The computerized method of claim 5, wherein the first analysis scans the source code to determine whether the source code includes an API function name for the Application Programming Interface that invokes the reflection operations.
  - 7. The computerized method of claim 1, wherein the first analysis comprises decompiling an executable that is at least part of the object to produce source code associated with the object and analyzing the source code to determine whether an Application Programming Interface (API) function name for an API that invokes the reflection operations and is accessible by the object through an API call.
  - 8. The computerized method of claim 1, wherein the first analysis comprises de-obfuscating at least a portion of content of the object and analyzing the de-obfuscated portion of the content to determine whether the de-obfuscated portion of the content of the object is configured to issue an Application Programming Interface call to an Application Programming Interface that invokes the reflection operations.
  - 9. The computerized method of claim 1, wherein the second analysis comprises (1) analyzing one or more features of the object provided as input into a probabilistic modeling analysis that produces a score value for each feature provided as input, (2) computing an aggregate of the score values for each of the one or more features to computer an aggregated score value, and (3) determining whether or not the object is malicious based on the aggregated score value.
  - 10. The computerized method of claim 1, wherein the second analysis comprisesanalyzing one or more features of the object provided as input into a machine learning analysis, the machine learning analysis includes conducting a comparison of content within a first feature of the one or more features to known malicious patterns;
    - anddetermining that the object is malicious based on a matching of at least one known malicious pattern of the known malicious patterns to the content within the first feature of the one or more features.
  - 11. The computerized method of claim 1, wherein the second analysis is conducted remotely from the network device.

12. A computerized method comprising:
- receiving, by a network device, an object for analysis;
  
  conducting, by the network device, a first analysis to determine whether, during processing of the object within a virtual machine, the object is issuing one or more function calls that invoke reflection operations; and
  
  responsive to the network device determining that the object is issuing calls that invoke reflection operations, conducting a second analysis to determine whether the object is malicious.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computerized method of claim 12, wherein the first analysis comprises detecting the one or more function calls that includes an Application Programming Interface (API) call to a reflection API.
  - 14. The computerized method of claim 13, wherein the first analysis comprises setting at least one hook at the reflection API and, in response to the API call to the reflection API, redirecting information associated with the API call for use in the second analysis.
  - 15. The computerized method of claim 13, wherein the reflection API comprises one of a getClass API and a Class.forname API.
  - 16. The computerized method of claim 12, wherein the second analysis comprises (1) analyzing one or more features of the object provided as input into a probabilistic modeling analysis that produces a score value for each feature provided as input, (2) computing an aggregate of the score values for each of the one or more features to computer an aggregated score value, and (3) determining whether or not the object is malicious based on the aggregated score value.
  - 17. The computerized method of claim 12, wherein the second analysis comprisesanalyzing one or more features of the object provided as input into a machine learning analysis, the machine learning analysis includes conducting a comparison of content within a first feature of the one or more features to known malicious patterns;
    - anddetermining that the object is malicious based on a matching of at least one known malicious pattern of the known malicious patterns to the content within the first feature of the one or more features.

18. A network device comprising:
- a communication interface configured to receive an incoming object, the communication interface includes a connector adapted for coupling to a wired communication medium;
  
  a static analysis engine communicatively coupled to the communication interface, the static analysis engine to receive the object and perform a first analysis of the object, the first analysis determines whether the object is configured to invoke reflection operations at run-time; and
  
  a classification system communicatively coupled to the static analysis engine, the classification system, in response to the static analysis engine determining that the object is configured to invoke reflection operations at run-time, conducts a second analysis by processing the object within one or more virtual machines to determine whether the object is malicious.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The network device of claim 18, wherein the object is deemed to be malicious by the classification system if the second analysis determines that there exists a probability above a threshold probability that the object includes malware.
  - 20. The network device of claim 18, wherein the static analysis engine performs the first analysis by at least decompiling at least part of the object to produce code and analyzing the code to determine whether the object is configured to issue a function call that invokes reflection operations.
  - 21. The network device of claim 20, wherein the function call comprises an API call to a reflection API that invokes the reflection operations.
  - 22. The network device of claim 18, wherein the classification system performs the second analysis by at least analyzing features of the object based on a decision-tree analysis, each of the features is assigned a score value in accordance with the decision-tree analysis and an aggregate of the score values for the features identifies whether or not the object is malicious.
  - 23. The network device of claim 18, wherein the classification system performs the second analysis by at least (1) analyzing one or more features of the object provided as input into a machine learning analysis, the machine learning analysis includes conducting a comparison of content within a first feature of the one or more features to known malicious patterns, and (2) determining that the object is malicious based on a matching of at least one known malicious pattern of the known malicious patterns to the content within the first feature of the one or more features.

24. A network device comprising:
- a communication interface configured to receive an incoming object, the communication interface includes one of (i) a connector adapted for coupling to a wired communication medium or (ii) a radio unit with one or more antennas for wireless connectivity for receiving the incoming object;
  
  a dynamic analysis engine communicatively coupled to the communication interface, the dynamic analysis engine to receive the object and perform a first analysis of the object, the first analysis determines, during processing of the object within a virtual machine, whether the object is invoking reflection operations based on one or more function calls; and
  
  a classification system communicatively coupled to the static analysis engine, the classification system, in response to the static analysis engine determining that the object invoking reflection operations, conducts a second analysis to determine whether the object is malicious.

25. A non-transitory storage medium including software that, when executed by a processor implemented with a network device, causes the network device to detect within an object under analysis is associated with a malicious attack by performing operations comprising:
- conducting at least one of (1) a first analysis to determine whether an object received for analysis is configured to invoke reflection operations at run-time and (2) a second analysis to determine, during processing of the object within a virtual machine, whether the object is issuing one or more function calls that invoke reflection operations; and
  
  responsive to the network device determining that the object is configured to invoke reflection operations at run-time, conducting a third analysis to determine whether the object is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Jain, Varun, Singh, Abhishek
Primary Examiner(s)
Moorthy, Aravind

Application Number

US14/694,796
Time in Patent Office

691 Days
Field of Search

726/23, 726/24, 713/167, 713/187, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Detecting malware based on reflection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malware based on reflection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links