Preventing the successful exploitation of software application vulnerability for malicious purposes

US 9,754,105 B1
Filed: 09/24/2013
Issued: 09/05/2017
Est. Priority Date: 09/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious behavior of a protected process of a protected application, the method comprising:

storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;

detecting an API call originating from the protected process;

determining an application profile applicable to the protected application based on an application type of the protected application;

comparing the API call against a list of API calls included in the application profile corresponding to the protected application;

determining to intercept the API call based on its presence in the list of API calls included in the application profile; and

responsive to determining to intercept the API call;

capturing a memory address associated with the API call and one or more parameters associated with the API call;

applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;

applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and

responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-exploit system monitors and identifies malicious behavior related to one or more protected applications or processes. The anti-exploit system intercepts API calls associated with the protected application or process including parameters passed on to the operating system functions as well as a memory address associated with the caller to the API calls. Based on the characteristics associated with the intercepted API call a Behavioral Analysis Component determines whether the API call is malicious in nature.

Citations

17 Claims

1. A method for identifying malicious behavior of a protected process of a protected application, the method comprising:
- storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
  
  detecting an API call originating from the protected process;
  
  determining an application profile applicable to the protected application based on an application type of the protected application;
  
  comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
  
  determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
  
  responsive to determining to intercept the API call;
  
  capturing a memory address associated with the API call and one or more parameters associated with the API call;
  
  applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
  
  applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
  
  responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein applying the memory analysis further comprises:
    - determining if the memory address associated with the API call belongs to a module not designed to make the API call.
  - 3. The method of claim 1, wherein applying the memory analysis further comprises:
    - determining if the memory address associated with a caller of the API call is within a specific range of memory.
  - 4. The method of claim 1, wherein applying the element analysis further comprises:
    - determining if the parameters of the API call include a characteristic known to enable the malicious behavior of the protected application.
  - 5. The method of claim 1, wherein applying the element analysis comprises:
    - storing a reference to a new file created with a prior API call upon its creation; and
      
      identifying when the API call attempts to create a new process with the new file created with the prior API call.
  - 6. The method of claim 1, further comprising:
    - associating the protected application with an application profile; and
      
      determining to intercept the application programming interface (API) call based on its presence in a list of API calls associated with the application profile.
  - 7. The method of claim 1, further comprising:
    - determining that the protected process should be protected based on its presence in a list of applications and associated processes to be protected.

8. A non-transitory computer-readable storage medium configured to store executable computer code that when executed by a processor causes the processor to perform steps including:
- storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
  
  detecting an API call originating from the protected process;
  
  determining an application profile applicable to the protected application based on an application type of the protected application;
  
  comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
  
  determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
  
  responsive to determining to intercept the API call;
  
  capturing a memory address associated with the API call and one or more parameters associated with the API call;
  
  applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
  
  applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
  
  responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein applying the memory analysis further comprises:
    - determining if the memory address associated with the API call belongs to a module not designed to make the API call.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein applying the memory analysis further comprises:
    - determining if the memory address associated with a caller of the API call is within a specific range of memory.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein applying the element analysis comprises:
    - determining if the parameters of the API call include a characteristic known to enable the malicious behavior of the protected application.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein applying the element analysis comprises:
    - storing a reference to a new file created with a prior API call upon its creation; and
      
      identifying when the API call attempts to create a new process with the new file created with the prior API call.
  - 13. The non-transitory computer-readable storage medium of claim 8, further comprising:
    - associating the protected application with an application profile; and
      
      determining to intercept the application programming interface (API) call based on its presence in a list of API calls associated with the application profile.
  - 14. The non-transitory computer-readable storage medium of claim 8, further comprising:
    - determining that the protected process should be protected based on its presence in a list of applications and associated processes to be protected.

15. A system, comprising:
- a processor;
  
  a non-transitory computer-readable storage medium comprising instructions configured to be executed by the processor to perform a process comprising;
  
  storing a plurality of application profiles, each of the plurality of application profiles associated with a different group of related applications of a particular application type, each of the plurality of application profiles including a different list of application programming interface (API) calls;
  
  detecting an API call originating from the protected process;
  
  determining an application profile applicable to the protected application based on an application type of the protected application;
  
  comparing the API call against a list of API calls included in the application profile corresponding to the protected application;
  
  determining to intercept the API call based on its presence in the list of API calls included in the application profile; and
  
  responsive to determining to intercept the API call;
  
  capturing a memory address associated with the API call and one or more parameters associated with the API call;
  
  applying, by a computing system, a memory analysis to determine if the memory address associated with the API call lacks execute access;
  
  applying, by the computing system, an element analysis to determine if a malicious characteristic associated with the API call is present based on the one or more parameters associated with the API call; and
  
  responsive to detecting that the memory address associated with the API call lacks execute access or determining that the malicious characteristic associated with the API call is present, terminating the protected process.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein applying the element analysis comprises:
    - storing a reference to a new file created with a prior API call upon its creation; and
      
      identifying when the API call attempts to create a new process with the new file created with the prior API call.
  - 17. The system of claim 15, wherein applying the element analysis comprises:
    - determining if the parameters of the API call include a characteristic known to enable the malicious behavior of the protected application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malwarebytes Corporate Holdco Incorporated
Original Assignee
Malwarebytes Corporation
Inventors
Lpez-Chicheri, Pedro Bustamante, Lavado, David Snchez
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Giddins, Nelson

Application Number

US14/035,678
Time in Patent Office

1,442 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

Preventing the successful exploitation of software application vulnerability for malicious purposes

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing the successful exploitation of software application vulnerability for malicious purposes

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links