System and method for detecting file altering behaviors pertaining to a malicious attack

US 9,846,776 B1
Filed: 10/31/2016
Issued: 12/19/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;

receiving configuration information that identifies at least one or more locations of a system operating within a virtual machine for placement of lure data in the system, the lure data being configured to entice interaction of the lure data by malware associated with an object under analysis,placing the lure data within the system according to the configuration information,subsequent to placing the lure data within the system, selectively modifying information associated with the lure data,processing the object within the virtual machine, anddetermining whether the object exhibits one or more behaviors that alter the lure data or a portion of the system based on a comparison of one or more actions performed while processing the object that are associated with the lure data and one more patterns that represent one or more changes to the system associated with the lure data caused by known malware.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method for detecting malware is described. The method includes receiving configuration information that identifies (i) at least one type of lure data and (ii) one or more locations of a system operating within a virtual machine for placement of the lure data into the system. The lure data is configured to entice interaction of the lure data by malware associated with an object under analysis. Thereafter, the lure data is placed within the system according to the configuration information and lure data information is selectively modified. The information may include a name or content within a directory including the lure data. During processing of an object within the virtual machine, a determination is made whether the object exhibits file altering behavior based on a comparison of actions performed that are associated with the lure data and one more known file activity patterns.

Citations

37 Claims

1. A system comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;
  
  receiving configuration information that identifies at least one or more locations of a system operating within a virtual machine for placement of lure data in the system, the lure data being configured to entice interaction of the lure data by malware associated with an object under analysis,placing the lure data within the system according to the configuration information,subsequent to placing the lure data within the system, selectively modifying information associated with the lure data,processing the object within the virtual machine, anddetermining whether the object exhibits one or more behaviors that alter the lure data or a portion of the system based on a comparison of one or more actions performed while processing the object that are associated with the lure data and one more patterns that represent one or more changes to the system associated with the lure data caused by known malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein the placing of the lure data within the system comprises generating one or more lure files according to the configuration information and placing a lure file of the one or more lure files into the one or more locations of a file system being the system configured at least for data storage.
  - 3. The system of claim 2, wherein the selectively modifying the information associated with the lure data comprises modifying a name of the lure file.
  - 4. The system of claim 2, wherein the selectively modifying the information associated with the lure data comprises modifying content of (i) a directory within the file system, (ii) the content includes a sub-directory, (iii) a folder, or (iv) a file located within the directory.
  - 5. The system of claim 2, wherein the logic further performs the operations including analyzing the configuration information including a lure configuration file and determining (i) a number of lure files to be generated, (ii) a type of each lure file of the one or more lure files, (iii) characteristics of each lure file of the one or more lure files, and (iv) a location in the file system for each of the one or more lure files.
  - 6. The system of claim 2 further comprising:
    - prior to processing the object received from a network, capturing a snapshot of a state of the file system including the lure data having the selectively modified information.
  - 7. The system of claim 6, wherein determining whether the object exhibits file altering behavior includes a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing the object.
  - 8. The system of claim 1, wherein the configuration information is part of a lure configuration file that includes configuration information associated with one or more lure files being part of the lure data and information associated with placement of the one or more lure files in the system operating as a file system.
  - 9. The system of claim 1, wherein the selectively modifying of the information associated with the lure data comprises adding one or more characters to a name assigned to the lure data.
  - 10. The system of claim 9, wherein the name of the lure data is modified into a pseudo-random name.
  - 11. The system of claim 1, wherein the logic, prior to placing the lure data within the system, performs an operation of configuring the system to replicate a file system of a particular endpoint device.
  - 12. The system of claim 1, wherein the system corresponds to one of a disk file systems, an optical disk file system, a flash file system, or a database file system.
  - 13. The system of claim 1, wherein the lure data includes a lure file with one or more security measures being utilized to appear that contents of the lure file are being protected, the one or more security measures include encryption or password protection.
  - 14. The system of claim 1, wherein the configuration information further includes at least one attribute of the lure data.
  - 15. The system of claim 14, wherein the selectively modifying the information associated with the lure data comprises modifying an attribute of the at least one attribute of the lure data.
  - 16. The system of claim 14, wherein the lure data is a lure file and the at least one attribute includes a name of the lure file.

17. A non-transitory computer readable medium that is executed by one or more hardware processors, the medium comprising:
- a virtual machine installed with a file system, a configuration file, and one or more lure files;
  
  a first software module that, upon execution by the one or more hardware processors, selectively modifies information associated with a lure file of the one or more lure files;
  
  a second software module that, upon execution by the one or more hardware processors, processes an object received from a network within the virtual machine; and
  
  a third software module that, upon execution by the one or more hardware processors, determines the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory computer readable medium of claim 17, wherein the first software module to selectively modify the information associated with the lure file by at least modifying a name of the lure file.
  - 19. The non-transitory computer readable medium of claim 17, wherein the first software module to selectively modify the information associated with the lure file by at least modifying content of a directory within the file system, the content includes one of a sub-directory, a folder or a file located within the directory.
  - 20. The non-transitory computer readable medium of claim 17, wherein the configuration file being used by the one or more hardware processors to determine (i) a number of lure files to be generated, and (ii) a location in the file system for each of the one or more lure files.
  - 21. The non-transitory computer readable medium of claim 20, wherein the configuration file being further used by the one or more hardware processors to determine (iii) a type of each lure file of the one or more lure files, and (iv) characteristics of each lure file of the one or more lure files.
  - 22. The non-transitory computer readable medium of claim 17 further comprising:
    - a snapshot of a state of the file system including the lure file having the selectively modified information.
  - 23. The non-transitory computer readable medium of claim 22, wherein the third software module, upon execution by the one or more hardware processors, determines the object includes file altering malware upon a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing of the object.

24. A computerized method, comprising:
- receiving configuration information that identifies least one or more locations of a system configured at least for data storage that is operating within a virtual machine for placement of the lure data into the system, the lure data being configured to entice interaction of the lure data by malware associated with an object under analysis;
  
  placing the lure data within the system according to the configuration information;
  
  subsequent to placing the lure data within the system, selectively modifying information associated with the lure data;
  
  processing the object within the virtual machine; and
  
  determining whether the object exhibits one or more behaviors that alter (i) the lure data or (ii) a portion of the system based on a comparison of one or more actions performed while processing the object that are associated with the lure data and one more patterns that represent one or more system changes caused by known malware.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 25. The computerized method of claim 24, wherein the placing of the lure data within the system comprises generating one or more lure files according to the configuration information and placing a lure file of the one or more lure files into the one or more locations of the system operating as a file system.
  - 26. The computerized method of claim 25, wherein the selectively modifying of the information associated with the lure data comprises modifying a name of the lure file.
  - 27. The computerized method of claim 25, wherein the selectively modifying of the information associated with the lure data comprises modifying content of a directory within the file system, the content includes a sub-directory, a folder or a file located within the directory.
  - 28. The computerized method of claim 25, further comprising analyzing the configuration information including a lure configuration file and determining (i) a number of lure files to be generated, (ii) a type of each lure file of the one or more lure files, (iii) characteristics of each lure file of the one or more lure files, and (iv) a location in the file system for each of the one or more lure files.
  - 29. The computerized method of claim 25 further comprising:
    - prior to processing the object received over a network, capturing a snapshot of a state of the file system including the lure data having the selectively modified information.
  - 30. The computerized method of claim 29, wherein the determining whether the object exhibits file altering behavior includes a comparison of the state of the file system captured in the snapshot and a state of the file system after beginning processing the object.
  - 31. The computerized method of claim 25, wherein the selectively modifying of the information associated with the lure data comprises adding one or more characters to a name assigned to the lure data.
  - 32. The computerized method of claim 31, wherein the name of the lure data is modified into a pseudo-random name.
  - 33. The computerized method of claim 24, wherein the logic, prior to placing the lure data within the system, performs an operation of configuring the system to replicate a file system of a particular endpoint device.
  - 34. The computerized method of claim 24, wherein the lure data includes a lure file, the system includes a file system, and the system changes includes changes to the lure file that is associated with the file system.
  - 35. The computerized method of claim 24, wherein the configuration information further includes at least one attribute of the lure data.
  - 36. The computerized method of claim 35, wherein the selectively modifying the information associated with the lure data comprises modifying an attribute of the at least one attribute of the lure data.
  - 37. The computerized method of claim 35, wherein the lure data is a lure file and the at least one attribute includes a name of the lure file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vashist, Sai, Yang, Raymond, Khalid, Yasir
Primary Examiner(s)
Le, Chau

Application Number

US15/339,459
Time in Patent Office

414 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/128   Details of file system snap...

G06F 16/166   File name conversion

G06F 16/1734   Details of monitoring file ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/031   Protect user input by softw...

System and method for detecting file altering behaviors pertaining to a malicious attack

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting file altering behaviors pertaining to a malicious attack

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links