System and method for detecting file altering behaviors pertaining to a malicious attack
Abstract
According to one embodiment, a computerized method for detecting malware is described. The method includes receiving configuration information that identifies (i) at least one type of lure data and (ii) one or more locations of a system operating within a virtual machine for placement of the lure data into the system. The lure data is configured to entice interaction of the lure data by malware associated with an object under analysis. Thereafter, the lure data is placed within the system according to the configuration information and lure data information is selectively modified. The information may include a name or content within a directory including the lure data. During processing of an object within the virtual machine, a determination is made whether the object exhibits file altering behavior based on a comparison of actions performed that are associated with the lure data and one more known file activity patterns.
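The mechanism the abstract describes, as an added illustration that is not code from the patent or its assignee: lures are placed per a configuration, their names and content are selectively modified, and the actions recorded on them while processing an object are compared with known file-activity patterns. The file system, configuration, patterns and action trace are all constructed in memory for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed configuration: which lure type to place and where (hypothetical paths).
LURE_CONFIG = {"lure_type": "invoice", "locations": ["C:/Users/a/Documents", "C:/Users/a/Desktop"]}

# Constructed patterns of lure-file activity caused by known file-altering malware, as
# ordered operation sequences; listed most specific first so the best match wins.
KNOWN_PATTERNS = {
    "encrypt-and-rename": ["open", "read", "write", "close", "rename"],
    "encrypt-in-place": ["open", "read", "write", "close"],
    "wipe": ["open", "write", "delete"],
}

@dataclass
class LureMonitor:
    files: dict = field(default_factory=dict)  # simulated file system: path -> content
    lures: dict = field(default_factory=dict)  # lure path -> sha256 at placement time

    def place_lures(self, config, seed=b"constructed-seed"):
        """Place one lure per configured location, then selectively modify its name and
        content with a keyed token so lures are not identical between runs or locations."""
        for i, loc in enumerate(config["locations"]):
            token = hmac.new(seed, f"{i}:{loc}".encode(), hashlib.sha256).hexdigest()[:8]
            path = f"{loc}/{config['lure_type']}_{token}.docx"
            content = f"{config['lure_type']} {token}\n".encode()
            self.files[path] = content
            self.lures[path] = hashlib.sha256(content).hexdigest()
        return sorted(self.lures)

    def classify(self, actions):
        """actions: (operation, path) tuples recorded while processing the object. Returns
        {lure_path: pattern_name} for each lure whose activity contains a known pattern."""
        hits = {}
        for path in self.lures:
            ops = [op for op, p in actions if p == path]
            for name, pat in KNOWN_PATTERNS.items():
                if any(ops[j:j + len(pat)] == pat for j in range(len(ops) - len(pat) + 1)):
                    hits[path] = name
                    break
        return hits

def demo():
    mon = LureMonitor()
    desk, docs = mon.place_lures(LURE_CONFIG)
    # Constructed trace: the object reads a benign file, then rewrites and renames one lure.
    benign = "C:/Users/a/Documents/notes.txt"
    trace = [("open", benign), ("read", benign), ("open", desk), ("read", desk),
             ("write", desk), ("close", desk), ("rename", desk)]
    return mon.classify(trace)
```

Activity on non-lure paths is ignored, and a lure that is only opened and read matches no pattern, so plain enumeration of the directory does not by itself produce a detection.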
37 Claims
1. A system comprising:
one or more processors; and
a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising:
receiving configuration information that identifies at least one or more locations of a system operating within a virtual machine for placement of lure data in the system, the lure data being configured to entice interaction of the lure data by malware associated with an object under analysis,
placing the lure data within the system according to the configuration information,
subsequent to placing the lure data within the system, selectively modifying information associated with the lure data,
processing the object within the virtual machine, and
determining whether the object exhibits one or more behaviors that alter the lure data or a portion of the system based on a comparison of one or more actions performed while processing the object that are associated with the lure data and one more patterns that represent one or more changes to the system associated with the lure data caused by known malware.
(Dependent claims 2 to 16)
17. A non-transitory computer readable medium that is executed by one or more hardware processors, the medium comprising:
a virtual machine installed with a file system, a configuration file, and one or more lure files;
a first software module that, upon execution by the one or more hardware processors, selectively modifies information associated with a lure file of the one or more lure files;
a second software module that, upon execution by the one or more hardware processors, processes an object received from a network within the virtual machine; and
a third software module that, upon execution by the one or more hardware processors, determines the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.
(Dependent claims 18 to 23)
24. A computerized method, comprising:
receiving configuration information that identifies least one or more locations of a system configured at least for data storage that is operating within a virtual machine for placement of the lure data into the system, the lure data being configured to entice interaction of the lure data by malware associated with an object under analysis;
placing the lure data within the system according to the configuration information;
subsequent to placing the lure data within the system, selectively modifying information associated with the lure data;
processing the object within the virtual machine; and
determining whether the object exhibits one or more behaviors that alter (i) the lure data or (ii) a portion of the system based on a comparison of one or more actions performed while processing the object that are associated with the lure data and one more patterns that represent one or more system changes caused by known malware.
(Dependent claims 25 to 37)