Malware protection

US 9,858,416 B2
Filed: 09/13/2016
Issued: 01/02/2018
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware in a computer system, the method comprising:

determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;

executing the executable file in an emulated environment;

monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and

determining that the executable file is malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file while providing indications to the executable file that it is being executed within an emulated computer system.

Citations

13 Claims

1. A method of detecting malware in a computer system, the method comprising:
- determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
  
  executing the executable file in an emulated environment;
  
  monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
  
  determining that the executable file is malware.
- View Dependent Claims (2, 3, 4)
- - 2. A method as claimed in claim 1, wherein the step of determining that an executable file should be identified as not being legitimate is performed at the computer system.
  - 3. A method as claimed in claim 1, wherein the step of determining that an executable file should be identified as not being legitimate comprises:
    - determining if an identifier for the executable file is contained in a database identifying legitimate executable files and, if not, identifying the executable file as not legitimate;
      
      determining if an identifier for the executable file is contained in a database identifying prohibited executable files and, if so, identifying the executable file as not legitimate; and
      
      determining if an identifier for the executable file is contained in a database relating to executable files, the database including a value indicating the legitimacy of each executable file and, if so, determining if the value associated with the executable file does not exceed a threshold at which an executable file is considered to be legitimate.
  - 4. A method as claimed in claim 1, further comprising monitoring whether the executable file attempts to connect to a remote location while being executed in the emulated environment, and if so, determining that the electronic file is malware.

5. A non-transitory computer storage medium having stored thereon a computer program comprising computer program code means that performs:
- determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
  
  executing the executable file in an emulated environment;
  
  monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
  
  determining that the executable file is malware.

6. A computer system comprising:
- at least one processor; and
  
  at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the computer system to perform;
  
  determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files,executing the executable file in an emulated computer system,monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, anddetermining that the executable file is malware.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. A computer system as claimed in claim 6, wherein the processor is further configured to generate a message for sending to a server, the message including the executable file or an identifier for the executable file, and to process a response received from the server to determine if it indicates that the file should be identified as not being legitimate.
  - 8. A computer system as claimed in claim 6, wherein the memory is further configured to store a database identifying legitimate executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying legitimate executable files.
  - 9. A computer system as claimed in claim 6, wherein the memory is further configured to store a database identifying prohibited executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying prohibited executable files.
  - 10. A computer system as claimed in claim 6, wherein the memory is further configured to store a database of information relating to executable files, the database including a value indicating the legitimacy of each executable file, and the processor is further configured to determine if an identifier for the executable file is contained in the database.
  - 11. A computer system as claimed in claim 10, wherein the processor is further configured to, if an identifier for the executable file is contained in the database of executable files, determine if the value associated with the executable file exceeds a threshold at which an executable file is considered to be legitimate.
  - 12. A computer system as claimed in claim 6, wherein the processor is further configured to monitor whether the executable file attempts to connect to a remote location while being executed in the emulated environment, and if so, determine that the executable file is malware.

13. An apparatus for detecting potential malware, the apparatus comprising:
- at least one processor; and
  
  at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the apparatus to perform;
  
  determining that the executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files,executing the executable file in an emulated computer system,monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, anddetermining that the executable file is malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Withsecure Corporation
Original Assignee
F-Secure Oyj
Inventors
Niemel, Jarno, Hyppnen, Mikko, Kangas, Santeri
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/263,461
Publication Number

US 20160378985A1
Time in Patent Office

476 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/629   to features or functions of...

Malware protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Malware protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links