APPARATUS, SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE

US 20110271343A1
Filed: 01/05/2011
Published: 11/03/2011
Est. Priority Date: 04/28/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting malicious code, comprising:

a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and

a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.

57 Citations

View as Search Results

15 Claims

1. An apparatus for detecting malicious code, comprising:
- a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and
  
  a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the code related to the thread is an execution file or a dynamic link library (DLL).
  - 3. The apparatus of claim 1, wherein the malicious code detection module preliminarily determines whether or not the identified code is malicious by checking at least one of a virtual memory of the process, a portable executable (PE) feature of the identified code, a service attribute of the identified code, and a thread stack.
  - 4. The apparatus of claim 1, wherein the malicious code detection module extracts a list of processes running on the computer system and information on threads generated by the respective processes to extract the thread information.
  - 5. The apparatus of claim 1, wherein the malicious code detection module checks whether a string of a file name corresponding to the code related to the thread is present in a virtual memory of the process having generated the thread, and preliminarily determines the code to be malicious when the string is present.
  - 6. The apparatus of claim 1, wherein the malicious code detection module examines a portable executable (PE) feature of the identified code, and preliminarily determines the code to be malicious when an unknown section is present.
  - 7. The apparatus of claim 1, wherein the malicious code detection module examines a portable executable (PE) feature of the identified code, and preliminarily determines the code to be malicious when a checksum is not correct, or a file size in the PE feature is different from a file size shown in an explorer.
  - 8. The apparatus of claim 1, wherein the malicious code detection module examines an attribute of a service performed by the identified code, and preliminarily determines the code to be malicious when the service has neither a relationship with nor dependency on another service, or automatic start is set for the service.
  - 9. The apparatus of claim 1, wherein when no code related to the thread is identified, the malicious code detection module traces a thread stack to obtain a list of dynamic link libraries (DLLs) being used by the thread, and examines a portable executable (PE) feature of the DLLs to preliminarily determine whether or not the DLLs are malicious.
  - 10. The apparatus of claim 1, wherein when the analysis result of behavior corresponds to one of behavior of disabling an operating system (OS) firewall or vaccine, a virtual environment recognition behavior, and behavior of generating or modifying a file or registry, the forcible malicious code termination module finally determines the code as malicious code.

11. A system for detecting malicious code, comprising:
- a malicious code detection apparatus having a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and
  
  a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code; and
  
  a virtual environment malicious code behavior analysis apparatus having a log generation module for executing the code extracted by the malicious code detection module in a virtual environment to generate a behavior log of the code, and a malicious behavior analysis module for analyzing whether the behavior of the code corresponds to one of behavior of disabling an operating system (OS) firewall or vaccine, a virtual environment recognition behavior, and behavior of generating or modifying a file or registry using the log and transferring the analysis result to the forcible malicious code termination module.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein the malicious code detection apparatus operates in a client, andthe virtual environment malicious code behavior analysis apparatus operates in a server.
  - 13. The system of claim 12, wherein the malicious code detection module requests the virtual environment malicious code behavior analysis apparatus to analyze behavior of the extracted code in the virtual environment.

14. A method of detecting malicious code, comprising:
- extracting a list of processes running on a computer system and information on a thread subordinate to each process;
  
  identifying code related to the thread, and preliminarily determining whether or not the identified code is malicious by examining at least one of a virtual memory of the process, a portable executable (PE) feature of the code, a relationship between the code and a service process, and a thread stack;
  
  calculating a degree of malicious threat of the code preliminarily determined to be malicious;
  
  extracting code whose calculated degree of malicious threat is a threshold value or more, and requesting a virtual environment malicious code behavior analysis apparatus to analyze the code;
  
  finally determining the code as malicious code on the basis of an analysis result received from the virtual environment malicious code behavior analysis apparatus; and
  
  forcibly terminating execution of the code finally determined to be malicious code.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein finally determining the code as malicious code includes finally determining the code as malicious code when the analysis result of the virtual environment malicious code behavior analysis apparatus corresponds to one of behavior of disabling an operating system (OS) firewall or vaccine, a virtual environment recognition behavior, and behavior of generating or modifying a file or registry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Kim, Dong Soo, Yun, Young Tae, Chung, Yoon Jung, Han, Yu Jung, Lee, Cheol Won, Sohn, Ki Wook, Kim, Won Ho, Noh, Sang Kyun, Kim, Yo Sik

Granted Patent

US 8,955,124 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

APPARATUS, SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS, SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links