MONITORING EXECUTED SCRIPT FOR ZERO-DAY ATTACK OF MALWARE

US 20170185774A1
Filed: 12/24/2015
Published: 06/29/2017
Est. Priority Date: 12/24/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:

execute script code by a script application programming interface (API);

detect, by a decoder, an event in the script code, the event comprising one of a memory call or an indirect branch call;

redirect an instruction pointer to a predetermined memory location, the predetermined memory location comprising malware monitoring code;

execute the malware monitoring code upon execution of a script application programming interface (API) redirection of the instruction pointer to the predetermined memory location;

identify, in a heap memory, script code loaded into the heap memory; and

evaluate, by the malware monitor, the script code in the heap memory for malicious code prior to execution of the script code.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to hooking a call for a malware monitoring logic into a JavaScript API engine interpreter. Upon JavaScript being placed into heap memory, the malware monitoring logic can initiate an evaluation or analysis of the heap spray to determine whether the JavaScript includes malware or other malicious agents prior to execution of the JavaScript shell code. Upon execution of the JavaScript within the sandbox, the malware monitoring logic can initiate monitoring of the JavaScript using malware analysis and/or execution profiling techniques. Inferences can be made of the presence of malware based on a start and end time of the JavaScript execution.

13 Citations

24 Claims

1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:
- execute script code by a script application programming interface (API);
  
  detect, by a decoder, an event in the script code, the event comprising one of a memory call or an indirect branch call;
  
  redirect an instruction pointer to a predetermined memory location, the predetermined memory location comprising malware monitoring code;
  
  execute the malware monitoring code upon execution of a script application programming interface (API) redirection of the instruction pointer to the predetermined memory location;
  
  identify, in a heap memory, script code loaded into the heap memory; and
  
  evaluate, by the malware monitor, the script code in the heap memory for malicious code prior to execution of the script code.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1, wherein the instructions are further operable to:
    - determine, by the malware monitor, the presence or absence of malware based on execution of the script code.
  - 3. The computer program product of claim 2, wherein the instructions are further operable to determine the presence or absence of malware based on execution profiling.
  - 4. The computer program product of claim 1, wherein the instructions are further operable to:
    - determine that one or more application versions are compatible with the script code; and
      
      execute the script code in a sandbox based on the determination that one or more application versions are compatible with the script code.
  - 5. The computer program product of claim 1, wherein the instructions are further operable to:
    - identify a start of an execution of the script code in a sandbox;
      
      identify an end of the execution of the script code in the sandbox; and
      
      determine that the script code contains malicious code based on a time difference from the start of the execution to the end of the execution of the script code.
  - 6. The computer program product of claim 1, wherein the instructions are further operable when executed to hook into the script API to implant code into the script API that calls the malware monitor upon execution of the script API.
  - 7. The computer program product of claim 1, wherein the instructions are further operable when executed to:
    - receive an indication from a processor of an indirect branch call; and
      
      evaluate the indirect branch call for malware.

8. A computer implemented method comprising:
- identifying one or more commands that when called trigger a instruction pointer redirection to a predetermined memory address;
  
  identifying the memory address to be redirected to if the one or more commands are called, the memory address comprising malware monitoring code;
  
  executing script code by a script application programming interface (API);
  
  detecting, by a decoder, an event in the script code, the event comprising one of a memory call or an indirect branch call;
  
  redirecting an instruction pointer to a predetermined memory location, the predetermined memory location comprising malware monitoring code;
  
  execute the malware monitoring code upon execution of a script application programming interface (API) redirection of the instruction pointer to the predetermined memory location;
  
  identifying, by the malware monitor, script code in a heap memory, the script code loaded into the heap memory by the script API; and
  
  evaluating, by the malware monitor, the script code in the heap memory for malicious code prior to execution of the script code.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The computer implemented method of claim 8, further comprising:
    - monitoring, by the malware monitor, execution of script code in a sandbox; and
      
      determining, by the malware monitor, the presence or absence of malware based on execution of the script code.
  - 10. The computer implemented method of claim 8, wherein the malware monitor comprises an execution profiler implemented at least partially in hardware, the method further comprising determining, by the execution profiler, the presence or absence of malware.
  - 11. The computer implemented method of claim 10, wherein determining the presence or absence of malware comprises executing one or more branches of the script code;
    - and determining whether the script contains malware based on the results of executing each of the one or more branches of the script.
  - 12. The computer implemented method of claim 8, further comprising:
    - determining, by an interpreter implemented at least partially in hardware, that one or more application versions are compatible with the script code; and
      
      executing, by the malware monitor, the script code in a sandbox based on the determination that one or more application versions are compatible with the script code.
  - 13. The computer implemented method of claim 8, further comprisingidentifying, by the malware monitor, a start of an execution of the script code in a sandbox;
    - identifying, by the malware monitor, an end of the execution of the script code in the sandbox; and
      
      determining, by the malware monitor, that the script code contains malicious code based on a time difference from the start of the execution to the end of the execution of the script code.
  - 14. The computer implemented method of claim 8 further comprising hooking, by a hooking module, into the script API to call the malware monitor at a start of an execution and an end of the execution of the script code.
  - 15. The computer implemented method of claim 8, further comprising hooking into the script API to implant code into the script API that calls the malware monitor upon execution of the script API.
  - 16. The computer implemented method of claim 15, wherein execution profiling comprises executing one or more indirect branches of the script code;
    - evaluating a result from the one or more branches, and determining the presence or absence of malware based on the result from each of the one or more branch executions.

17. A computing system for zero-day malware detection comprising:
- a script application programming interface (API) module implemented at least partially in hardware to load a script code into heap memory for execution;
  
  a decoder to identify one or more commands comprising one of a memory call or indirect branch and redirect an execution pointer to point to a predetermined memory location, the predetermined memory location pre-loaded with malware monitoring logic;
  
  a heap memory to dynamically store the script code;
  
  a malware monitoring logic preloaded into a predetermined memory location to identify the script code in the heap memory and evaluate the script code for malware prior to execution of the script code.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computing system of claim 17, wherein the script API module is configured to:
    - identify embedded script code in a document;
      
      call the malware monitor logic upon identifying the script code; and
      
      store the script code in the heap memory.
  - 19. The computing system of claim 18, wherein the script API module is configured to determine that one or more applications with compatible versions for the execution of the script code are present and execute the script code based on the determination.
  - 20. The computing system of any of claim 17, wherein the malware monitor logic is configured to monitor execution of the script code in a sandbox;
    - anddetermine the presence or absence of malware based on the execution of the script code.
  - 21. The computing system of any of claim 17, wherein the malware monitor logic is configured to determine the presence of absence or malware based on execution profiling of the script code.
  - 22. The computing system of claim 21, wherein execution profiling comprises executing one or more indirect branches of the script code;
    - evaluating a result from the one or more branches, and determining the presence or absence of malware based on the result from each of the one or more branch executions.
  - 23. The computing system of claim 17, further comprising a sandbox to:
    - identify an execution start time of the script code;
      
      identify an execution end time of the script code;
      
      determine a time period between the start time and the end time of the script code; and
      
      determine, based on the time period, that the script code contains malware.
  - 24. The computing system of claim 17, further comprising a hooking logic to hook into an interpreter module to implant code to call a sandbox upon execution of the script code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Li, Xiaoning, Sahita, Ravi, Lu, Lixin, Deng, Lu, Shepsen, Alexander, Xu, Xiang, Huang, Liangjun, Liu, Hua, Huang, Kai

Granted Patent

US 9,898,605 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

MONITORING EXECUTED SCRIPT FOR ZERO-DAY ATTACK OF MALWARE

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING EXECUTED SCRIPT FOR ZERO-DAY ATTACK OF MALWARE

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links