Advanced Persistent Threat and Targeted Malware Defense

US 20170243000A1
Filed: 03/21/2016
Published: 08/24/2017
Est. Priority Date: 03/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a computer system, data from one or more data feeds;

obtaining, with the computer system, a binary object based on the data;

loading, with the computer system, the binary object onto a sandboxed system;

executing the binary object with the sandbox system;

analyzing, with the computer system, operation of the sandboxed system to determine whether the binary object includes a malware payload; and

based on a determination that the binary object includes a malware payload, generating, with the computer system, a report indicating that the binary object includes a malware payload.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Novel tools and techniques are implemented for providing computer security. In various embodiments, a computer system might receive data from one or more data feeds, might obtain a binary object based on the data, might load the binary object onto a sandboxed system, and might execute the binary object with the sandbox system. The computer system might analyze operation of the sandboxed system to determine whether the binary object includes a malware payload, and might, based on a determination that the binary object includes a malware payload, generate a report indicating that the binary object includes a malware payload.

Citations

73 Claims

1. A method, comprising:
- receiving, at a computer system, data from one or more data feeds;
  
  obtaining, with the computer system, a binary object based on the data;
  
  loading, with the computer system, the binary object onto a sandboxed system;
  
  executing the binary object with the sandbox system;
  
  analyzing, with the computer system, operation of the sandboxed system to determine whether the binary object includes a malware payload; and
  
  based on a determination that the binary object includes a malware payload, generating, with the computer system, a report indicating that the binary object includes a malware payload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 2. The method of claim 1, wherein the sandboxed system is not a virtual machine.
  - 3. The method of claim 1, wherein the sandboxed system is a bare metal computer.
  - 4. The method of claim 1, wherein the sandboxed system employs a kernel-mode driver to monitor the sandbox system for suspicious events.
  - 5. The method of claim 4, wherein the kernel-mode driver is obfuscated.
  - 6. The method of claim 4, wherein at least one of the sandboxed system or the kernel-mode driver streams monitored data in real time.
  - 7. The method of claim 6, wherein the kernel-mode driver analyzes, in real time, the monitored data being streamed, to identify suspicious behavior.
  - 8. The method of claim 4, wherein the kernel-mode driver is dynamically loaded at startup to prevent evidence of a driver running at boot time.
  - 9. The method of claim 8, wherein the kernel-mode driver creates a system thread then immediately exits execution.
  - 10. The method of claim 9, wherein the system thread deletes the kernel-mode driver from a file system to remove evidence of the kernel-mode driver.
  - 11. The method of claim 9, wherein the system thread monitors the sandboxed system to detect malware activity.
  - 12. The method of claim 1, wherein the sandboxed system comprises a direct hardware interface with a motherboard of the sandboxed system, and wherein analyzing operation of the sandboxed system comprises analyzing output of the hardware interface.
  - 13. The method of claim 12, wherein the hardware interface is built into the motherboard of the sandboxed system.
  - 14. The method of claim 12, wherein the direct hardware interface is a manufacturer'"'"'s debugger interface.
  - 15. The method of claim 12, wherein the hardware interface is invisible to an operating system of the sandboxed system.
  - 16. The method of claim 12, wherein the malware payload is a boot sector infector or a firmware-based rootkit, and wherein the method comprises detecting the malware payload though the hardware interface.
  - 17. The method of claim 12, wherein analyzing operation of the sandboxed system comprises employing hardware breakpoints to pause operation of the sandboxed system.
  - 18. The method of claim 12, wherein analyzing operation of the sandboxed system further comprises tracing an execution path of a processor of the sandboxed system.
  - 19. The method of claim 12, wherein analyzing operation of the sandboxed system comprises:
    - performing a first checksum of a firmware component of the sandboxed system before execution of the binary object;
      
      performing a second checksum of the firmware component during or after execution of the binary object; and
      
      comparing the first checksum with the second checksum to determine whether the firmware component has been modified.
  - 20. The method of claim 19, wherein the firmware component is a BIOS.
  - 21. The method of claim 12, wherein analyzing operation of the sandboxed system comprises pausing an operation associated with firmware reflashing.
  - 22. The method of claim 12, wherein the sandboxed system comprises a custom firmware device that records all information written to or read from the firmware device during analysis of the operation of the sandboxed system.
  - 23. The method of claim 1, wherein the sandboxed system comprises a simulated hard drive that is indistinguishable by an operating system of the sandboxed system from a physical hard drive.
  - 24. The method of claim 23, wherein the simulated hard drive comprises a hard drive controller and a network controller in communication with the hard drive controller.
  - 25. The method of claim 24, wherein the hard drive controller causes the network controller to perform network input/output in response to receiving disk input/output commands from the operating system of the sandboxed system.
  - 26. The method of claim 23, wherein the simulated hard drive is built into or attached to the motherboard of the sandboxed system.
  - 27. The method of claim 1, further comprising:
    - managing a boot environment for a plurality of sandboxed systems, the plurality of sandboxed systems comprising the sandboxed system.
  - 28. The method of claim 27, wherein the boot environment includes a networked drive mountable by a network block device protocol, and wherein the sandboxed system does not include a physical hard drive.
  - 29. The method of claim 28, wherein the network block device protocol is iSCSI.
  - 30. The method of claim 28, wherein the networked drive employs a volume manager.
  - 31. The method of claim 30, wherein the volume manager is ZFS.
  - 32. The method of claim 30, wherein managing the boot environment comprises:
    - automatically resetting an operating system image to a default state in the volume manager; and
      
      booting the sandboxed system from the networked drive using the default state of the operating system image.
  - 33. The method of claim 32, wherein the binary object is included in the default state of the operating system image.
  - 34. The method of claim 27, wherein managing the boot environment comprises selecting from among a plurality of operating system images, each of the plurality of operating system images configured to test a different potential malware scenario.
  - 35. The method of claim 27, wherein managing the boot environment comprises restoring an image of an already booted instance of an operating system directly into RAM on the sandboxed system.
  - 36. The method of claim 35, wherein the sandboxed system comprises a modified memory controller that reserves a portion of the installed RAM to store the image of the already booted instance of the operating system, and wherein the stored instance is not detectable by an operating system executing on the sandboxed system.
  - 37. The method of claim 1, further comprising providing, with a Human Interface Device (HID) emulator physically connected with the sandboxed system, automated input that cannot be distinguished, by the executing binary object, from human input.
  - 38. The method of claim 37, wherein the HID emulator is built into or attached to the motherboard of the sandboxed system.
  - 39. The method of claim 1, wherein analyzing operation of the sandboxed system comprises capturing, at a gateway, incoming and/or outgoing communications of the sandboxed system and analyzing, with a computer, the incoming and/or outgoing communications.
  - 40. The method of claim 39, wherein analyzing the outgoing communications comprises identifying a destination for outgoing communications and/or a source of incoming communications.
  - 41. The method of claim 39, wherein analyzing the incoming and/or outgoing communication comprises decrypting at least a portion of the incoming and/or outgoing communication.
  - 42. The method of claim 41, wherein decrypting at least a portion of the incoming and/or outgoing communication comprises performing a man-in-the-middle (MitM) attack on a destination for the outgoing communication.
  - 43. The method of claim 39, wherein analyzing the outgoing communications comprises identifying one or more credentials used to connect to a command-and-control channel for the malware payload.
  - 44. The method of claim 1, wherein analyzing operation of the sandboxed system comprises tracking behavior of the binary object.
  - 45. The method of claim 44, wherein analyzing operation of the sandboxed system comprises documenting the behavior of the binary object.
  - 46. The method of claim 44, wherein analyzing operation of the sandboxed system comprises comparing the behavior of the binary object with one or more malware signatures.
  - 47. The method of claim 44, wherein analyzing operation of the sandboxed system comprises analyzing the behavior of the binary object against one or more heuristics.
  - 48. The method of claim 1, further comprising:
    - creating a malware identification based on a determination that the binary object includes a malware payload.
  - 49. The method of claim 48, further comprising:
    - distributing the malware identification to a plurality of networking devices to immunize the plurality of networking devices against the malware payload.
  - 50. The method of claim 1, wherein the one or more data feeds comprises email collected from a honey pot.
  - 51. The method of claim 1, wherein the one or more data feeds comprises URLs collected from web browsing operations.
  - 52. The method of claim 51, wherein analysis of the operation of the sandboxed system comprises identifying drive-by malware associated with one or more of the URLs.
  - 53. The method of claim 1, wherein the one or more data feeds comprises data collected from one or more sensors in a customer network.
  - 54. The method of claim 53, wherein the one or more sensors comprises a sensor in communication with or integrated with a mail server in the customer network.
  - 55. The method of claim 53, wherein the one or more sensors comprises a sensor in communication with or integrated with a web proxy in the customer network.
  - 56. The method of claim 53, wherein the one or more sensors comprises a sensor in communication with or integrated with one or more network or system log aggregators.
  - 57. The method of claim 53, wherein the one or more sensors comprises a sensor in communication with or integrated with a System Information and Event Manager (SIEM) in the customer network.
  - 58. The method of claim 53, wherein the one or more sensors comprises a sensor in communication with or integrated with an antivirus agent on a client computer in the customer network.
  - 59. The method of claim 1, further comprising searching for vulnerabilities in hardware or an operating system of the sandboxed system using a hardware debugger interface by feeding streams of random or malformed data to the sandboxed system.
  - 60. The method of claim 1, wherein the binary object is an executable file.
  - 61. The method of claim 1, wherein the binary object is a media file.
  - 62. The method of claim 1, wherein the binary object is a file created by a desktop office application.
  - 63. The method of claim 1, wherein the binary object is a web browser visiting a suspicious URL.
  - 64. The method of claim 1, wherein the binary object is a compressed file.
  - 65. The method of claim 1, wherein the binary object is a PDF file.

66. A system, comprising:
- a plurality of sandboxed computers, each comprising a main system board;
  
  a management computer in communication with the plurality of sandboxed computers, the management computer comprising;
  
  one or more processors; and
  
  a computer readable medium in communication with the one or more processors, the computer readable medium having encoded thereon a set of instructions executable by the computer system to perform one or more operations, the set of instructions comprising;
  
  instructions for downloading a binary object on to each of one or more of the plurality of sandboxed computers, such that each of the one or more of the plurality of sandboxed computers executes or opens the binary object;
  
  instructions for analyzing, with the computer system, operation of the sandboxed system to determine whether the binary object includes a malware payload; and
  
  instructions for, based on a determination that the binary object includes a malware payload, generating, with the computer system, a report indicating that the binary object includes a malware payload.
- View Dependent Claims (67)
- - 67. The system of claim 66, further comprising one or more sensors installed in one or more customer networks, the one or more sensors configured to provide data feeds to the management computer, wherein the binary object is obtained from one of the data feeds.

68. A method, comprising:
- collecting, with a computer, biographical information about a person, the biographical information comprising one or more social media handles;
  
  automatically accessing one or more social networks using the social media handles to identify unusual activity;
  
  automatically searching the Internet using the biographical information;
  
  correlating the unusual activity with results of searching the Internet; and
  
  displaying, on a dashboard, indications of unusual activity on the one or more social networks and correlated results of searching the Internet.

69. A device for secure web browsing, the device comprising:
- a first set of ports for connections to a set of peripherals;
  
  a second set of ports for connections with a computer;
  
  a processor in communication with the first and second sets of ports;
  
  a network interface in communication with the processor;
  
  a switch in communication with the processor; and
  
  a write-protected computer-readable medium having instructions encoded thereon, the instructions being executable by the processor to;
  
  provide, in a first configuration, a pass-through connection between the first set of ports and the second set of ports, such that the set of peripherals can communicate with the computer for normal operation of the computer;
  
  provide, in a second configuration, a secure browsing environment, in which the peripherals communicate with the processor to perform secure web browsing activities using the network interface, without any communication with the computer; and
  
  change from the first configuration to the second configuration when the switch is manipulated.
- View Dependent Claims (70, 71, 72, 73)
- - 70. The device of claim 69, further comprising the peripherals in an all-in-one system.
  - 71. The device of claim 69, wherein the device is configured to connect with a hard-coded IP address that routes all communications from the device over a specified virtual private network.
  - 72. The device of claim 71, wherein the virtual private network is associated with a curated Domain Name System (DNS) server.
  - 73. The device of claim 71, wherein the virtual private network allows connections only with a set of white-listed IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Binary Guard Corporation
Original Assignee
Binary Guard Corporation
Inventors
Shraim, Ihab, Chen, Allen E., Datskovskiy, Stanislav, Hannes, Jordan R., Hiquisi, Daniel M., Reese, III, Ray R.

Granted Patent

US 10,339,300 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 9/00   Cryptographic mechanisms or...

Advanced Persistent Threat and Targeted Malware Defense

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

73 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced Persistent Threat and Targeted Malware Defense

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

73 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links