Apparatus, system and method for detecting malicious code
First Claim
1. An apparatus executed on one or more hardware processors for detecting malicious code, comprising:
- a malicious code detection module loaded on said one or more hardware processors for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious, wherein the malicious code detection module checks whether a string of a file name corresponding to the code related to the thread is present in a virtual memory of the process having generated the thread, and preliminarily determines the code to be malicious when the string is present; and
a forcible malicious code termination module loaded on said one or more hardware processors for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code;
wherein when no code related to the thread is identified, the malicious code detection module traces a thread stack to obtain a list of dynamic link libraries (DLLs) being used by the thread, and examines a portable executable (PE) feature of the DLLs to preliminarily determine whether or not the DLLs are malicious.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.
105 Citations
13 Claims
-
1. An apparatus executed on one or more hardware processors for detecting malicious code, comprising:
-
a malicious code detection module loaded on said one or more hardware processors for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious, wherein the malicious code detection module checks whether a string of a file name corresponding to the code related to the thread is present in a virtual memory of the process having generated the thread, and preliminarily determines the code to be malicious when the string is present; and a forcible malicious code termination module loaded on said one or more hardware processors for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code; wherein when no code related to the thread is identified, the malicious code detection module traces a thread stack to obtain a list of dynamic link libraries (DLLs) being used by the thread, and examines a portable executable (PE) feature of the DLLs to preliminarily determine whether or not the DLLs are malicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system including one or more hardware processors for detecting malicious code, comprising:
-
a malicious code detection apparatus comprising a malicious code detection module loaded on said one or more hardware processors for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting code preliminarily determined to be malicious, wherein the malicious code detection module checks whether a string of a file name corresponding to the code related to the thread is present in a virtual memory of the process having generated the thread, and preliminarily determines the code to be malicious when the string is present; and a forcible malicious code termination module loaded on said one or more hardware processors for finally determining the code as malicious based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code; and a virtual environment malicious code behavior analysis apparatus having a tog generation module for executing the code extracted by the malicious code detection module in a virtual environment to generate a behavior log for the code, and a malicious behavior analysis module for analyzing whether the behavior of the code corresponds to one of behavior of disabling an operating system (OS) firewall or vaccine, a virtual environment recognition behavior, and behavior of generating or modifying a file or registry using the log and transferring the analysis result to the forcible malicious code termination module; wherein when no code related to the thread is identified, the malicious code detection module traces a thread stack to obtain a list of dynamic link libraries (DLLs) being used by the thread, and examines a portable executable (PE) feature of the DLLs to preliminarily determine whether or not the DLLs are malicious. - View Dependent Claims (10, 11)
-
-
12. A method of detecting malicious code, comprising:
-
extracting a list of processes running on a computer system and information on a thread subordinate to each process; identifying code related to the thread, and preliminarily determining whether or not the identified code is malicious by examining at least one of a virtual memory of the process, a portable executable (PE) feature of the code, a relationship between the code and a service process, and a thread stack, wherein the malicious code detection module checks whether a string of a file name corresponding to the code related to the thread is present in a virtual memory of the process having generated the thread, and preliminarily determines the code to be malicious when the string is present; calculating a degree of malicious threat of the code preliminarily determined to be malicious; extracting code whose calculated degree of malicious threat is a threshold value or more, and requesting a virtual environment malicious code behavior analysis apparatus to analyze the code; finally determining the code as malicious code on the basis of an analysis result received from the virtual environment malicious code behavior analysis apparatus; and forcibly terminating execution of the code finally determined to be malicious code; wherein when no code related to the thread is identified, tracing a thread stack to obtain a list of dynamic link libraries (DLLs) being used by the thread, and examining a portable executable (PE) feature of the DLLs to preliminarily determine whether or not the DLLs are malicious. - View Dependent Claims (13)
-
Specification