Detection of spyware threats within virtual machine

US 9,043,913 B2
Filed: 06/04/2012
Issued: 05/26/2015
Est. Priority Date: 01/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the method comprising:

producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware on the computing device of a user;

automatically loading the content from the potential source of content within the virtual machine environment;

determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, andin the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;

wherein the predefined triggers comprise at least one ofdetermining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;

determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;

determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;

determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and

determining that the browser process or an operating system process has crashed or has stopped responding;

in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, transferring the content to a user environment other than the virtual machine; and

in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being loaded to the user environment other than the virtual machine;

wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a client-side spyproxy module of the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim'"'"'s computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.

Citations

20 Claims

1. A method for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the method comprising:
- producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware on the computing device of a user;
  
  automatically loading the content from the potential source of content within the virtual machine environment;
  
  determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, andin the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
  
  wherein the predefined triggers comprise at least one ofdetermining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
  
  determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
  
  determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
  
  determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
  
  determining that the browser process or an operating system process has crashed or has stopped responding;
  
  in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, transferring the content to a user environment other than the virtual machine; and
  
  in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being loaded to the user environment other than the virtual machine;
  
  wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a client-side spyproxy module of the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the potential source of content includes a web page component that is configured to be rendered by a browser program, and wherein:
    - loading the potential source of content within the virtual machine environment comprises—
      
      executing the browser program within the virtual machine environment;
      
      requesting the web page from a remote site on the network using the browser program; and
      
      loading the web page into the browser program so that it is rendered; and
      
      determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment comprises—
      
      detecting whether at least one of the plurality of predefined triggers fired as a result of the page being loaded into the browser program and rendered; and
      
      if at least one of the plurality of predefined triggers is detected, determining that the web page is at least attempting to perform a drive-by attack in the virtual machine environment.
  - 3. The method of claim 2, further comprising, if at least one of the plurality of predefined triggers is detected, executing anti-spyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment to test for a definitive indication that spyware has been installed in the virtual machine environment.
  - 4. The method of claim 1, wherein the potential source of content includes an executable file, and wherein:
    - loading the potential source of content within the virtual machine environment comprises installing the executable file within the virtual machine environment; and
      
      determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment comprises analyzing the virtual machine environment after the executable file is installed, to determine if installation of the executable file has caused an attack to be made within the virtual machine environment, the attack comprising executable code that is installed by a software module included with the executable file.
  - 5. The method of claim 4, wherein installing the executable file comprises employing heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 6. The method of claim 4, wherein:
    - analyzing the virtual machine environment comprises installing and executing an anti-spyware software program within the virtual machine environment; and
      
      determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment comprises employing the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused spyware to be installed within the virtual machine environment.
  - 7. The method of claim 1, further comprising if it is determined that the potential source of content has at least attempted to install spyware in the virtual machine environment, retaining data identifying the potential source of content.
  - 8. The method of claim 1, further comprising disabling, by the operating system on the virtual machine, all unnecessary background system services prior to automatically loading the content from the potential source of content within the virtual machine environment.
  - 9. The method of claim 1, wherein the predefined triggers comprise at least:
    - determining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes; and
      
      determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders.
  - 10. The method of claim 1, wherein the predefined triggers comprise at least:
    - determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
      
      determining that the browser process or an operating system process has crashed or has stopped responding.
  - 11. The method of claim 1, wherein the predefined triggers comprise at least determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification.

12. A system for preventing sources of content that are accessible over a network from completing an attack in a user environment, where the attack includes installing spyware or other undesired items, the system comprising:
- a border router having a memory and a processor coupled to the memory, wherein the processor is configured to execute machine instructions that are stored in the memory; and
  
  an interface coupling the border router to be in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including;
  
  creating a virtual machine environment in which to test potential sources of content found on the network to determine if a potential source of content at least attempts an attack, wherein a clean operating system executes within the virtual machine environment;
  
  automatically loading the content from the potential source of content into the virtual machine environment for testing; and
  
  determining whether or not the potential source of content has at least attempted an attack in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, andin the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
  
  wherein the predefined triggers comprise at least one ofdetermining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
  
  determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
  
  determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
  
  determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
  
  determining that the browser process or an operating system process has crashed or has stopped responding;
  
  in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, allowing access to the content in a user environment other than the virtual machine; and
  
  in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being accessed in the user environment other than the virtual machine;
  
  wherein creating the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a spyproxy module of the border router.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the machine instructions stored in the memory further cause the processor to:
    - execute a browser program in the virtual machine environment;
      
      from a remote site, automatically download a page having a component that is capable of being rendered as part of the page by a browser program, to determine if the component comprises the potential source of content that has at least attempted an attack in the virtual machine environment, the page being loaded into and rendered in the browser program;
      
      detect whether at least one of the plurality of predefined triggers fired as a result of the page being loaded into the browser program and rendered; and
      
      if at least one of the plurality of predefined triggers is detected, determine that the page is at least attempting a drive-by attack in the virtual machine environment.
  - 14. The system of claim 13, wherein if at least one of the plurality of predefined triggers is detected, the machine instructions further cause the processor to execute antispyware software within the virtual machine environment to perform a spyware scan of the virtual machine environment and test for a definitive indication that spyware has been installed in the virtual machine environment during the attack.
  - 15. The system of claim 14, wherein to install the executable file, the machine language instructions cause the processor to employ heuristics to emulate a user navigating and making selections in an installation process carried out by the executable file, when the executable file is executed within the virtual machine environment.
  - 16. The system of claim 14, wherein the machine language instructions cause the processor to:
    - install and execute an anti-spyware software program within the virtual machine environment; and
      
      employ the anti-spyware software program to analyze the virtual machine environment using predefined criteria, to determine whether installation of the executable file has caused spyware to be installed within the virtual machine environment.
  - 17. The system of claim 12, wherein the content comprises an executable file, and wherein the machine language instructions further cause the processor to:
    - install the executable file within the virtual machine environment; and
      
      analyze the virtual machine environment after the executable file is installed to determine if installation of the executable file has caused a drive-by attack to be made in the virtual machine environment by the executable file.
  - 18. The system of claim 12, wherein the machine language instructions further cause the processor to define a crawler program and employ the crawler program to access a plurality of sites on the network to search the network for potential attack sources, wherein the crawler program successively follows links on pages on a site, to access other pages and other sites on the network.
  - 19. The system of claim 12, wherein, if it is determined that the potential source of content has at least attempted an attack in the virtual machine environment, machine language instructions further cause the processor to retain data in the memory to identify the potential source of content.

20. A non-transitory computer readable memory storing instructions that, in response to being executed by a computing device, cause the computing device to perform operations for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the operations comprising:
- producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware on the computing device of a user;
  
  automatically loading the content from the potential source of content within the virtual machine environment;
  
  determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, bydetecting whether at least one of a plurality of predefined triggers are fired, andin the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
  
  wherein the predefined triggers comprise at least one ofdetermining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
  
  determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
  
  determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
  
  determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
  
  determining that the browser process or an operating system process has crashed or has stopped responding;
  
  in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, transferring the content to a user environment other than the virtual machine; and
  
  in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being loaded to the user environment other than the virtual machine;
  
  wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a client-side spyproxy module of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Washington
Original Assignee
University of Washington
Inventors
Gribble, Steven, Levy, Henry, Moshchuk, Alexander, Bragin, Tanya
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/488,222
Publication Number

US 20130014259A1
Time in Patent Office

1,086 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Detection of spyware threats within virtual machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of spyware threats within virtual machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links