Detection of spyware threats within virtual machine
First Claim
1. A method for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the method comprising:
producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware on the computing device of a user;
automatically loading the content from the potential source of content within the virtual machine environment;
determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, and in the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
wherein the predefined triggers comprise at least one of determining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
determining that the browser process or an operating system process has crashed or has stopped responding;
in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, transferring the content to a user environment other than the virtual machine; and
in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being loaded to the user environment other than the virtual machine;
wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a client-side spyproxy module of the computing device.
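As an added illustration of the trigger logic recited in claim 1 (this is example code written for this page, not code from the patent or its assignee), the following Python evaluates the five predefined triggers over a constructed stream of events from a sandbox VM and turns the result into the allow/block decision the claim describes. The process names, safe-folder paths, sensitive registry prefixes and event records are all assumptions made for the example; a real spyproxy module would collect these events from the VM's process, file-system and registry monitors.

```python
from dataclasses import dataclass
from typing import List, Tuple

# All names below are constructed for this example. In a deployment they would be
# derived from the clean VM image: the browser binary, its known helper processes,
# the folders it is allowed to write (cache, temp) and the registry keys that
# control persistence.
BROWSER_PROCESSES = {"browser.exe"}
HELPER_PROCESSES = {"plugin-host.exe", "renderer.exe"}
OS_PROCESSES = {"explorer.exe", "svchost.exe"}
SAFE_FOLDERS = (
    "c:\\users\\sandbox\\appdata\\local\\temp\\",
    "c:\\users\\sandbox\\appdata\\local\\browsercache\\",
)
SENSITIVE_REGISTRY_PREFIXES = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass(frozen=True)
class Event:
    """One observation from the VM monitor (constructed record format)."""
    kind: str          # process_start | file_write | registry_write | process_crash | process_hang
    actor: str         # process that performed the action (or that crashed / hung)
    target: str = ""   # new process name, file path, or registry key


def _norm(s: str) -> str:
    # Windows process names, paths and registry keys are case-insensitive.
    return s.lower()


def evaluate_triggers(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (trigger_name, event) for every predefined trigger fired by the stream."""
    trusted = {_norm(p) for p in BROWSER_PROCESSES | HELPER_PROCESSES}
    crash_watch = {_norm(p) for p in BROWSER_PROCESSES | OS_PROCESSES}
    fired: List[Tuple[str, Event]] = []
    for ev in events:
        actor, target = _norm(ev.actor), _norm(ev.target)
        if ev.kind == "process_start":
            # Trigger 1: a process other than the browser or its helpers is launched.
            if target not in trusted:
                fired.append(("new_process", ev))
        elif ev.kind == "file_write":
            # Trigger 2: a file is created or modified outside the safe folders.
            if not target.startswith(SAFE_FOLDERS):
                fired.append(("file_outside_safe_folders", ev))
            # Trigger 3: a process other than the browser or its helpers wrote a file.
            if actor not in trusted:
                fired.append(("file_write_by_untrusted_process", ev))
        elif ev.kind == "registry_write":
            # Trigger 4: a sensitive registry entry is modified.
            if target.startswith(SENSITIVE_REGISTRY_PREFIXES):
                fired.append(("sensitive_registry_modified", ev))
        elif ev.kind in ("process_crash", "process_hang"):
            # Trigger 5: the browser or an OS process crashed or stopped responding.
            if actor in crash_watch:
                fired.append(("browser_or_os_crash", ev))
    return fired


def verdict(events: List[Event]) -> str:
    """'allow' transfers the content to the user environment; 'block' withholds it."""
    return "block" if evaluate_triggers(events) else "allow"


# Constructed sample sessions: an ordinary page load, and a drive-by install.
BENIGN_SESSION = [
    Event("process_start", "browser.exe", "plugin-host.exe"),
    Event("file_write", "browser.exe", "C:\\Users\\sandbox\\AppData\\Local\\BrowserCache\\page.html"),
    Event("registry_write", "browser.exe", "HKCU\\Software\\ExampleBrowser\\Prefs"),
]
DRIVE_BY_SESSION = [
    Event("file_write", "browser.exe", "C:\\Users\\sandbox\\AppData\\Local\\Temp\\setup.exe"),
    Event("process_start", "browser.exe", "setup.exe"),
    Event("file_write", "setup.exe", "C:\\Program Files\\Toolbar\\tb.dll"),
    Event("registry_write", "setup.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Toolbar"),
    Event("process_crash", "browser.exe"),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("drive-by", DRIVE_BY_SESSION)):
        print(name, verdict(session), [t for t, _ in evaluate_triggers(session)])
```

Note that the drive-by session writes its installer into the temp folder first, which fires nothing on its own; the decision only turns to "block" once the installer is launched as a new process and starts touching locations outside the browser's own footprint. That ordering is what makes trigger 1 (new process) and trigger 3 (untrusted writer) useful alongside the path-based check: a safe-folder list that is too wide would otherwise let the write stage through.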
Abstract
A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.
20 Claims
12. A system for preventing sources of content that are accessible over a network from completing an attack in a user environment, where the attack includes installing spyware or other undesired items, the system comprising:
a border router having a memory and a processor coupled to the memory, wherein the processor is configured to execute machine instructions that are stored in the memory; and
an interface coupling the border router to be in communication with the network, wherein the machine instructions cause the processor to automatically carry out a plurality of functions using the interface to communicate over the network, including:
creating a virtual machine environment in which to test potential sources of content found on the network to determine if a potential source of content at least attempts an attack, wherein a clean operating system executes within the virtual machine environment;
automatically loading the content from the potential source of content into the virtual machine environment for testing; and
determining whether or not the potential source of content has at least attempted an attack in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, and in the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
wherein the predefined triggers comprise at least one of determining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
determining that the browser process or an operating system process has crashed or has stopped responding;
in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, allowing access to the content in a user environment other than the virtual machine; and
in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being accessed in the user environment other than the virtual machine;
wherein creating the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a spyproxy module of the border router.
20. A non-transitory computer readable memory storing instructions that, in response to being executed by a computing device, cause the computing device to perform operations for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the operations comprising:
producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware on the computing device of a user;
automatically loading the content from the potential source of content within the virtual machine environment;
determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, by detecting whether at least one of a plurality of predefined triggers are fired, and in the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
wherein the predefined triggers comprise at least one of determining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified; and
determining that the browser process or an operating system process has crashed or has stopped responding;
in the case where the potential source of content has not at least attempted to install spyware in the virtual machine environment, transferring the content to a user environment other than the virtual machine; and
in the case where the potential source of content has at least attempted to install spyware in the virtual machine environment, preventing the content from being loaded to the user environment other than the virtual machine;
wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a client-side spyproxy module of the computing device.
Specification