Electronic message analysis for malware detection

US 9,106,694 B2
Filed: 04/18/2011
Issued: 08/11/2015
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting malicious network content by a network content processing system, comprising:

receiving an electronic email message;

analyzing the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message;

determining whether the detected URL address within the message content is suspicious;

in response to a determination that the detected URL address is suspicious, executing, with a computer processing system, the suspicious URL address detected within the message content of the electronic email message, wherein executing the suspicious URL address comprises executing, within a virtual environment, web content received in response to a request for the web content; and

identifying the suspicious URL address detected within the electronic email message content as malicious based on results of the executing of the suspicious URL address detected within the electronic email message content in the virtual environment.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

565 Citations

51 Claims

1. A computer implemented method for detecting malicious network content by a network content processing system, comprising:
- receiving an electronic email message;
  
  analyzing the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message;
  
  determining whether the detected URL address within the message content is suspicious;
  
  in response to a determination that the detected URL address is suspicious, executing, with a computer processing system, the suspicious URL address detected within the message content of the electronic email message, wherein executing the suspicious URL address comprises executing, within a virtual environment, web content received in response to a request for the web content; and
  
  identifying the suspicious URL address detected within the electronic email message content as malicious based on results of the executing of the suspicious URL address detected within the electronic email message content in the virtual environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, further comprising:
    - comparing the detected URL address to a first list of URLs; and
      
      identifying the detected URL address as suspicious if the detected URL address is not in the first list of URLs.
  - 3. The method of claim 2, wherein the first list includes URLs associated with malware.
  - 4. The method of claim 2, wherein the first list includes URLs known to not be associated with malware.
  - 5. The method of claim 2, further comprising transmitting one or more malicious URL addresses to a remote device, the remote device configured to receive the one or more malicious URL addresses, consolidating malicious URL addresses, and transmitting an updated list of URL addresses associated with the malicious URL addresses.
  - 6. The method of claim 5, further comprising:
    - receiving one or more detected URL addresses from an electronic message malware detection system at a web malware detection system; and
      
      raising a priority associated with examining one or more of the detected URL addresses received from a network by the web malware detection system, the priority raised based on the received one or more detected URL addresses.
  - 7. The method of claim 6, further comprising:
    - dynamically adjusting a priority for processing URL addresses detected within an email based on the web malware detection system load.
  - 8. The method of claim 1, wherein the virtual environment comprises a virtual application component, one type of virtual application component comprises a virtual network browser application.
  - 9. The method of claim 8, wherein the detected URL address is determined to be suspicious by an electronic message malware detection device, and the detected URL address determined to be suspicious is identified as malicious by a web malware detection device.
  - 10. The method of claim 6, wherein the detected URL address determined to be suspicious is transmitted from the electronic message malware detection device to the web malware detection device.
  - 11. The method of claim 1, further comprising:
    - configuring a virtual environment component within a virtual environment to provide a real application configured to process suspicious network content comprising the web content corresponding to the suspicious URL address, the virtual environment configured within a network content processing system;
      
      processing the suspicious network content using the virtual environment component within the virtual environment; and
      
      identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
  - 12. The method of claim 11, where the suspicious network content includes a file attached to an electronic message, the virtual environment component including an application configured to process the file.
  - 13. The method of claim 12, where the file is a Microsoft Word type document, the virtual environment component including a Microsoft Word program.
  - 14. The method of claim 12, where the file is a Microsoft Excel type document, the virtual environment component including a Microsoft Excel program.
  - 15. The method of claim 12, where the file is a Microsoft Powerpoint type document, the virtual environment component including a Microsoft Powerpoint program.
  - 16. The method of claim 12, where the file is a Portable Document Format (PDF) document, the virtual environment component including an Adobe PDF Reader program.
  - 17. The method of claim 1, further comprising monitoring changes to a virtual environment operating system by an agent, the suspicious URL address detected within the message content of the electronic email message identified as malicious based on detected improper changes to the virtual environment operating system.
  - 18. The method of claim 1, wherein the suspicious URL address is identified as malicious when results of the executing of the suspicious URL address indicate malicious network content is embedded within data associated with a web page referenced by the suspicious URL address.
  - 19. The method of claim 1, wherein executing the suspicious URL address further comprises:
    - configuring a web browser in the virtual environment; and
      
      sending the content request to the suspicious URL address by the web browser in the virtual environment.
  - 20. The method of claim 1, wherein the received electronic email message is a copy of an electronic email message delivered to a recipient.
  - 21. The method of claim 1, wherein the message content is an electronic email message attachment.
  - 22. The method of claim 1, wherein the virtual environment simulates a particular client device targeted to receive the electronic email message and comprises an operating system corresponding to an operating system of the particular client device.
  - 23. The method of claim 1, wherein the virtual environment simulates a particular client device targeted to receive the electronic email message and comprises an application corresponding to an application that controls selecting of the URL.
  - 24. The method of claim 1, wherein the results of the executing of the suspicious URL address comprises an occurrence of one or more undesirable behaviors during execution of the web content received in response to the request, the one or more undesirable behaviors comprises an attempt to install or execute a file.
  - 25. The method of claim 1, wherein the results of the executing of the suspicious URL address comprises actions that occur responsive to processing of the web content within the virtual environment, the actions include at least changing a configuration of an operating system of the virtual environment.
  - 26. The method of claim 1, wherein:
    - the analyzing of the electronic email message comprises detecting a plurality of URL addresses including the URL address and assigning priority for analysis to each of the plurality of URL addresses; and
      
      the determining whether the detected URL address within the message content is suspicious comprises determining whether a first URL address of the plurality of URL addresses is suspicious prior to determining whether a second URL of the plurality of URL addresses is suspicious when the first URL address is assigned a higher priority than the second URL address.
  - 27. The method of claim 26, wherein the executing of the first URL address being the suspicious URL address and the identifying the suspicious URL address as malicious is conducted prior to the determining whether the second URL address within the message content is suspicious.

28. A non-transitory computer readable storage medium implemented within a computing device and having stored thereon instructions that, when executed by a processor, performs operations for detecting malicious network content, comprising:
- receiving an electronic email message;
  
  analyzing the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message;
  
  determining whether the detected URL address within the message content is suspicious;
  
  in response to a determination that the detected URL address is suspicious, executing the suspicious URL address detected within the message content of the electronic email message, wherein executing the suspicious URL address comprises executing, within a virtual environment, web content received in response to a request for the web content; and
  
  identifying the suspicious URL address detected within the electronic email message content as malicious based on results of the executing of the suspicious URL address detected within the electronic email message content in the virtual environment.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. The non-transitory computer readable storage medium of claim 28, where the instructions upon execution by the processor, perform further operations comprising:
    - comparing the detected URL address to a first list of URLs; and
      
      identifying the detected URL address as suspicious if the detected URL address is not in the first list of URLs.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein the first list includes URLs associated with malware.
  - 31. The non-transitory computer readable storage medium of claim 29, wherein the first list includes URLs known to not be associated with malware.
  - 32. The non-transitory computer readable storage medium of claim 28, wherein the virtual application component is a virtual network browser application.
  - 33. The non-transitory computer readable storage medium of claim 28, wherein the detected URL address is determined to be suspicious by an electronic message malware detection device, and the detected URL address determined to be suspicious is identified as malicious by a web malware detection device.
  - 34. The non-transitory computer readable storage medium of claim 28, wherein the virtual environment simulates a particular client device targeted to receive the electronic email message and comprises an operating system corresponding to an operating system of the particular client device.
  - 35. The non-transitory computer readable storage medium of claim 28, wherein the results of the executing of the suspicious URL address comprises an occurrence of one or more undesirable behaviors during execution of the web content received in response to the request.
  - 36. The non-transitory computer readable storage medium of claim 35, wherein the one or more undesirable behaviors include an attempt to transmit data from the computing device.
  - 37. The non-transitory computer readable storage medium of claim 28, wherein the instructions, when executed by a processor, perform operations comprising:
    - the analyzing of the electronic email message comprises detecting a plurality of URL addresses including the URL address and assigning priority for analysis to each of the plurality of URL addresses; and
      
      the determining whether the detected URL address being the first URL address is suspicious and the identifying that the first URL address is malicious occurs prior to determining whether a second URL of the plurality of URL addresses is suspicious, when the first URL address is assigned a higher priority than the second URL address.

38. A system for detecting malicious network content, comprising:
- a memory; and
  
  a processor coupled with the memory and configured to receive an electronic email message;
  
  an electronic message malware detector comprising the processor and configured toanalyze the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message, anddetermine whether the detected URL address within the message content is suspicious;
  
  a web malware detector coupled with the electronic message malware detector and configured toin response to a determination that the detected URL address is suspicious, execute the suspicious URL address detected within the message content of the electronic email message, wherein executing the suspicious URL address comprises executing, within a virtual environment, web content received in response to a request for the web content, andidentifying the suspicious URL address detected within the electronic email message content as malicious based on results of the executing of the suspicious URL address detected within the electronic email message content in the virtual environment.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 39. The system of claim 38, wherein the processor is further configured to execute the electronic malware detection logic to compare the detected URL address to a first list of URLs, and identify the detected URL address as suspicious if the detected URL address is not in the first list of URLs.
  - 40. The system of claim 39, wherein the first list includes URLs associated with malware.
  - 41. The system of claim 39, wherein the first list includes URLs known to not be associated with malware.
  - 42. The system of claim 39, further comprising a computing device including the electronic message malware detector and the web malware detector.
  - 43. The system of claim 38, wherein the virtual application component is a virtual network browser application.
  - 44. The system of claim 38,wherein the web malware detector comprises a virtual environment component within the virtual environment that provides a real application configured to process suspicious network content comprising the web content corresponding to the suspicious URL address, the virtual environment configured within a network content processing system;
    - andwherein the web malware detector is further configured to process the suspicious network content using the virtual environment component within the virtual environment, and to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component.
  - 45. The system of claim 44, wherein the web malware detector further comprises monitoring changes to the virtual environment by an agent, the suspicious URL address detected within the message content of the electronic email message identified as malicious based on detected improper changes to the virtual environment.
  - 46. The system of claim 38, wherein the web malware detector to execute the web content within the virtual environment that simulates a particular client device targeted to receive the electronic email message and comprises an operating system corresponding to an operating system of the particular client device.
  - 47. The system of claim 38, wherein the results of the executing of the suspicious URL address by the web malware detector comprises an occurrence of one or more undesirable behaviors during execution of the web content received in response to the request, the one or more undesirable behaviors comprises an attempt to install or execute a file.
  - 48. The system of claim 38, wherein the results of the executing of the suspicious URL address by the web malware detector comprises an occurrence of one or more undesirable behaviors during execution of the web content received in response to the request, the one or more undesirable behaviors comprises changing of a registry value.
  - 49. The system of claim 38, wherein the results of the executing of the suspicious URL address by the web malware detector that includes execution of the web content comprises actions that occur responsive to processing of the web content within the virtual environment, the actions include at least changing a configuration of an operating system of the virtual environment.
  - 50. The system of claim 38, wherein:
    - the analyzing of the electronic email message by the electronic message malware detector comprises detecting a plurality of URL addresses including the detected URL address and assigning priority for analysis to each of the plurality of URL addresses; and
      
      the determining whether the detected URL address is suspicious by the electronic message malware detector comprises determining whether a first URL address of the plurality of URL addresses is suspicious prior to determining whether a second URL of the plurality of URL addresses is suspicious when the first URL address is assigned a higher priority than the second URL address.
  - 51. The system of claim 50, wherein the executing of the first URL address being the suspicious URL address and the identifying the suspicious URL address as malicious by the web malware detector is conducted prior to the determining whether the second URL address within the message content is suspicious by the electronic message malware detector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Uyeno, Henry, Manni, Jay, Amin, Muhammad, Staniford, Stuart
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US13/089,191
Publication Number

US 20110314546A1
Time in Patent Office

1,576 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Electronic message analysis for malware detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

565 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic message analysis for malware detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

565 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links