68 results about "Malware analysis" patented technology

According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.

Techniques for behavior based malware analysis are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for behavior based analysis comprising receiving trace data, analyzing, using at least one computer processor, observable events to identify low level actions, analyzing a plurality of low level actions to identify at least one high level behavior, and providing an output of the at least one high level behavior.

Files received by a mobile device are sampled for malware tracking. The method includes configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting all attempts to transfer files. The method further comprises intercepting files transferred via the short-range communication technology to the mobile device from another device. The method also comprises quarantining the files transferred to the mobile device and logging identifying information about each of the files quarantined and about the other devices from which each of the files originated. The method further includes providing the logged identifying information for the files received to a security server. The method can also include, responsive to a request from the security server for more information about one of the files, providing a copy of that file to the security server for malware analysis and for updating a reputation system tracking mobile device malware.

Malware detection methods systems, and apparatus are described. Malware may be detected by obtaining a plurality of malware binary executables and a plurality of goodware binary executables, decompiling the plurality of malware binary executables and the plurality of goodware binary executable to extract corresponding assembly code for each of the plurality of malware binary executables and the plurality of goodware binary executable, constructing call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables from the corresponding assembly code, determining similarities between the call graphs using graph kernels applied to the call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables, building a malware detection model from the determined similarities between call graphs by applying a machine learning algorithm such as a deep neural network (DNN) algorithm to the determined similarities, and identifying whether a subject executable is malware by applying the built malware detection model to the subject executable.

A framework and method for creating malware analysis tools for dynamic and stealth coarse- and fine-grained malware analysis is provided. In one embodiment a method stalls the execution of a desired code on any form of access to memory or other devices. This can be used to monitor the behavior of the malware with respect to the system at a high level. Upon identification of a high level access, another method can be employed in order to decompose a desired range of code into its individual instructions as they execute thereby revealing the inner structure of the malware as it executes. Since the framework does not employ any processor debugging features, and its methods are self-resilient and completely invisible to the executing code, malware that employ any form of anti-debugging and/or anti-analysis strategy including using framework methods can be easily and effectively analyzed.

A system and method for implementing a software emulation environment is provided. In one example, a mobile application can interface with an emulation environment that can be used to test whether the mobile application includes malware that can compromise the security and integrity of an enterprise's computing infrastructure. When the mobile application issues a call for data, a device mimic module can intercept the call and determine if the call includes a call for one or more checkable artifacts that can reveal the existence of the emulation environment. If such a call for data occurs, the device mimic module can provide one or more spoofed checkable artifacts that have been recorded from a real-world mobile device. In this way, the existence of the emulation environment can be concealed so as to allow for a more thorough analysis of a mobile application for potential hidden malware.

A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

According to one embodiment, a computerized method comprises processing one or more objects by a first thread of execution that are part of a multi-thread process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering a graphical display of the monitored events detected during processing of the one or more objects by the first thread on a display screen.

Generally discussed herein are systems, devices, and methods for malware analysis. In one or more embodiments, a method can include copying application layer data traffic to create copied application layer data traffic, forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic, determining whether the copied application layer data traffic includes a specified property, and in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.

Embodiments of the present invention may provide an Industrial Control System (ICS) Emulator for Malware Analysis. The ICS Emulator may be embodied in a software. The software may be developed by testing and operating thousands of ICS devices that are used every day in critical infrastructure from power to oil & gas. Then, based on the tests and operations, the software may be configured to identify if, when, and how malware may be attacking various industrial control systems.

Embodiments of the present invention may provide an Industrial Control System (ICS) Emulator for Malware Analysis. The ICS Emulator may be embodied in a software. The software may be developed by testing and operating thousands of ICS devices that are used every day in critical infrastructure from power to oil & gas. Then, based on the tests and operations, the software may be configured to identify if, when, and how malware may be attacking various industrial control systems.

Disclosed are systems, methods and computer program products for detecting unknown malware. A method comprises generating genes for known malicious and clean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of false positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing unknown object for malware.

A system and methods for sandboxed malware analysis and automated patch development, deployment and validation, comprising a business operating system, vulnerability scoring engine, binary translation engine, sandbox simulation engine, at least one network endpoint, at least one database, a network, and a combination of machine learning and vulnerability probing techniques, to analyze software, locate any vulnerabilities or malicious behavior, and attempt to patch and prevent undesired behavior from occurring, autonomously.

Sensor enrollment management is conducted where features and capabilities for one or more broker computing nodes within the cluster are received by an enrollment service operating within a management system. The enrollment service is configured to receive advertised features and capabilities for computing nodes that are part of a cluster and provide address information associated with the enrollment service to the sensor. Based on information supplied by the sensor, the enrollment service authenticates the sensor, and upon authentication, forwards keying material associated with the sensor to a computing node selected that is selected for supporting communications to the cluster from the sensor. Also, the enrollment service provides a portion of the advertised features and capabilities associated with the computing node to the sensor to enable the sensor to establish a secure communication path with the computing node for malware analysis of suspicious objects within network traffic monitored by the sensor.

The invention discloses a system and a method used for detecting malicious code of a random access memory. The embodiment is characterized in that a hardware processor is used to detect the process of the untrusted application; the hardware processor is used to identify the function call including the inter-process function call from the generating of the process to the target process generated by the process of the untrusted application; the hardware processor is used to determine whether the execute the malicious software analysis executing the code in the address space of the target process called by the inter-process function generated by the process of the untrusted application; when the malicious software analysis is decided to be executed, the anti-virus software executed by the hardware processor can be used to analyze the code in the address space of the target process called by the inter-process function generated by the process of the untrusted application.

Disclosed are systems, methods and computer program products for efficient and reliable analysis, optimization and detection of obfuscated malware. One disclosed example method for malware detection includes loading an executable software code on a computer system and disassembling the software code into an assembly language or other low-level programming language. The method then proceeds to simplifying complex assembly instructions and constructing a data flow model of the simplified software code. The dependencies and interrelations of code elements of the data flow model are analyzed to identify obfuscated software codes therein. The identified obfuscated codes are then optimized. Based on the results of optimization, determination is made whether the software code is malicious and/or whether further antimalware analysis of the optimized software code is necessary.

A server access log includes data records each describing a previous query regarding a suspect computer file of a client computer. Each record includes the CRC code for the suspect computer file, the result of the malware analysis performed on the backend server and other attributes and values. The log is analyzed to retrieve relevant attributes and values from each record. Key attributes and values are generated such as region and continuous query. All CRC codes are grouped according to attribute values. Each group is analyzed to determine the network traffic associated with downloading the entire group to all user computers and the network traffic associated with not downloading the group but responding to future malware queries regarding CRC codes in the group. CRC codes are removed from each group if necessary. CRC code-result pairs for each group are downloaded to all user computers as a pre-fetch cache.

Malware analysis and root-cause analysis, and information security insights based on Operating System sampled data. Sampled data includes structured logs, Operating System Snapshots, programs and/or processes and/or kernel crashes, crash dumps, memory dumps, stackshots, simulated crashes or samples. The sampled data contains payload for extraction for the purpose of detection, evaluation and reproduction of threats, infection vector, threat actors and persistence methods in the form of backdoors or Trojans or exploitable vulnerabilities used for initial infiltration or lateral movement.

Methods and apparatuses for malware analysis and root-cause analysis, and information security insights based on Operating System sampled data such as structured logs, Operating System Snapshots, programs and/or processes and/or kernel crash dumps or samples containing payload for extraction for the purpose of detection and evaluation of threats, infection vector, threat actors and persistence methods in the form of backdoors or Trojans or unknown exploitable vulnerabilities used.

According to one embodiment, a computerized method features monitoring behaviors of an object during processing within a guest system of a virtual machine. Within a guest system, a rule-based analysis of data associated with the monitored behaviors is conducted. The rule-based analysis includes prioritizing data associated with the monitored behaviors that correspond to an exception, and thereafter, storing the data associated with the monitored behaviors that correspond to the exception into a prescribed area of a virtual image file. The prescribed area is accessible by (i) logic within the guest system and (ii) logic within a host system of the virtual machine.