Segregating executable files exhibiting network activity

US10083300B2 · US · B2

Patent metadata
Publication number: US-10083300-B2
Application number: US-201315039779-A
Country: US
Kind code: B2
Filing date: Dec 27, 2013
Priority date: Dec 27, 2013
Publication date: Sep 25, 2018
Grant date: Sep 25, 2018

Abstract

Official abstract text for this publication.

An executable file is loaded into memory. The executable file is analyzed to determine whether one or more dynamically linked libraries are referenced in an import table of the file. It can then be determined whether one or more dynamically linked libraries is adapted to contact a network.

Claims

Full claim text for this publication (independent claims 1, 7 and 13; the rest are dependent).

What is claimed is:

1. An apparatus comprising: one or more processing elements; and a memory, coupled to the one or more processing elements; a dynamically linked library (DLL) analyzer loadable into the memory, comprising instructions that when executed cause the one or more processing elements to: determine whether one or more DLLs used by an executable file are adapted to perform network activity; scan an import descriptor data structure module of the executable file for a reference to a dynamically linked library known to perform network activity; an executable file analyzer loadable into the memory, comprising instructions that when executed cause the one or more processing elements to: determine whether the executable file is packed or unpacked; enumerate the executable file responsive to a determination that the executable file is unpacked; detect use of one or more DLLs responsive to a determination that the executable file is packed; invoke the DLL analyzer to process the executable file, responsive to detecting use of one or more executable DLLs; and perform malware analysis responsive to the determination by the DLL analyzer that the one or more DLLs are adapted to perform network activity.

2. The apparatus of claim 1, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: identify one or more dynamically linked libraries adapted to perform network activity referenced by the executable file; and determine whether the one or more dynamically linked libraries perform network activity.

3. The apparatus of claim 1, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: hook processing of the executable file responsive to determining at least one dynamically linked library adapted to perform network activity is used by the executable file.

4. The apparatus of claim 1, wherein the memory further comprises instructions to cause the one or more processing elements to: allow execution of the executable file responsive to determining no dynamically linked library adapted to perform network activity is used by the executable file.

5. The apparatus of claim 4, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: hook execution of the executable file responsive to identifying network activity by a dynamically linked library.

6. The apparatus of claim 1, wherein the executable file comprises a portable executable file.

7. A non-transitory computer readable storage medium comprising computer readable code comprising: a dynamically linked library (DLL) analyzer, comprising instructions that when executed cause the one or more processing elements to: determine whether one or more DLLs used by an executable file are adapted to perform network activity; scan an import descriptor data structure module of the executable file for a reference to a dynamically linked library known to perform network activity; an executable file analyzer, comprising instructions that when executed cause the one or more processing elements to: determine whether the executable file is packed or unpacked; enumerate the executable file responsive to a determination that the executable file is unpacked; detect use of one or more DLLs responsive to a determination that the executable file is packed; invoke the DLL analyzer to process the executable file, responsive to detecting use of one or more executable DLLs; and perform malware analysis responsive to the determination by the DLL analyzer that the one or more DLLs are adapted to perform network activity.

8. The non-transitory computer readable medium of claim 7, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: identify one or more dynamically linked libraries adapted to perform network activity referenced by the executable file; and determine whether the one or more dynamically linked libraries perform network activity.

9. The non-transitory computer readable medium of claim 7, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: hook processing of the executable file responsive to determining at least one dynamically linked library adapted to perform network activity is used by the executable file.

10. The non-transitory computer readable medium of claim 7, further comprising instructions to cause the one or more processing elements to: allow execution of the executable file responsive to determining no dynamically linked library adapted to perform network activity is used by the executable file.

11. The non-transitory computer readable medium of claim 10, wherein the DLL analyzer further comprises instructions that when executed cause the one or more processing elements to: hook execution of the executable file responsive to identifying network activity by a dynamically linked library.

12. The non-transitory computer readable medium of claim 7, wherein the executable file comprises a portable executable file.

13. A method comprising: determining whether one or more dynamically linked libraries (DLLs) used by an executable file are adapted to perform network activity; scanning an import descriptor data structure module of the executable file for a reference to a dynamically linked library known to perform network activity; determining whether the executable file is packed or unpacked; enumerating the executable file responsive to a determination that the executable file is unpacked; detecting use of one or more DLLs responsive to a determination that the executable file is packed; invoking a DLL analyzer to process the executable file, responsive to detecting use of one or more executable DLLs; and performing malware analysis responsive to the determination by the DLL analyzer that the one or more DLLs are adapted to perform network activity.

14. The method of claim 13, further comprising: identifying one or more dynamically linked libraries adapted to perform network activity referenced by the executable file; and determining whether the one or more dynamically linked libraries perform network activity.

15. The method of claim 13, further comprising: hooking processing of the executable file responsive to determining at least one dynamically linked library adapted to perform network activity is used by the executable file.

16. The method of claim 13, further comprising: allowing execution of the executable file responsive to determining no dynamically linked library adapted to perform network activity is used by the executable file.

17. The method of claim 16, further comprising: hooking execution of the executable file responsive to identifying network activity by a dynamically linked library.

18. The method of claim 13, wherein the executable file comprises a portable executable file.
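The import-table scan that the abstract and independent claims 1, 7 and 13 describe, as an added Python example that is not part of the patent or of the assignee's product: it parses the PE headers with the standard library only, walks the IMAGE_IMPORT_DESCRIPTOR array, flags imports drawn from a constructed list of network-capable DLLs, applies a simple packer heuristic in place of the "packed or unpacked" determination, and routes the file to analysis or allows it as claims 1 and 4 do. The NETWORK_DLLS and PACKER_SECTIONS sets, the triage decision, and the build_sample_pe constructor (which fabricates a minimal PE32 so the code runs offline) are this example's own assumptions, not the patent's.

```python
import struct

# DLLs whose exports are the usual route to the network on Windows
# (constructed starter set for this example, not the patent's own list).
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll",
                "urlmon.dll", "dnsapi.dll", "iphlpapi.dll"}

# Section names left behind by common packers (constructed heuristic set).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                   b".petite", b".MPRESS1", b".MPRESS2", b".themida"}


def parse_pe(data):
    """Read the PE headers needed to reach the import directory and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 1 is the import table.
    dd_base = {0x10B: 96, 0x20B: 112}[magic]
    import_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40   # section headers follow the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": data[hdr:hdr + 8].rstrip(b"\0"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"import_rva": import_rva, "sections": sections}


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA %#x is not backed by file data" % rva)


def imported_dlls(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return the DLL names it references."""
    pe = parse_pe(data)
    if pe["import_rva"] == 0:
        return []
    names, off = [], rva_to_offset(pe["import_rva"], pe["sections"])
    while True:
        # Fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):
            break  # an all-zero descriptor terminates the array
        name_off = rva_to_offset(desc[3], pe["sections"])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names


def network_dlls(data):
    """Imports that fall in the network-capable set (DLL names are case-insensitive)."""
    return [d for d in imported_dlls(data) if d.lower() in NETWORK_DLLS]


def looks_packed(data):
    """Cheap packer heuristic (assumption, not the patent's test): a known packer
    section name, or a section that occupies memory but has no bytes on disk."""
    return any(s["name"] in PACKER_SECTIONS or (s["raw_size"] == 0 and s["vsize"] > 0)
               for s in parse_pe(data)["sections"])


def triage(data):
    """Decision in the spirit of claims 1 and 4: scan the import table either way,
    send the file to malware analysis if a network-capable DLL is used, else allow."""
    net = network_dlls(data)
    return {"packed": looks_packed(data), "network_dlls": net,
            "action": "malware_analysis" if net else "allow"}


def build_sample_pe(dlls, section_name=b".idata"):
    """Construct a minimal PE32 with one section holding an import table (sample
    input for this example). Thunk arrays are left empty; only fields the parser
    reads are filled, so this is not a loadable image."""
    desc_rva, raw_ptr = 0x1000, 0x200
    names_rva = desc_rva + 20 * (len(dlls) + 1)
    blob, name_rvas = bytearray(), []
    for d in dlls:
        name_rvas.append(names_rva + len(blob))
        blob += d.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in name_rvas)
    section = descs + bytes(20) + bytes(blob)            # terminator, then name strings
    img = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, desc_rva, len(descs) + 20)    # import directory
    img += opt
    img += section_name.ljust(8, b"\0") + struct.pack(
        "<IIII", len(section), desc_rva, len(section), raw_ptr) + bytes(16)
    img += bytes(raw_ptr - len(img)) + section
    return bytes(img)
```

Calling triage(build_sample_pe(["KERNEL32.dll", "WS2_32.dll"])) returns an "malware_analysis" action with WS2_32.dll listed, while a sample importing only KERNEL32.dll is allowed. Static import scanning of this kind only sees libraries named in the import table; code that resolves network APIs at run time through LoadLibrary/GetProcAddress, or a packer that rebuilds imports after unpacking, will not appear here, which is why the claims pair the scan with a packed/unpacked check and run-time hooking.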

Assignees

McAfee Inc, McAfee LLC

Inventors

Classifications

  • G06F21/56 (primary): Computer malware detection or handling, e.g. anti-virus arrangements
  • Test or assess a computer or a system
  • Program or device authentication
  • for detecting or protecting against malicious traffic
  • G06F21/566 (primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10083300B2 cover?
An executable file is loaded into memory. The executable file is analyzed to determine whether one or more dynamically linked libraries are referenced in an import table of the file. It can then be determined whether one or more dynamically linked libraries is adapted to contact a network.
Who is the assignee on this patent?
McAfee Inc, McAfee LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/56. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 25, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).