Method and apparatus for determination of the non-replicative behavior of a malicious program
Abstract
Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment.
Claims
exact text as granted — not AI-modified1 . A method, comprising:
executing a program suspected of containing an undesirable software entity exhibiting non-replicative behavior in at least one known environment; automatically examining the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program and, if a change is detected, automatically analyzing the detected change to determine if the change resulted from execution of the program or from execution of the undesirable software entity; and using a result of the analysis for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the changes that have been observed to result from the execution of the undesired software entity.
2 . A method as in claim 1 , where a number of times that the program is executed is a function of the type of the detected changes and the consistency of the detected changes between executions of the program.
3 . A method as in claim 1 , where another program infected during the execution of the program is exercised in the same environment for differentiating between malicious and non-malicious program changes.
4 . A method as in claim 1 , further comprising disinfecting the program; and exercising the disinfected program in the same environment for differentiating between malicious and non-malicious program changes.
5 . A method as in claim 1 , further comprising locating a non-infected copy of the program using at least one of a pattern of changes made to the environment during execution of a malicious program and a look and feel of the program.
6 . A method as in claim 1 , where the program is executed in an environment where requests made by the program to interact with the environment have a potential to create a side effect.
7 . A method as claim 6 , further comprising always granting a request by the program to interact with the environment.
8 . A method as claim 6 , further comprising always granting a request by the program for access to an environmental resource.
9 . A method as claim 6 , further comprising always granting a request by the program for access to a resource located external to the environment.
10 . A method as in claim 1 , where the program is suspected of containing a virus program.
11 . A method as in claim 1 , where the program is suspected of containing a worm program.
12 . A method as in claim 1 , where the program is suspected of containing a Trojan Horse program or being a Trojan Horse program.
13 . A method as in claim 1 , where the step of automatically examining includes comparing a current state of the environment after the program is executed at least once to a state of the environment before the program was executed.
14 . A method as in claim 1 , where the step of automatically examining includes comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a known non-infected version of the program, and ignoring side effects that result normally from program execution.
15 . A method as in claim 1 , where the step of automatically examining comprises comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a generically repaired version of the program, and ignoring side effects that result normally from program execution.
16 . A method as in claim 1 , where the step of automatically examining comprises comparing a current state of the environment after the program is executed at least once to a state of the environment that is ascertained from a look and feel analysis of the operation of a graphical user interface of the program to determine the identity of the original uninfected program, and ignoring side effects that result normally from program execution.
17 . A method as in claim 1 , where the step of executing the program comprises steps of:
infecting a plurality of goat files; selecting an infected goat file deemed to be most effective for soliciting side effects generations based on at least one criterion; and executing the selected infected goat file; where the step of automatically examining the at least one known environment comprises comparing the system state that results from the execution of the selected infected goat file with a system state that results from the execution of a non-infected version of the selected goat file.
18 . A method as in claim 17 , where if the step of infecting a plurality of goat files is unsuccessful, the step of executing the program executes the program and a generically repaired version of the program, and the step of automatically examining the at least one known environment comprises comparing the system state that results from the execution of the program with a system state that results from the execution of the generically repaired version of the program.
19 . A method as in claim 1 , where the step of automatically examining comprises comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a plurality of commonly used programs, and ignoring side effects that result normally from program execution.
20 . A method as in claim 1 , where the step of automatically examining comprises comparing a content of a registry after the program is executed at least once to a saved content of the registry that results from the execution of at least one of a known non-infected version of the program and a generically repaired version of the program, and identifying differences in the registry contents as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
21 . A method as in claim 1 , where the step of automatically examining comprises comparing system initialization files after the program is executed at least once to saved system initialization files that result from the execution of at least one of a known non-infected version of the program and a generically repaired version of the program, and identifying differences in the system initialization files as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
22 . A computer readable media product containing a set of computer executable software instructions for directing said computer to execute a process for determining a non-replicative behavior of a program suspected of containing an undesirable software entity, said process causing execution of the program in at least one known environment; for performing an automatic examination of the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program and, if a change is detected, said process further causing an automatic analysis of the detected change to determine whether the change resulted from execution of the program or from execution of the undesirable software entity and for recording a result of the analysis as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
23 . A computer system comprising means for determining a non-replicative behavior of a program suspected of containing an undesirable software entity, said computer system comprising execution means for executing the program in at least one known environment; said computer system further comprising means for performing an automatic examination of the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program and, responsive to a condition that a change is detected, for automatically analyzing the detected change to determine whether the change resulted from execution of the program or from execution of the undesirable software entity, said computer system further comprising means for recording a result of the analysis as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
24 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a current state of the environment after the program is executed at least once to a state of the environment before the program was executed.
25 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a known non-infected version of the program.
26 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a generically repaired version of the program.
27 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a current state of the environment after the program is executed at least once to a state of the environment resulting from execution of a program selected on the basis of its look and feel, as determined from operation of a graphical user interface of the program.
28 . A computer system as in claim 23 , further comprising means for infecting a plurality of goat files and for selecting an infected goat file deemed to most effective for soliciting side effects generations based on at least one criterion, where said execution means executes the selected infected goat file; where said means for automatically examining compares the system state that results from the execution of the selected infected goat file with a system state that results from the execution of a non-infected version of the selected goat file.
29 . A computer system as in claim 28 , where if at least one goat file in not infected, said executing means executes the program and a generically repaired version of the program, where said means for automatically examining compares the system state that results from the execution of the program with a system state that results from the execution of the generically repaired version of the program.
30 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a current state of the environment after the program is executed at least once to a state of the environment that results from the execution of a plurality of commonly used programs.
31 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing a content of a registry means after the program is executed at least once to a saved content of said registry means that results from the execution of at least one of a known non-infected version of the program and a generically repaired version of the program, said examining and analyzing means identifying differences in registry means contents as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
32 . A computer system as in claim 23 , where said examining means comprises comparison means for comparing system initialization files after the program is executed at least once to saved system initialization files that result from the execution of at least one of a known non-infected version of the program and a generically repaired version of the program, said examining and analyzing means identifying differences in the system initialization files as side effects that are used for at least one of undoing a detected change that results from execution of the undesirable software entity and informing a user of the side effects.
33 - 40 . (canceled)Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.