The present disclosure relates to a system and method for detecting the execution of malicious instructions injected into the memory of a computing device.
As computing devices become increasingly complex, viruses and malware also are becoming increasingly complex and difficult to detect and prevent. While the prior art includes many approaches for scanning non-volatile storage such as a hard disk drive for such threats, the prior art includes few satisfactory solutions for detecting malicious code loaded into memory or the processor itself.
In
While prior art techniques are well-suited for detecting known malicious programs stored in storage device 130, there is no satisfactory technique for detecting malicious instructions that have been injected into memory 120 but not stored in storage device 130.
What is needed is a mechanism for detecting malicious instructions that have been injected into processor 110 or memory 120 but not stored in storage device 130 and generating an alert upon such detection and/or suspending execution of the malicious instructions.
In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.
Additional aspects of prior art systems will now be described. In
In this simplified example, call stack 312 comprises variables 331, 332, and 335 and parameter 333, which were placed in call stack 312 by thread 302. Return address 334 also was placed on call stack 312 by thread 302. Return address 334 is the address corresponding to the instruction in thread 302 that placed stack frame 341 in call stack 312. A stack frame is a collection of data placed in a call stack as part of a procedure. Here, stack frame 341 comprises variables 331 and 332, parameter 333, and return address 334.
Operating system 140 further comprises application programming interface (API) module 320, which is a mechanism by which threads can invoke APIs specific to operating system 140.
With reference now to
The embodiments detect malicious code based on three characteristics that typically are present in malicious code. First, malicious code usually owns a thread of execution. Second, this thread of execution originates or operates from code that is not backed by a file on disk. Third, the thread of execution must call the operating system API module 320 directly in order for the malicious code to have any appreciable effect on the system. That is, in order for the malicious code to inflict harm, it inevitably must call operating system API module 320 directly. Although there are some exceptions, these three features generally are not found together in benign applications or in operating system 140 itself.
Malicious code detection module 510 first enumerates the call stacks of each thread of execution. In one embodiment, malicious code detection module 510 assigns a unique identifier to each call stack. Once enumerated, each call stack is analyzed to determine if it is malicious in nature.
In the simplified example of
Malicious code detection module 510 continues down call stack 312 and determines the originating module for each stack frame in the reverse order in which the stack frames were added to call stack 312. Here, stack frames 502 and 501 are shown. Malicious code detection module 510 determines the return address for stack frames 502 and 501, which here are return addresses 512 and 511, and determines the procedure within thread 302 associated with each return address. Malicious code detection module 510 then consults attribute information 410 to determine whether the code in which that procedure is contained is backed by a file in storage device 130. If it is (as would be the case if the procedure is part of application program 412), then the procedure and the thread containing it are deemed non-malicious. If it is not (as would be the case if the procedure is part of program 413), then the procedure and the thread containing it are deemed potentially malicious.
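As an added illustration, not code from the patent or its assignee, the following simplified model shows the stack walk described above: every frame's return address is attributed to the memory region it falls in, and a thread is flagged when any frame originates from a region with no backing file. The memory map, thread ids, return addresses and paths are constructed sample data, and `Region`, `originating_module`, `analyze_call_stack` and `scan_threads` are names chosen for this example; on a real system the regions and return addresses would come from the operating system's memory-map and stack-walking interfaces.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Region:
    """One mapped region of process memory; backing_path is None when the
    region is anonymous memory with no image on disk behind it."""
    start: int
    end: int            # exclusive
    backing_path: Optional[str]

def originating_module(regions: List[Region], return_address: int) -> Optional[str]:
    """Map a stack frame's return address to the file backing its module.
    Returns the path, or None when the frame originates from unbacked memory.
    An address in no mapped region is also treated as unbacked; that is an
    assumption of this example, not a rule stated in the patent."""
    for r in regions:
        if r.start <= return_address < r.end:
            return r.backing_path
    return None

def analyze_call_stack(regions: List[Region], return_addresses: List[int]) -> dict:
    """Walk one thread's frames, most recent first, attributing each to its
    originating module; the thread is potentially malicious if any frame is
    not backed by a file on disk."""
    frames = [(ra, originating_module(regions, ra)) for ra in return_addresses]
    unbacked = [ra for ra, path in frames if path is None]
    return {"frames": frames, "unbacked_frames": unbacked, "malicious": bool(unbacked)}

def scan_threads(regions: List[Region], threads: Dict[int, List[int]]) -> Dict[int, dict]:
    """Enumerate every thread's call stack and return only the flagged ones,
    keyed by thread id, so a caller can suspend them and raise an alert."""
    results = {tid: analyze_call_stack(regions, stack) for tid, stack in threads.items()}
    return {tid: v for tid, v in results.items() if v["malicious"]}

# Constructed sample memory map and call stacks (not real process data).
SAMPLE_REGIONS = [
    Region(0x00400000, 0x00450000, r"C:\app\app.exe"),
    Region(0x77000000, 0x77100000, r"C:\Windows\System32\ntdll.dll"),
    Region(0x7FF00000, 0x7FF10000, None),   # private executable memory, no file behind it
]
SAMPLE_THREADS = {
    1: [0x77001234, 0x00401000, 0x00400800],  # API frame, then app frames: all file-backed
    2: [0x77001234, 0x7FF00420, 0x00401000],  # API frame reached from an unbacked region
}

if __name__ == "__main__":
    for tid, verdict in scan_threads(SAMPLE_REGIONS, SAMPLE_THREADS).items():
        print(f"thread {tid}: potentially malicious, unbacked frames "
              f"{[hex(a) for a in verdict['unbacked_frames']]}")
```

A real detector would additionally check, per the patent's third characteristic, that the unbacked frame sits beneath a frame in the operating system API module, which this model does not enforce.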
With reference to
If suspended, thread 302 will not resume execution unless and until a user or administrator expressly instructs computing device 500 to proceed with execution of thread 302.
Alert 610 can take any variety of forms. Alert 610 can be a message displayed on a display operated by a user or administrator. Alert 610 also might be an email, SMS message, MMS message, or other message sent to a device operated by a user or administrator. Alert 610 also might be an audible sound generated by computing device 500.
With reference again to
The foregoing merely illustrates the principles of the disclosure. Various modifications and alterations to the described embodiments will be apparent to those skilled in the art in view of the teachings herein. It will thus be appreciated that those skilled in the art will be able to devise numerous systems, arrangements, and procedures which, although not explicitly shown or described herein, embody the principles of the disclosure and can be thus within the spirit and scope of the disclosure. Various different exemplary embodiments can be used together with one another, as well as interchangeably therewith, as should be understood by those having ordinary skill in the art. In addition, certain terms used in the present disclosure, including the specification, drawings and claims thereof, can be used synonymously in certain instances, including, but not limited to, for example, data and information. It should be understood that, while these words, and/or other words that can be synonymous to one another, can be used synonymously herein, that there can be instances when such words can be intended to not be used synonymously. Further, to the extent that the prior art knowledge has not been explicitly incorporated by reference herein above, it is explicitly incorporated herein in its entirety. All publications referenced are incorporated herein by reference in their entireties.
This patent application is a continuation of, and claims priority benefit of, U.S. patent application Ser. No. 15/648,972, filed Jul. 13, 2017, entitled “System and Method for Detecting Malware Injected Into Memory of a Computing Device,” which is hereby incorporated by reference herein in its entirety including all references and appendices cited therein.
Number | Name | Date | Kind |
---|---|---|---|
5481684 | Richter et al. | Jan 1996 | A |
7085928 | Schmid et al. | Aug 2006 | B1 |
7640589 | Mashevsky et al. | Dec 2009 | B1 |
8555385 | Bhatkar et al. | Oct 2013 | B1 |
8555386 | Belov | Oct 2013 | B1 |
9055093 | Borders | Jun 2015 | B2 |
9292689 | Chuo | Mar 2016 | B1 |
9356944 | Aziz | May 2016 | B1 |
9407648 | Pavlyushchik et al. | Aug 2016 | B1 |
9509697 | Salehpour | Nov 2016 | B1 |
9690606 | Ha et al. | Jun 2017 | B1 |
9892253 | Mehr | Feb 2018 | B1 |
10045218 | Stapleton | Aug 2018 | B1 |
10397255 | Bhalotra et al. | Aug 2019 | B1 |
11120106 | Spisak | Sep 2021 | B2 |
11151247 | Desimone | Oct 2021 | B2 |
11151251 | Desimone | Oct 2021 | B2 |
20030200464 | Kidron | Oct 2003 | A1 |
20040199763 | Freund | Oct 2004 | A1 |
20050102601 | Wells | May 2005 | A1 |
20050160313 | Wu | Jul 2005 | A1 |
20050228836 | Bacastow | Oct 2005 | A1 |
20060026569 | Oerting et al. | Feb 2006 | A1 |
20060143707 | Song et al. | Jun 2006 | A1 |
20070180509 | Swartz et al. | Aug 2007 | A1 |
20080034429 | Schneider | Feb 2008 | A1 |
20080052468 | Speirs et al. | Feb 2008 | A1 |
20080127292 | Cooper et al. | May 2008 | A1 |
20080201778 | Guo | Aug 2008 | A1 |
20090049550 | Shevchenko | Feb 2009 | A1 |
20090077664 | Hsu et al. | Mar 2009 | A1 |
20090187396 | Kinno et al. | Jul 2009 | A1 |
20090222923 | Dixon | Sep 2009 | A1 |
20100100774 | Ding et al. | Apr 2010 | A1 |
20100293615 | Ye | Nov 2010 | A1 |
20110023019 | Aniszczyk | Jan 2011 | A1 |
20110167434 | Gaist | Jul 2011 | A1 |
20110271343 | Kim et al. | Nov 2011 | A1 |
20120054299 | Buck | Mar 2012 | A1 |
20120054721 | Dadiomov | Mar 2012 | A1 |
20120159625 | Jeong | Jun 2012 | A1 |
20120210305 | Bates | Aug 2012 | A1 |
20120246204 | Nalla et al. | Sep 2012 | A1 |
20130283030 | Drew | Oct 2013 | A1 |
20130332932 | Teruya et al. | Dec 2013 | A1 |
20130347111 | Karta et al. | Dec 2013 | A1 |
20140032915 | Muzammil et al. | Jan 2014 | A1 |
20140137184 | Russello et al. | May 2014 | A1 |
20140310714 | Chan et al. | Oct 2014 | A1 |
20140380477 | Li | Dec 2014 | A1 |
20150020198 | Mirski et al. | Jan 2015 | A1 |
20150150130 | Fiala et al. | Oct 2015 | A1 |
20150264077 | Berger et al. | Oct 2015 | A1 |
20150278513 | Krasin et al. | Oct 2015 | A1 |
20150295945 | Canzanese | Oct 2015 | A1 |
20150339480 | Lutas et al. | Nov 2015 | A1 |
20160149947 | Bronshtein | May 2016 | A1 |
20160180089 | Dalcher | Jun 2016 | A1 |
20160232347 | Badishi | Aug 2016 | A1 |
20160275289 | Sethumadhavan et al. | Sep 2016 | A1 |
20160328560 | Momot | Nov 2016 | A1 |
20160357958 | Guidry | Dec 2016 | A1 |
20160364236 | Moudgill et al. | Dec 2016 | A1 |
20170004309 | Pavlyushchik et al. | Jan 2017 | A1 |
20170126704 | Nandha Premnath et al. | May 2017 | A1 |
20180032728 | Spisak | Feb 2018 | A1 |
20180307840 | David et al. | Oct 2018 | A1 |
20190018958 | Desimone | Jan 2019 | A1 |
20190018962 | Desimone | Jan 2019 | A1 |
Number | Date | Country |
---|---|---|
2784716 | Oct 2014 | EP |
3652639 | May 2020 | EP |
3652667 | May 2020 | EP |
WO2018026658 | Feb 2018 | WO |
WO2019014529 | Jan 2019 | WO |
WO2019014546 | Jan 2019 | WO |
Entry |
---|
“International Search Report” and “Written Opinion of the International Searching Authority,” Patent Cooperation Treaty Application No. PCT/US2018/042005, Oct. 1, 2018, 7 pages. |
“International Search Report” and “Written Opinion of the International Searching Authority,” Patent Cooperation Treaty Application No. PCT/US2018/041976, Sep. 28, 2018, 5 pages. |
“International Search Report” and “Written Opinion of the International Searching Authority,” Patent Cooperation Treaty Application No. PCT/US2017/044478, Oct. 10, 2017, 7 pages. |
Canzanese et al., “System Call-Based Detection of Malicious Processes”, 2015 IEEE International Conference on Software Quality, Reliability and Security, Aug. 3-5, 2015, IEEE, 6 pages. |
“Extended European Search Report”, European Patent Application No. 18831224.3, Mar. 29, 2021, 8 pages. |
“Extended European Search Report”, European Patent Application No. 18832453.7, Mar. 18, 2021, 9 pages. |
Number | Date | Country | |
---|---|---|---|
20210342445 A1 | Nov 2021 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 15648972 | Jul 2017 | US |
Child | 17373001 | | US |