
Systems and methods for using reputation data to detect shared-object-based security threats PDF

19 Pages·2013·1.77 MB·English


United States Patent US 8,225,406 B1
Nachenberg
Date of Patent: Jul. 17, 2012

SYSTEMS AND METHODS FOR USING REPUTATION DATA TO DETECT SHARED-OBJECT-BASED SECURITY THREATS

Inventor: Carey S. Nachenberg, Manhattan Beach, CA (US)
Assignee: Symantec Corporation, Mountain View, CA (US)
Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 557 days.
Appl. No.: 12/415,834
Filed: Mar. 31, 2009
Int. Cl.: G06F 11/00 (2006.01)
U.S. Cl.: 726/24; 726/22; 726/23; 726/25
Field of Classification Search: 726/24, 726/22, 23, 25; 713/188. See application file for complete search history.
Primary Examiner: Samson Lemma
Attorney, Agent, or Firm: Advantedge Law Group
20 Claims, 7 Drawing Sheets

ABSTRACT

Computer-implemented methods and systems for using reputation data to detect shared-object-based security threats are disclosed. In one example, an exemplary method for performing such a task may comprise: 1) identifying a process, 2) identifying an executable file associated with the process, 3) identifying at least one shared object loaded by the process, 4) obtaining reputation data for both the executable file and the shared object from a reputation service, 5) determining that the shared object represents a potential security risk by comparing the reputation data for the executable file with the reputation data for the shared object and determining that the reputation data for the shared object is significantly different from the reputation data for the executable file, and then 6) performing a security operation on the shared object. Corresponding server-side methods and systems for identifying malicious shared objects based on reputation data are also disclosed.

FIG. 1 (Sheet 1 of 7): block diagram of the exemplary system, comprising Modules (Process-Identification Module, Reputation-Data Module, Security Module) and Databases (Process-Metadata Database, Reputation-Data Database).

FIG. 3 (Sheet 3 of 7): flow diagram of the exemplary client-side method. Start; identify a process; identify an executable file associated with the process; identify at least one shared object loaded by the process; obtain reputation data for both the process and the shared object; determine that the shared object represents a potential security risk by determining that the reputation data for the executable file and the shared object are significantly different; perform a security operation on the shared object; End.

FIG. 5 (Sheet 5 of 7): flow diagram of the exemplary backend method. Start; receive process metadata from a plurality of user devices within a community, the process metadata identifying an executable file and a shared object associated with a process; access reputation data for both the executable file and the shared object; determine that the shared object represents a potential security risk by determining that the reputation data for the executable file and the shared object are significantly different; End.

SYSTEMS AND METHODS FOR USING REPUTATION DATA TO DETECT SHARED-OBJECT-BASED SECURITY THREATS

BACKGROUND

Computer-security researchers have estimated that up to 50% of computer-security threats have some form of shared-object-based component. These threats typically "inject" malicious shared objects (e.g., DLLs) into otherwise legitimate processes. The malicious code contained within the injected shared object may then perform malicious actions under the cover of an otherwise legitimate process.

For example, a malware developer may register a malicious DLL (by, for example, tricking a user into running a malicious executable file or by exploiting a buffer overflow in a legitimate application) for loading by an otherwise legitimate application, such as MICROSOFT WORD for WINDOWS. In this example, when MICROSOFT WORD loads, the malicious DLL will also load and launch, potentially scheduling background threats that launch attacks directly from the process space associated with MICROSOFT WORD.

Because the code contained within malicious DLLs may run under the cover of an otherwise legitimate process, it is sometimes difficult to detect and eliminate malicious DLLs without also harming their legitimate host process. As such, the instant disclosure identifies a need for systems and methods for detecting and eliminating shared-object-based security threats.

SUMMARY

Various client-side and backend systems and methods for using reputation data to detect shared-object-based security threats are disclosed herein. As will be described in greater detail below, an exemplary client-side method for performing such a task may comprise: 1) identifying a process (e.g., at loadtime or runtime), 2) identifying a primary executable file that is associated with the process, 3) identifying each shared object (e.g., DLL) that is loaded by the process, 4) obtaining reputation and/or prevalence information for both the executable file and each of the shared objects from a reputation service (based on, for example, hashes of the executable file and the shared objects), and then 5) comparing the reputation/prevalence information for both the executable file and each of the shared objects.

If the reputation/prevalence information for at least one of the shared objects is significantly lower than that of either the executable file or the majority of the remaining shared objects (e.g., if a shared object has a significantly lower reputation score and/or is much less prevalent than either the executable file or a majority of the remaining shared objects loaded by the process), then the client-side system may determine that this shared object represents a potential security risk. In this example, the client-side system may perform a security operation on the identified shared object by, for example, quarantining or removing the shared object, preventing the shared object from loading, flagging the shared object for further evaluation, and/or removing references to the shared object (e.g., load points for the shared object stored in a computing device's registry) from the computing device.

In some examples, the client-side system may also correlate mismatches in reputation/prevalence information with mismatches in file metadata associated with the executable file and/or shared objects. For example, the client-side system may compare publisher information, publication-date information, and/or digital-signer information for both the executable file and each of the shared objects to determine whether there are any significant differences. In some examples, upon comparing either reputation/prevalence information and/or file metadata, the client-side system may send the results of such comparisons to the reputation service.

As detailed above, exemplary backend methods for using reputation data to identify shared objects that pose potential security threats are also disclosed. A backend implementation of such a method may comprise: 1) receiving process metadata (i.e., information that identifies, for a process, an executable file associated with the process and each of the shared objects loaded by the process) from a plurality of user devices within a community, 2) accessing reputation/prevalence information for both the executable file and each of the shared objects, and then 3) comparing the reputation/prevalence information for both the executable file and each of the shared objects to identify shared objects that represent potential security threats, as detailed above.

In some examples, the backend system may be able to determine, by analyzing the process metadata received from the plurality (and potentially millions) of user devices within the community, that the shared object is rarely loaded by the process, rarely associated with shared objects that are commonly loaded by the process, frequently loaded by compromised user devices, and/or frequently loaded by processes with low reputation scores. The backend system may also update an existing reputation score for the shared object based on any of these findings.

Features from any of the above-mentioned embodiments may be used in combination with one another in accordance with the general principles described herein. These and other embodiments, features, and advantages will be more fully understood upon reading the following detailed description in conjunction with the accompanying drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings illustrate a number of exemplary embodiments and are a part of the specification. Together with the following description, these drawings demonstrate and explain various principles of the instant disclosure.

FIG. 1 is a block diagram of an exemplary system for using reputation data to detect shared-object-based security threats.
FIG. 2 is a block diagram of an exemplary system for using reputation data to detect shared-object-based security threats.
FIG. 3 is a flow diagram of an exemplary method for using reputation data to detect shared-object-based security threats.
FIG. 4 is an exemplary illustration of reputation data received from a reputation service for both an executable file and a plurality of shared objects.
FIG. 5 is a flow diagram of an exemplary method for using reputation data to identify shared objects that pose potential security threats.
FIG. 6 is a block diagram of an exemplary computing system capable of implementing one or more of the embodiments described and/or illustrated herein.
FIG. 7 is a block diagram of an exemplary computing network capable of implementing one or more of the embodiments described and/or illustrated herein.

Throughout the drawings, identical reference characters and descriptions indicate similar, but not necessarily identical, elements. While the exemplary embodiments described herein are susceptible to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and will be described in detail
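The client-side comparison (flag a shared object whose reputation or prevalence is significantly lower than the executable's or the majority of its fellow shared objects) and the backend community check (how rarely a shared object is loaded by a given process across many devices) are worked through below. This is an added illustration, not code from the patent or from Symantec; the reputation records, hashes, thresholds (a 40-point reputation gap, a 1% prevalence ratio) and the median as the "majority" baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed reputation-service records keyed by file hash (all values hypothetical):
# reputation is a 0-100 score, prevalence is how many community machines reported the file.
REPUTATION_DB = {
    "hash-winword":  {"reputation": 95, "prevalence": 2_000_000},
    "hash-kernel32": {"reputation": 99, "prevalence": 5_000_000},
    "hash-mso":      {"reputation": 93, "prevalence": 1_800_000},
    "hash-riched20": {"reputation": 90, "prevalence": 1_500_000},
    "hash-injected": {"reputation": 12, "prevalence": 40},
}

@dataclass
class ProcessMetadata:
    executable: str       # hash of the primary executable file
    shared_objects: list  # hashes of the shared objects (DLLs) the process loaded

def lookup(file_hash):
    # Files the service has never seen get the lowest reputation and zero prevalence.
    return REPUTATION_DB.get(file_hash, {"reputation": 0, "prevalence": 0})

def flag_suspicious_shared_objects(proc, rep_gap=40, prev_ratio=0.01):
    """Client side: return shared objects whose reputation or prevalence is significantly
    lower than either the executable's or the majority (median) of the other shared objects."""
    exe = lookup(proc.executable)
    flagged = []
    for so in proc.shared_objects:
        rep = lookup(so)
        others = [lookup(o) for o in proc.shared_objects if o != so] or [exe]
        base_rep = median([o["reputation"] for o in others])
        base_prev = median([o["prevalence"] for o in others])
        rep_low = rep["reputation"] <= max(exe["reputation"], base_rep) - rep_gap
        prev_low = rep["prevalence"] <= max(exe["prevalence"], base_prev) * prev_ratio
        if rep_low or prev_low:
            flagged.append(so)
    return flagged

def community_load_rate(reports, executable, shared_object):
    """Backend: fraction of community reports for `executable` that also loaded `shared_object`;
    a rate near zero means the shared object is rarely loaded by that process."""
    relevant = [r for r in reports if r.executable == executable]
    if not relevant:
        return 0.0
    return sum(shared_object in r.shared_objects for r in relevant) / len(relevant)

# Constructed sample: nine clean machines and one that also loaded a low-reputation DLL.
CLEAN = ["hash-kernel32", "hash-mso", "hash-riched20"]
SAMPLE_REPORTS = [ProcessMetadata("hash-winword", CLEAN) for _ in range(9)]
SAMPLE_REPORTS.append(ProcessMetadata("hash-winword", CLEAN + ["hash-injected"]))
```

On the constructed sample the client flags only `hash-injected`, and the backend sees it in 10% of the community's reports for that executable while the clean DLLs appear in 100%.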

