公开(公告)号：US20150379267A1

公开(公告)日：2015-12-31

申请号：US14318242

申请日：2014-06-27

申请人： Peter Szor ,  Rachit Mathur

发明人： Peter Szor ,  Rachit Mathur

IPC分类号： G06F21/56 ,  G06F21/55

CPC分类号： G06F21/566

摘要： Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.

摘要翻译： 在用于减轻恶意呼叫的示例实施例中提供了系统和方法。 该系统可被配置为接收功能调用，确定发起功能调用的存储器页面的位置，确定存储器页面是否与可信任的模块相关联，并且如果存储器页面与 可信模块 此外，如果返回地址不属于受信任的模块，系统可以确定函数调用的返回地址并阻止函数调用。 此外，系统可以确定函数调用的参数，确定参数是否是调用函数的进程使用的已知参数，如果参数不是调用该函数的进程使用的已知参数，则阻止函数调用 功能。

公开(公告)号：US08732296B1

公开(公告)日：2014-05-20

申请号：US12436723

申请日：2009-05-06

申请人： Vinoo Thomas ,  Nitin Jyoti ,  Cedric Cochin ,  Rachit Mathur

发明人： Vinoo Thomas ,  Nitin Jyoti ,  Cedric Cochin ,  Rachit Mathur

IPC分类号： G06F15/16 ,  H04L29/06

CPC分类号： H04L63/1491 ,  H04L51/04 ,  H04L51/12 ,  H04L63/0227 ,  H04L63/1441 ,  H04L2463/144

摘要： A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.

摘要翻译： 提供了一种系统，方法和计算机程序产品，用于重定向使用与端口无关的算法识别的互联网中继聊天（IRC）流量并控制基于IRC的恶意软件。 在使用中，通过网络传送的IRC流量通过端口独立算法来识别。 此外，IRC流量被重定向到蜜罐。

公开(公告)号：US20150180883A1

公开(公告)日：2015-06-25

申请号：US14126872

申请日：2013-10-22

申请人： Erdem Aktas ,  Rachit Mathur

发明人： Erdem Aktas ,  Rachit Mathur

IPC分类号： H04L29/06

CPC分类号： H04L63/145 ,  G06F9/46 ,  G06F17/30601 ,  G06F21/564 ,  H04L63/1408

摘要： A software sample is identified that includes code and a control flow graph is generated for each of a plurality of functions included in the sample. Features are identified in each of the functions that correspond to instances of a set of control flow fragment types. A feature set is generated for the sample from the identified features.

摘要翻译： 识别包括代码的软件样本，并且为样本中包括的多个功能中的每一个生成控制流程图。 在与一组控制流片段类型的实例相对应的每个功能中标识特征。 从标识的特征为样本生成一个特征集。

公开(公告)号：US20110283358A1

公开(公告)日：2011-11-17

申请号：US12781263

申请日：2010-05-17

申请人： Cedric Cochin ,  Rachit Mathur ,  Tracy E. Camp

发明人： Cedric Cochin ,  Rachit Mathur ,  Tracy E. Camp

IPC分类号： G06F21/00 ,  G06F11/00

CPC分类号： G06F21/56 ,  G06F21/554 ,  G06F2221/033

摘要： A method for detecting removal of a filter driver includes performing an operation on an element of a kernel mode of an operating system, the operation initiated by a user mode entity, obtaining the result of performing the operation, and comparing the result of performing the operation against an expected result of the operation. If the result of performing the operation matches the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system is working correctly. If the result of performing the operation does not match the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system has been compromised by malware.

摘要翻译： 用于检测去除过滤器驱动器的方法包括对操作系统的内核模式的元素执行操作，由用户模式实体发起的操作，获得执行操作的结果以及执行操作的结果 反对预期的操作结果。 如果执行操作的结果与操作的预期结果相符合，则确定操作系统的内核模式中的文件系统过滤驱动器正常工作。 如果执行操作的结果与操作的预期结果不符，则确定操作系统的内核模式中的文件系统过滤器驱动程序已被恶意软件破坏。

公开(公告)号：US20130247182A1

公开(公告)日：2013-09-19

申请号：US12427463

申请日：2009-04-21

申请人： Seagen James Levites ,  Rachit Mathur ,  Aditya Kapoor

发明人： Seagen James Levites ,  Rachit Mathur ,  Aditya Kapoor

IPC分类号： G06F21/00 ,  G06F17/30 ,  G06F15/177 ,  G06F12/14 ,  H04L29/06

CPC分类号： H04L63/1416 ,  G06F21/55 ,  G06F21/554 ,  G06F21/56

摘要： A system, method, and computer program product are provided for detecting hidden or modified data objects. In use, a first set of data objects stored in a device is enumerated, where the enumeration of the first set of data objects is performed within an operating system of the device. Additionally, a second set of data objects stored in the device is enumerated, where the enumeration of the second set of data objects is performed outside of the operating system of the device. Further, the first set of data objects and the second set of data objects are compared for identifying hidden or modified data objects.

摘要翻译： 提供了一种用于检测隐藏或修改的数据对象的系统，方法和计算机程序产品。 在使用中，枚举存储在设备中的第一组数据对象，其中在设备的操作系统内执行第一组数据对象的枚举。 此外，枚举存储在设备中的第二组数据对象，其中第二组数据对象的枚举在设备的操作系统之外执行。 此外，比较第一组数据对象和第二组数据对象以识别隐藏或修改的数据对象。

公开(公告)号：US08370941B1

公开(公告)日：2013-02-05

申请号：US12116063

申请日：2008-05-06

申请人： Khai N. Pham ,  Aditya Kapoor ,  Harinath V. Ramachetty ,  Rachit Mathur

发明人： Khai N. Pham ,  Aditya Kapoor ,  Harinath V. Ramachetty ,  Rachit Mathur

IPC分类号： G06F11/00

CPC分类号： G06F21/56

摘要： A rootkit scanning system, method, and computer program product are provided. In use, at least one hook is traversed. Further, code is identified based on the traversal of the at least one hook. In addition, the code is scanned for at least one rootkit.

摘要翻译： 提供了一个rootkit扫描系统，方法和计算机程序产品。 在使用中，至少有一个钩子被穿过。 此外，基于至少一个钩的遍历来识别代码。 此外，代码扫描至少一个rootkit。

公开(公告)号：US08176559B2

公开(公告)日：2012-05-08

申请号：US12639465

申请日：2009-12-16

申请人： Rachit Mathur ,  Cedric Cochin

发明人： Rachit Mathur ,  Cedric Cochin

IPC分类号： G06F11/28 ,  G06F11/30 ,  G08B23/00 ,  G06F12/14

CPC分类号： G06F21/52 ,  G06F21/577

摘要： Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.

摘要翻译： 方法，系统和装置，包括在计算机存储介质上编码的计算机程序，用于混淆的恶意软件。 一方面，一种方法包括从二进制可执行程序执行呼叫指令和跟随呼叫指令的目标之后的多个指令，确定由所述调用堆栈的堆栈指针识别的值是否等于存储在所述调用堆栈中的默认值 在仿真之前的呼叫堆栈，确定是否存在由执行呼叫指令和多个指令而产生的非混淆信号，并且如果由堆栈指针识别的值是默认值并且没有混淆信号， 将呼叫指令识别为可能的模糊化呼叫指令。 另外，该方法包括确定被识别为可能的模糊化呼叫指令的呼叫指令的数量是否超过阈值数，将二进制可执行文件识别为混淆的可执行文件。

公开(公告)号：US08499352B2

公开(公告)日：2013-07-30

申请号：US13440595

申请日：2012-04-05

申请人： Rachit Mathur ,  Cedric Cochin

发明人： Rachit Mathur ,  Cedric Cochin

IPC分类号： G06F11/28 ,  G06F11/30 ,  G08B23/00 ,  G06F12/14

CPC分类号： G06F21/52 ,  G06F21/577

摘要： Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the call instructions identified as possibly obfuscated call instructions exceeds a threshold; in response to the determination that the call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable.

摘要翻译： 方法，系统和装置，包括在计算机存储介质上编码的计算机程序，用于检测混淆的恶意软件。 一方面，一种方法包括识别二进制可执行文件中的调用指令; 执行呼叫指令; 执行所述呼叫指令的目标之后的指令; 确定由堆栈指针识别的地址不同于返回地址; 响应于地址不同的确定，确定是否存在非混淆信号; 如果存在非混淆信号，则将该呼叫指令识别为非混淆呼叫指令; 如果没有非混淆信号，则将该呼叫指令识别为可能的模糊化呼叫指令; 确定被识别为可能的模糊化呼叫指令的呼叫指令是否超过阈值; 响应于确定被识别为可能的模糊化呼叫指令的呼叫指令超过阈值，将可执行文件识别为混淆的可执行文件。

公开(公告)号：US20120198554A1

公开(公告)日：2012-08-02

申请号：US13440595

申请日：2012-04-05

申请人： Rachit Mathur ,  Cedric Cochin

发明人： Rachit Mathur ,  Cedric Cochin

IPC分类号： G06F21/00 ,  G06F11/28

CPC分类号： G06F21/52 ,  G06F21/577

摘要： Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the call instructions identified as possibly obfuscated call instructions exceeds a threshold; in response to the determination that the call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable.

摘要翻译： 方法，系统和装置，包括在计算机存储介质上编码的计算机程序，用于检测混淆的恶意软件。 一方面，一种方法包括识别二进制可执行文件中的调用指令; 执行呼叫指令; 执行所述呼叫指令的目标之后的指令; 确定由堆栈指针识别的地址不同于返回地址; 响应于地址不同的确定，确定是否存在非混淆信号; 如果存在非混淆信号，则将该呼叫指令识别为非混淆呼叫指令; 如果没有非混淆信号，则将该呼叫指令识别为可能的模糊化呼叫指令; 确定被识别为可能的模糊化呼叫指令的呼叫指令是否超过阈值; 响应于确定被识别为可能的模糊化呼叫指令的呼叫指令超过阈值，将可执行文件识别为混淆的可执行文件。

公开(公告)号：US20110145921A1

公开(公告)日：2011-06-16

申请号：US12639465

申请日：2009-12-16

申请人： Rachit Mathur ,  Cedric Cochin

发明人： Rachit Mathur ,  Cedric Cochin

IPC分类号： G06F11/00 ,  G06F21/00

CPC分类号： G06F21/52 ,  G06F21/577

摘要： Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.

摘要翻译： 方法，系统和装置，包括在计算机存储介质上编码的计算机程序，用于混淆的恶意软件。 一方面，一种方法包括从二进制可执行程序执行呼叫指令和跟随呼叫指令的目标之后的多个指令，确定由所述调用堆栈的堆栈指针识别的值是否等于存储在所述调用堆栈中的默认值 在仿真之前的呼叫堆栈，确定是否存在由执行呼叫指令和多个指令而产生的非混淆信号，并且如果由堆栈指针识别的值是默认值并且没有混淆信号， 将呼叫指令识别为可能的模糊化呼叫指令。 另外，该方法包括确定被识别为可能的模糊化呼叫指令的呼叫指令的数量是否超过阈值数，将二进制可执行文件识别为混淆的可执行文件。