Title:
OBFUSCATED MALWARE DETECTION
Document Type and Number:
WIPO Patent Application WO/2011/084614
Kind Code:
A3
Abstract:
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware detection. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instructions subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction. Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.

Inventors:
MATHUR RACHIT (US)
COCHIN CEDRIC (US)
Application Number:
PCT/US2010/060798
Publication Date:
November 10, 2011
Filing Date:
December 16, 2010
Assignee:
MCAFEE INC (US)
MATHUR RACHIT (US)
COCHIN CEDRIC (US)
International Classes:
G06F21/20
Domestic Patent References:
WO2009014779A2 (2009-01-29)
Foreign References:
US20080127114A1 (2008-05-29)
US20060101047A1 (2006-05-11)
US7640583B1 (2009-12-29)
Other References:
See also references of EP 2513836A4
Attorney, Agent or Firm:
FRANZ, Paul E. (P.O. Box 1022, Minneapolis, Minnesota, US)