Abstract: Techniques for performing static and dynamic analysis on a mobile device application are disclosed. Static analysis is performed on a mobile device application using a static analysis engine. A static analysis report is generated. Dynamic analysis of the application is performed using a dynamic analysis engine. The dynamic analysis performed is customized based on results of the static analysis. A determination of whether the application is malicious is made based at least on the dynamic analysis.

Abstract: Evaluating a potentially malicious sample using a copy-on-write overlay is disclosed. A first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. The first virtual machine image is started and a first sample is executed. A second virtual machine instance is initialized as a copy-on-write overlay associated with a second original virtual machine image. The second virtual machine image is started and a second sample is executed. The first and second samples are executed at an overlapping time.

Abstract: A computer-implemented method, the method includes identifying a piece of data to be served from a server system to a client device that is remote from the server system; creating a plurality of expressions that, when executed, provide a result that corresponds to the piece of data; and providing the plurality of expressions to the client device with code for executing the plurality of expressions.

Abstract: Methods and apparatus are described for automatically modifying web page code. Specific implementations relate to the modification of web page code for the purpose of combatting Man-in-the-Browser (MitB) attacks.

Abstract: Detecting malware is disclosed. A candidate malware application is caused to be executed using a virtual machine. Traffic analysis is performed on network traffic associated with the execution of the candidate malware application. A determination is made as to whether the candidate malware application is malicious or not, based at least in part on the traffic analysis and an application type associated with the candidate malware application.

Abstract: Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first domain using the malware association graph and passive DNS information; and determining whether the first domain is a malware domain based on the reputation score for the first domain.

Abstract: A computer-implemented method, the method includes identifying a piece of data to be served from a server system to a client device that is remote from the server system; creating a plurality of expressions that, when executed, provide a result that corresponds to the piece of data; and providing the plurality of expressions to the client device with code for executing the plurality of expressions.

Abstract: Techniques for malware detection using clustering with malware source information are disclosed. In some embodiments, malware detection using clustering with malware source information includes generating a first cluster of source information associated with a first malware sample, in which the first malware sample was determined to be malware, and the first malware sample was determined to be downloaded from a first source; and determining that a second source is associated with malware based on the first cluster.

Abstract: A computer-implemented method, the method includes identifying a piece of data to be served from a server system to a client device that is remote from the server system; creating a plurality of expressions that, when executed, provide a result that corresponds to the piece of data; and providing the plurality of expressions to the client device with code for executing the plurality of expressions.

Abstract: Techniques for performing static and dynamic analysis on a mobile device application are disclosed. Static analysis is performed on a mobile device application using a static analysis engine. A static analysis report is generated. Dynamic analysis of the application is performed using a dynamic analysis engine. The dynamic analysis performed is customized based on results of the static analysis. A determination of whether the application is malicious is made based at least on the dynamic analysis.

Abstract: Analysis of potentially malicious software samples in a virtualized environment is disclosed. One or more modifications are applied to a first virtual machine instance. The first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. Further, at least one modification includes the installation of startup instructions. The modified virtual machine instance is stared. A first set of modifications resulting from executing the first virtual machine instance is captured.

Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.

Abstract: A candidate malware that potentially includes at least one malicious element is received. The candidate malware is executed using a virtualized environment. A determination is made that the candidate malware, while executing using the virtualized environment, has taken at least one anti-virtual machine action, wherein the anti-virtual machine action is indicative of an attempt by the candidate malware to evade detection of the malicious element by the system when the candidate malware is executed using a virtualized environment. In response to the determination, an alert that the candidate malware is malicious is generated as output.

Abstract: Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first domain using the malware association graph and passive DNS information; and determining whether the first domain is a malware domain based on the reputation score for the first domain.

Abstract: Techniques for malware detection using clustering with malware source information are disclosed. In some embodiments, malware detection using clustering with malware source information includes generating a first cluster of source information associated with a first malware sample, in which the first malware sample was determined to be malware, and the first malware sample was determined to be downloaded from a first source; and determining that a second source is associated with malware based on the first cluster.

Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

Abstract: Analysis of potentially malicious software samples in a virtualized environment is disclosed. One or more modifications are applied to a first virtual machine instance. The first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. Further, at least one modification includes the installation of startup instructions. The modified virtual machine instance is stared. A first set of modifications resulting from executing the first virtual machine instance is captured.

Abstract: A computer-implemented method involves identifying an initial element for serving by a web server system to a client device and recoding the element by creating a plurality of different elements that each represent a portion of the initial element. The different elements are then served in place of the initial element. A response is received form the client device and has portions that correspond to the different elements, and a combined response is created by combining the received portions in a manner that corresponds to a manner in which the initial element was recoded to create the plurality of different elements.

Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.

Abstract: A computer-implemented method includes identifying, in web code to be served to a client, presence of code for generating a form; generating additional, executable code to be run on the client device, the additional, executable code being arranged to identify user input on the client device and modify the form so that data from the user input is received into one or more alternative fields of the form other than a first field to which a user performing the input directed the input; receiving a request from the client device based on completion of input into the form; and converting data from the received request so that data for the one or more alternative fields of the form is directed to the first field of the form for processing by a web server system that initially generated the web code.