Patents Assigned to FireEye, Inc.
  • Patent number: 9495180
    Abstract: According to one embodiment, a computerized method comprises operations of instantiating a first virtual machine instance and a second virtual machine instance to run concurrently with the first virtual machine instance. The first virtual machine instance provides a first virtual operating environment while the second virtual machine instance is adapted to share the resources allocated to the first virtual machine instance. The second virtual machine instance is further adapted to allocate additional resources upon conducting a Copy-On-Write operation.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: November 15, 2016
    Assignee: FireEye, Inc.
    Inventor: Osman Abdoul Ismael
  • Patent number: 9483644
    Abstract: According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received object and monitors the processing during the dynamic analysis for a change to a file system within the virtual machine wherein the change involves a lure file placed in the file system. The file system is configured based on a received configuration file. Upon detection of a change in the file system associated with a lure file, the changes associated with the lure file during processing are compared to known file activity patterns of changes caused by file altering malware to determine whether the object includes file altering malware.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 1, 2016
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashisht, Raymond Yang, Yasir Khalid
  • Publication number: 20160301703
    Abstract: A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
    Type: Application
    Filed: April 4, 2016
    Publication date: October 13, 2016
    Applicant: FireEye, Inc.
    Inventor: Ashar Aziz
  • Patent number: 9467460
    Abstract: A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include a plurality of data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of a state machine, wherein each stage includes a state sub-block, a state co-table and a state transition queue. The modularized architecture may further organize the database such that each stage corresponds to an action, i.e., module, of the state machine on the object.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: October 11, 2016
    Assignee: FireEye, Inc.
    Inventors: Alexander Otvagin, Vineet Kumar, Arsen Movsesyan
  • Patent number: 9459901
    Abstract: A system and method operable to programmatically perform runtime de-obfuscation of obfuscated software via virtual machine introspection and manipulation of virtual machine guest memory permissions.
    Type: Grant
    Filed: May 13, 2013
    Date of Patent: October 4, 2016
    Assignee: FireEye, Inc.
    Inventors: Robert Jung, Antony Saba
  • Publication number: 20160285914
    Abstract: According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines is configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious” or “malicious.”
    Type: Application
    Filed: June 15, 2015
    Publication date: September 29, 2016
    Applicant: FireEye, Inc.
    Inventors: Japneet Singh, Harinath Ramchetty, Anil Gupta
  • Publication number: 20160261612
    Abstract: A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported.
    Type: Application
    Filed: March 21, 2016
    Publication date: September 8, 2016
    Applicant: FireEye, Inc.
    Inventors: Ali Mesdaq, Paul L. Westin, III
  • Patent number: 9438622
    Abstract: Systems and methods for analyzing malicious PDF network content are provided herein. According to some embodiments, a PDF parser examines a body portion of a PDF document received over a network and intended for a digital device and determines if one or more suspicious characteristics indicative of malicious network content are included in the examined body portion of the PDF document. The examined body portion of the PDF document is lesser in size than an entirety of the body portion of the PDF document. When the portion of the body section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, the PDF document is provided to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the portion of the body section of the PDF document.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: September 6, 2016
    Assignee: FireEye, Inc.
    Inventors: Stuart Gresley Staniford, Ashar Aziz
  • Patent number: 9438613
    Abstract: According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received document object and monitors the processing during the dynamic analysis. The dynamic analysis includes a detection of embedded objects and may automatically process the embedded objects, while maintaining a context of the embedding, within the virtual machine processing the document object. The virtual machine may monitor the processing of both the document object and the embedded object. The results of the processing may be analyzed to determine whether the document object includes malware and/or a threat level of the document object.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: September 6, 2016
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashisht
  • Patent number: 9438623
    Abstract: According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically detect potential shellcode at a first storage location within a region of memory allocated for an application, conduct a first search at one or more storage locations prior to the first storage location within the region of allocated memory for at least one or more patterns, conduct a second search at one or more storage locations subsequent to the first storage location within the region of allocated memory for at least one or more patterns, detect a first pattern at one or more storage locations prior to the first storage location within the region of allocated memory, and detect a second pattern at one or more storage locations subsequent to the first storage location within the region of allocated memory, wherein at least one of the first pattern or the second pattern is absent from a predefined list of patterns.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: September 6, 2016
    Assignee: FireEye, Inc.
    Inventors: Emmanuel Thioux, Sai Vashisht, Michael Vincent
  • Patent number: 9432389
    Abstract: In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are associated with a malicious attack, such as being indicative of an exploit. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: August 30, 2016
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Shivani Deshpande, Muhammad Amin
  • Patent number: 9430646
    Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures and deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis), determines using a heuristics analysis whether the signatures correspond to callbacks, and generally coordinates among the local analyzers.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 30, 2016
    Assignee: FireEye, Inc.
    Inventors: Atif Mushtaq, Todd Rosenberry, Ashar Aziz, Ali Islam
  • Patent number: 9426071
    Abstract: A processing technique provides an improved indexing arrangement that enables storage, filtering and querying of metadata used to retrieve packets captured from a network and persistently stored in a data repository. A packet capture engine records the packets in packet capture (PCAP) formats from a network link at a substantially high packet transfer rate to persistent storage of the data repository in a sustained manner. Efficient filtering and querying of the metadata to retrieve the stored packets may be achieved, in part, by organizing the metadata as one or more metadata repositories. The processing technique uses the Berkeley Packet Filter (BPF) language as an interface of a BPF engine to search or index the stored packets in response to queries. The BPF engine processes BPF expressions used as precursors to the indexing arrangement to enable access to the repositories when searching and locating stored packets matching the expressions.
    Type: Grant
    Filed: August 19, 2014
    Date of Patent: August 23, 2016
    Assignee: FireEye, Inc.
    Inventors: Randy I. Caldejon, Dennis Lee Edwards, Christopher Hayes Fauerbach
  • Patent number: 9413781
    Abstract: A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. The system and method are a departure from and an improvement over conventional systems in that, among other things, the system and method allow an investigator to determine whether a threat has persisted or executed, and allow that information to be communicated back to the detection mechanism (or other system) such that a user (or machine) may make a decision to take further action such as to contain the threat quickly and/or permit the system to do so automatically.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: August 9, 2016
    Assignee: FireEye, Inc.
    Inventors: Sean Cunningham, Robert Dana, Joseph Nardone, Joseph Faber, Kevin Arunski
  • Patent number: 9398028
    Abstract: In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: July 19, 2016
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9367681
    Abstract: A method is described that involves receiving an application and generating a representation of the application that describes states of the application and transitions between the states. The method further includes referring to one or more rules and/or information from an inference engine that is observing the application's run time behavior to identify a region of interest within the application and reaching the region of interest by performing the following: identifying a path from the application's present state to the region of interest; representing states of the application along the path as logic expressions; solving the expressions to generate solutions to the expressions; causing stimuli to be provided to the application, where the stimuli correspond to the solutions.
    Type: Grant
    Filed: February 23, 2013
    Date of Patent: June 14, 2016
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Dawn Song, Hui Xue
  • Patent number: 9363280
    Abstract: According to one embodiment, a computerized method comprises receiving a set of indicators of compromise (IOCs) associated with a known malware of a first message type from a first source and receiving one or more IOCs (IOC(s)) from a second source that is different from the first source. Thereafter, a determination is made as to whether the received IOC(s) from the second source correspond to the set of IOCs received from the first source. If so, information associated with at least the set of IOCs is used to locate a malware of the first message type that is undetected at the second source.
    Type: Grant
    Filed: August 22, 2014
    Date of Patent: June 7, 2016
    Assignee: FireEye, Inc.
    Inventors: Alexandr Rivlin, Divyesh Mehra, Henry Uyeno, Vinay Pidathala
  • Patent number: 9355247
    Abstract: Techniques for malicious content detection using memory dump are described herein. According to one embodiment, a monitoring module is configured to monitor activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of one or more predetermined events triggered by the malicious content suspect, a memory dump module is configured to generate a memory dump of the malicious content suspect. An analysis module is configured to analyze the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: May 31, 2016
    Assignee: FireEye, Inc.
    Inventors: Emmanuel Thioux, Muhammad Amin, Osman Ismael
  • Patent number: 9356944
    Abstract: The system comprises a traffic analysis device in communication with a network device. The traffic analysis device can analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when the network communications are determined through heuristic analysis to satisfy a heuristic threshold.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: May 31, 2016
    Assignee: FireEye, Inc.
    Inventor: Ashar Aziz
  • Publication number: 20160127393
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the computing device intended to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Application
    Filed: June 22, 2015
    Publication date: May 5, 2016
    Applicant: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford