Patents Assigned to LEVIATHAN, INC.
  • Patent number: 10229268
    Abstract: System, method and media are shown for detecting potentially malicious code by iteratively emulating potentially malicious code, that involve, for each offset of a memory image, emulating execution of an instruction at the offset on a first platform and, if execution fails, determining whether the instruction at the offset has relevance to at least a second platform and, if so, emulating execution of the instruction at the offset on the second platform. If execution succeeds, it involves checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Refinements involve applying this process to also determine aspects of information related to the target of any discovered code, malicious or otherwise.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: March 12, 2019
    Assignee: LEVIATHAN, INC.
    Inventor: Falcon Momot
  • Patent number: 9881155
    Abstract: Systems, methods and media are shown for automatically detecting a use-after-free exploit based attack that involve receiving crash dump data relating to a fault event, determining whether the fault event instruction is a call type instruction and, if so, identifying a UAF attack by checking whether it includes a base address in a first register that stores a pointer to free memory and, if so, generating a UAF alert. In some examples, generating a use-after-free alert includes automatically sending a message that indicates a UAF attack or automatically triggering a system defense to the UAF attack. Some examples may include, for a call type faulting instruction, identifying a UAF attack, checking whether a base address in the first register includes a pointer in a second register to a free memory location associated with the base address.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: January 30, 2018
    Assignee: Leviathan, Inc.
    Inventor: Darren Kemp
  • Patent number: 9881153
    Abstract: Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.
    Type: Grant
    Filed: June 19, 2015
    Date of Patent: January 30, 2018
    Assignee: Leviathan, Inc.
    Inventor: Falcon Momot
  • Publication number: 20160328560
    Abstract: Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if the proportion of the executable offsets that share a common value for the final execution address exceeds a frequency threshold.
    Type: Application
    Filed: May 5, 2016
    Publication date: November 10, 2016
    Applicant: Leviathan, Inc.
    Inventor: Falcon Momot
  • Publication number: 20160283716
    Abstract: System, method and media are shown for detecting potentially malicious code by iteratively emulating potentially malicious code, that involve, for each offset of a memory image, emulating execution of an instruction at the offset on a first platform and, if execution fails, determining whether the instruction at the offset has relevance to at least a second platform and, if so, emulating execution of the instruction at the offset on the second platform. If execution succeeds, it involves checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Refinements involve applying this process to also determine aspects of information related to the target of any discovered code, malicious or otherwise.
    Type: Application
    Filed: March 28, 2016
    Publication date: September 29, 2016
    Applicant: Leviathan, Inc.
    Inventor: Falcon Momot
  • Publication number: 20160196368
    Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.
    Type: Application
    Filed: July 20, 2015
    Publication date: July 7, 2016
    Applicant: Leviathan, Inc.
    Inventors: Falcon Momot, Mikhail Davidov, Patrick Stach, Darren Kemp
  • Publication number: 20160196428
    Abstract: Systems, methods and media are shown for detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.
    Type: Application
    Filed: July 16, 2015
    Publication date: July 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventor: Falcon Momot
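The stack-layout check described in 20160196428, as an added example (this is not Leviathan's code): it walks the saved-frame-pointer chain of a constructed x86-64 snapshot and reports every departure from the platform's conventions. The stack mapping, code ranges, register values and frame chains are all constructed for the example, and it assumes a build that keeps rbp as a frame pointer; a frame-pointer-omitting build would need unwind metadata instead.

```python
"""Added example, not Leviathan's code: walk the saved-frame-pointer chain in a
constructed x86-64 stack snapshot and flag layouts that break the platform's
conventions: the stack pointer and every frame must lie inside the stack
mapping, every return address inside an executable mapping, and successive
frames must move in one expected direction (ascending addresses on x86-64,
whose stack grows down). All addresses and ranges below are constructed."""

def in_range(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)

def walk_frames(snap, max_frames=64):
    """Return [(frame_addr, saved_rbp, return_addr), ...] following rbp."""
    frames, fp = [], snap["regs"]["rbp"]
    while fp and len(frames) < max_frames:
        saved, ret = snap["mem"].get(fp), snap["mem"].get(fp + 8)
        frames.append((fp, saved, ret))
        fp = saved                                    # None or 0 ends the walk
    return frames

def check_stack(snap, expect_ascending=True):
    """Return a list of layout anomalies; empty means the stack looks conventional."""
    anomalies, stack, code = [], snap["stack"], snap["code"]
    rsp = snap["regs"]["rsp"]
    if not in_range(rsp, [stack]):
        anomalies.append(f"rsp {rsp:#x} outside the stack mapping")
    for fp, saved, ret in walk_frames(snap):
        if not in_range(fp, [stack]):
            anomalies.append(f"frame {fp:#x} outside the stack mapping")
            continue                                  # its contents are not trustworthy
        if ret is None or not in_range(ret, code):
            anomalies.append(f"return slot {fp + 8:#x} holds {ret!r}, not a code address")
        if saved and (saved > fp) != expect_ascending:    # 0 terminates the chain
            anomalies.append(f"frame chain {fp:#x} -> {saved:#x} runs against stack polarity")
    return anomalies

def stack_pivot_likely(snap):
    return bool(check_stack(snap))

# Constructed mappings: one stack region, the main binary and one shared library.
STACK = (0x7FFCF0000000, 0x7FFCF0021000)
CODE = [(0x401000, 0x480000), (0x7F1230000000, 0x7F12301F0000)]

# Normal call chain: three frames, ascending, all return addresses in code.
LEGIT = {"stack": STACK, "code": CODE,
         "regs": {"rsp": 0x7FFCF0020F40, "rbp": 0x7FFCF0020F60},
         "mem": {0x7FFCF0020F60: 0x7FFCF0020FA0, 0x7FFCF0020F68: 0x401A2C,
                 0x7FFCF0020FA0: 0x7FFCF0020FF0, 0x7FFCF0020FA8: 0x4023F0,
                 0x7FFCF0020FF0: 0x0, 0x7FFCF0020FF8: 0x7F1230029D90}}

# rsp still on the stack, but the saved rbp points at attacker data on the heap.
PIVOT_CHAIN = {"stack": STACK, "code": CODE,
               "regs": {"rsp": 0x7FFCF0020F40, "rbp": 0x7FFCF0020F60},
               "mem": {0x7FFCF0020F60: 0x5604A3B1C020, 0x7FFCF0020F68: 0x401A2C,
                       0x5604A3B1C020: 0x5604A3B1C010, 0x5604A3B1C028: 0x40101A}}

# Classic pivot: rsp itself has been moved into the heap.
PIVOT_RSP = {"stack": STACK, "code": CODE,
             "regs": {"rsp": 0x5604A3B1C000, "rbp": 0x5604A3B1C020},
             "mem": {0x5604A3B1C020: 0x5604A3B1C010, 0x5604A3B1C028: 0x40101A}}

if __name__ == "__main__":
    for name, snap in (("legit", LEGIT), ("pivot_chain", PIVOT_CHAIN), ("pivot_rsp", PIVOT_RSP)):
        print(name, stack_pivot_likely(snap), check_stack(snap))
```

The polarity test is what catches the second snapshot: rsp is still inside the stack mapping, so a check on rsp alone passes, but the chain turns downward into the heap, which no compiler-generated frame layout does on this architecture.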
  • Publication number: 20160196425
    Abstract: Examples of systems, methods and media are shown for iteratively emulating potentially malicious code involving, for each offset of a microarchitecture for the code, emulating a first ring of an operating system, executing a segment of code in the emulated first ring, checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Some examples include emulating a second ring of the operating system having a higher level of privilege than the first ring, such that the second ring emulation returns results to the executing code segment, but does not actually perform the functionality in a host platform.
    Type: Application
    Filed: July 23, 2015
    Publication date: July 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventors: Mikhail Davidov, Patrick Stach
  • Publication number: 20160196427
    Abstract: Systems, methods and media are shown for detecting branch oriented program code involving searching one or more pages of memory to identify a list of code pointers. They also involve, for each code pointer in the list of code pointers, disassembling a segment of code corresponding to the code pointer, determining whether the segment of code terminates in a branch instruction, and removing the segment of code from the list if it does not terminate in a branch instruction. For each remaining code pointer in the list of code pointers, they involve searching a predetermined window of code to determine whether the branch instruction and a target address of the branch instruction both fall within the window, and removing the code pointer from the list if the branch instruction and target address are not both within the window.
    Type: Application
    Filed: July 8, 2015
    Publication date: July 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventors: Mikhail Davidov, Darren Kemp, Sean Bradly
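An added example (not Leviathan's code) covering both 20160328560 and 20160196427: an offset-by-offset scan for omnientrant code, plus the code-pointer filter for branch-oriented chains, over constructed byte strings. Both rest on a deliberately tiny 32-bit x86 decoder that knows only nop, inc/dec/push/pop r32, ret and direct jmp/call; every other byte is treated as invalid, so this is an illustration of the scanning logic, not a usable disassembler. Thresholds, the window size and all sample bytes are assumptions.

```python
"""Added example, not Leviathan's code. Omnientrant scan: from every offset,
follow the code until it terminates; code that executes from almost any offset
and converges on one final address (a NOP sled) is flagged. Gadget filter:
keep only code pointers that start a short sequence ending in a branch within
a window. Uses a toy decoder; thresholds and samples are constructed."""
import struct
from collections import Counter

def decode(code, off):
    """(length, kind, target) for the instruction at code[off]; target is the
    segment-relative destination of a direct branch, else None."""
    b = code[off]
    if b == 0x90 or 0x40 <= b <= 0x5F:                 # nop, inc/dec/push/pop r32
        return 1, "plain", None
    if b == 0xC3:                                      # ret
        return 1, "ret", None
    if b == 0xEB and off + 2 <= len(code):             # jmp rel8
        return 2, "jmp", off + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if b in (0xE8, 0xE9) and off + 5 <= len(code):     # call/jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, ("jmp" if b == 0xE9 else "call"), off + 5 + rel
    return 0, "invalid", None

def run_from(code, start, max_steps=4096):
    """Follow straight-line code and direct jmps from `start`. The offset is
    executable if the path reaches a ret, leaves the segment or runs off its
    end without decoding an invalid byte. Returns (executable, final_address)."""
    pc, seen = start, set()
    for _ in range(max_steps):
        if pc >= len(code):
            return True, len(code)
        if pc in seen:                                 # loop: never terminates
            return False, pc
        seen.add(pc)
        length, kind, target = decode(code, pc)
        if kind == "invalid":
            return False, pc
        if kind == "ret":
            return True, pc
        if kind in ("jmp", "call") and not 0 <= target < len(code):
            return True, target                        # control leaves the segment
        pc = target if kind == "jmp" else pc + length  # a call is assumed to return
    return False, pc

def omnientrant_scan(code):
    """(fraction of offsets that execute, share of those sharing the most common final address)."""
    results = [run_from(code, off) for off in range(len(code))]
    finals = [final for ok, final in results if ok]
    if not finals:
        return 0.0, 0.0
    top = Counter(finals).most_common(1)[0][1]
    return len(finals) / len(code), top / len(finals)

def is_omnientrant(code, exec_threshold=0.5, freq_threshold=0.5, min_executable=16):
    exec_frac, top_frac = omnientrant_scan(code)
    return exec_frac > exec_threshold or (
        exec_frac * len(code) >= min_executable and top_frac > freq_threshold)

def find_code_pointers(page, base, size):
    """32-bit values in a data page (e.g. a stack page) that fall inside the code segment."""
    n = len(page) // 4
    return [v for v in struct.unpack("<%dI" % n, page[: n * 4]) if base <= v < base + size]

def gadget_pointers(code, base, pointers, window=8):
    """Keep pointers whose instruction sequence ends in a branch within `window`
    bytes; a direct branch must also target inside that window."""
    kept = []
    for p in pointers:
        off = pc = p - base
        while pc < min(off + window, len(code)):
            length, kind, target = decode(code, pc)
            if kind == "invalid":
                break
            if kind == "ret" or (kind in ("jmp", "call") and off <= target < off + window):
                kept.append(p)
            if kind != "plain":
                break
            pc += length
    return kept

# Constructed samples.
SLED = b"\x90" * 120 + b"\xeb\x02" + b"\x00\x00" + b"\x58\xc3"  # nop sled; jmp over junk; pop eax; ret
TEXT = b"the quick brown fox jumps over the lazy dog " * 6       # lowercase text: nothing decodes
TABLE = bytes(range(256))                                        # structured non-code data
CODE_BASE = 0x08048000
CODE = (b"x" * 16 + b"\x58\x5b\xc3" + b"x" * 13                  # 0x10: pop eax; pop ebx; ret
        + b"\x40\xc3" + b"x" * 14 + b"\x90" * 32)                # 0x20: inc eax; ret; 0x30: nops
STACK_PAGE = struct.pack("<6I", 0x41414141, CODE_BASE + 0x10, 0xDEADBEEF,
                         CODE_BASE + 0x20, CODE_BASE + 0x30, CODE_BASE + 0x02)

if __name__ == "__main__":
    for name, seg in (("sled", SLED), ("text", TEXT), ("table", TABLE)):
        print(name, omnientrant_scan(seg), is_omnientrant(seg))
    print([hex(p) for p in gadget_pointers(CODE, CODE_BASE, find_code_pointers(STACK_PAGE, CODE_BASE, len(CODE)))])
```

Note that a run of uppercase ASCII (0x41..0x5A) decodes as inc/dec/push/pop and would score as a sled under this toy decoder; that is the same property alphanumeric shellcode exploits, and a real scanner needs the secondary final-address test and a full decoder to separate text from code.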
  • Publication number: 20160197943
    Abstract: Systems, methods and media are shown for generating a profile score for an attacker involving a detection unit configured to identify one or more malicious code elements in a payload, a weighting unit configured to associate a weighting value with each identified malicious code element, and a classification unit configured to sum the weighting values associated with the identified malicious code elements and associate a classification with the attacker based on the score derived from the weighting values.
    Type: Application
    Filed: June 24, 2015
    Publication date: July 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventors: Falcon Momot, Mikhail Davidov
  • Publication number: 20160197955
    Abstract: System, method and media are shown for automatically detecting an attempted V-table exploit based attack involving receiving crash dump data relating to a fault event, identifying code instructions and associated parameters in the crash dump data, analyzing the identified code instructions and associated parameters to detect whether an instruction with a dynamic branch fault is present in the crash dump data, if a dynamic branch fault is found, analyzing the instruction with the dynamic branch fault for invalid data relating to the dynamic branch, and generating an alert if the instruction with the dynamic branch fault includes invalid data. Some examples include automatically sending a message to a network administrator indicating a type of attack and a code module or instruction that faulted. Other examples include automatically triggering system defenses to respond to the attack, including at least one of limiting and blocking access to vulnerable code.
    Type: Application
    Filed: July 14, 2015
    Publication date: July 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventor: Mikhail Davidov
  • Publication number: 20160004861
    Abstract: Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.
    Type: Application
    Filed: June 19, 2015
    Publication date: January 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventor: Falcon Momot
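The two-stage heap-spray heuristic described in 20160004861 and its granted counterpart 9881153, as an added example (not Leviathan's code). Stage one measures per-allocation Shannon entropy and keeps only low-entropy blocks; stage two applies the secondary heuristics the abstract names: allocation count, allocation-size uniformity and repeated content. The entropy threshold, minimum block count, size and sled fractions, and the heap contents themselves are all assumptions constructed for the example.

```python
"""Added example, not Leviathan's code: entropy gate followed by secondary
heuristics over a list of user allocations from a process image. Every
threshold below is an assumption; the heaps are constructed in-line."""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 4.0       # bits per byte; assumed
MIN_SUSPECT_ALLOCS = 64       # assumed
UNIFORM_SIZE_FRACTION = 0.8   # assumed
SLED_FRACTION = 0.8           # assumed

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sled_fraction(data, max_period=16):
    """Largest share of the buffer covered by repeating its leading 1..16 bytes
    (catches 0x90 sleds, 0x0c0c0c0c fills and similar short-period content)."""
    best = 0.0
    for p in range(1, max_period + 1):
        if len(data) < 2 * p:
            break
        unit, i = data[:p], p
        while data[i:i + p] == unit:
            i += p
        best = max(best, i / len(data))
    return best

def secondary_heuristics(allocs):
    """Allocation-pattern, content and size checks over the low-entropy blocks."""
    sizes = Counter(len(a) for a in allocs)
    dominant, count = sizes.most_common(1)[0]
    sled_like = sum(sled_fraction(a) >= SLED_FRACTION for a in allocs) / len(allocs)
    return {"count": len(allocs), "dominant_size": dominant,
            "uniform_size": count / len(allocs) >= UNIFORM_SIZE_FRACTION,
            "sled_like": sled_like >= SLED_FRACTION}

def detect_heap_spray(allocs):
    """allocs: one bytes object per user allocation. Returns (detected, details)."""
    suspects = [a for a in allocs if shannon_entropy(a) < ENTROPY_THRESHOLD]
    if len(suspects) < MIN_SUSPECT_ALLOCS:        # stage-one gate
        return False, {"count": len(suspects)}
    h = secondary_heuristics(suspects)
    return h["uniform_size"] and h["sled_like"], h

# Constructed heaps (seeded so the example is reproducible).
_rng = random.Random(1)
def _random_alloc(size):
    return bytes(_rng.getrandbits(8) for _ in range(size))

# Benign: mixed-size high-entropy blocks plus a handful of zeroed buffers, which
# fail the entropy gate individually but are far too few to be a spray.
BENIGN_HEAP = [_random_alloc(s) for s in (64, 96, 160, 512, 1024, 4096) * 20] + [bytes(4096)] * 5
# Spray: 200 identical 4 KiB blocks, each a 0x90 sled followed by a 96-byte payload.
PAYLOAD = _random_alloc(96)
SPRAYED_HEAP = BENIGN_HEAP + [b"\x90" * 4000 + PAYLOAD] * 200

if __name__ == "__main__":
    print("benign :", detect_heap_spray(BENIGN_HEAP))
    print("sprayed:", detect_heap_spray(SPRAYED_HEAP))
```

The gate matters as much as the heuristics: a sled block has an entropy near 0.3 bits per byte even with a random payload appended, so it always reaches stage two, while the benign heap's few zeroed buffers also pass the gate and are only dismissed because the count stays below the minimum.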
  • Publication number: 20160006759
    Abstract: Systems, methods and media are shown for automatically detecting a use-after-free exploit based attack that involve receiving crash dump data relating to a fault event, determining whether the fault event instruction is a call type instruction and, if so, identifying a UAF attack by checking whether it includes a base address in a first register that stores a pointer to free memory and, if so, generating a UAF alert. In some examples, generating a use-after-free alert includes automatically sending a message that indicates a UAF attack or automatically triggering a system defense to the UAF attack. Some examples may include, for a call type faulting instruction, identifying a UAF attack, checking whether a base address in the first register includes a pointer in a second register to a free memory location associated with the base address.
    Type: Application
    Filed: July 2, 2015
    Publication date: January 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventor: Darren Kemp
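The two crash-dump heuristics from 20160006759 (use-after-free, also granted as 9881155) and 20160197955 (V-table attack), as an added example that is not Leviathan's code. Both start from the faulting instruction: if it is an indirect call or jump, the UAF check asks whether its base register points into a chunk the allocator has already freed, and the V-table check reads the pointer slot the instruction branches through and asks whether the value there is an executable address. The dump layout, register names, address ranges, freed-chunk list and Intel-syntax instruction text are constructed; a real tool would take them from the allocator's free list and the process module list.

```python
"""Added example, not Leviathan's code: UAF and V-table triage over constructed
crash-dump records. Ranges, registers and instruction text are constructed."""
import re

# Matches "call qword ptr [rax+0x10]", "jmp [rcx]" and similar indirect forms.
INDIRECT = re.compile(
    r"^(call|jmp)\s+(?:qword ptr\s*)?\[(r[a-z0-9]+)(?:\s*\+\s*(0x[0-9a-f]+|\d+))?\]$")

def parse_indirect_branch(text):
    """Return (mnemonic, base_register, displacement) or None for anything else."""
    m = INDIRECT.match(text.strip().lower())
    if not m:
        return None
    op, base, disp = m.groups()
    return op, base, (int(disp, 0) if disp else 0)

def in_range(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)

def triage(dump):
    """Return a list of alert strings for one fault record."""
    alerts = []
    parsed = parse_indirect_branch(dump["instruction"])
    if parsed is None:
        return alerts                       # not a dynamic branch: outside both heuristics
    op, base, disp = parsed
    base_val = dump["regs"][base]
    if in_range(base_val, dump["freed"]):   # UAF: object pointer lives in a freed chunk
        alerts.append(f"UAF: {op} via {base}={base_val:#x} inside a freed chunk")
    slot = base_val + disp                  # V-table: what does the branch slot hold?
    target = dump["mem"].get(slot)
    if target is None:
        alerts.append(f"VTABLE: pointer slot {slot:#x} is unreadable")
    elif not in_range(target, dump["exec"]):
        alerts.append(f"VTABLE: slot {slot:#x} -> {target:#x} is not executable")
    return alerts

# Constructed process state.
EXEC = [(0x401000, 0x480000), (0x7F1230000000, 0x7F12301F0000)]
FREED = [(0x5604A3B1C2A0, 0x5604A3B1C3A0)]          # chunk already returned to the allocator

UAF_DUMP = {"instruction": "call qword ptr [rax+0x10]", "regs": {"rax": 0x5604A3B1C2A0},
            "freed": FREED, "exec": EXEC, "mem": {0x5604A3B1C2B0: 0x4141414141414141}}
VTABLE_DUMP = {"instruction": "call qword ptr [rcx]", "regs": {"rcx": 0x5604A3B1D000},
               "freed": FREED, "exec": EXEC, "mem": {0x5604A3B1D000: 0x0C0C0C0C0C0C0C0C}}
LEGIT_CALL = {"instruction": "call qword ptr [rdx+8]", "regs": {"rdx": 0x5604A3B1E000},
              "freed": FREED, "exec": EXEC, "mem": {0x5604A3B1E008: 0x4012F0}}
NULL_DEREF = {"instruction": "mov eax, dword ptr [rax]", "regs": {"rax": 0x0},
              "freed": FREED, "exec": EXEC, "mem": {}}

if __name__ == "__main__":
    for name, dump in (("uaf", UAF_DUMP), ("vtable", VTABLE_DUMP),
                       ("legit", LEGIT_CALL), ("null", NULL_DEREF)):
        print(name, triage(dump))
```

The first record raises both alerts, which is the usual picture for an exploited use-after-free: the freed chunk has been reallocated with attacker data, so the fake vtable slot also fails the executable-target test. The second record shows a vtable overwrite on a live object, where only the V-table check fires.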
  • Publication number: 20160004580
    Abstract: Systems and methods are shown for detecting potential attacks on a domain, where one or more servers, in response to a failure event, obtain a lambda value from a baseline model of historical data associated with a current time interval corresponding to the failure event, determine a probability of whether a total count of failure events for the current time interval is within an expected range using a cumulative density function based on the lambda value, and identify a possible malicious attack if the probability is less than or equal to a selected alpha value.
    Type: Application
    Filed: June 11, 2015
    Publication date: January 7, 2016
    Applicant: LEVIATHAN, INC.
    Inventors: Falcon Momot, Lorne Schell, Duncan Smith
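The Poisson baseline test described in 20160004580, as an added example that is not Leviathan's implementation, applied to constructed per-hour counts of failed logins on a domain. Lambda for the current interval is the mean count seen in the same time-of-day slot over prior days; the observed count is scored by the upper-tail probability P(X >= observed) from the Poisson CDF and flagged when that probability is at or below alpha. The interval size, alpha, the lambda floor and the fourteen-day history are assumptions.

```python
"""Added example, not Leviathan's implementation: Poisson baseline anomaly test
for failure-event counts. Interval, alpha, lambda floor and history are assumed."""
from collections import defaultdict
import math

INTERVAL = 3600            # one-hour slots; assumed
ALPHA = 0.001              # assumed
LAMBDA_FLOOR = 0.5         # keeps a never-seen slot from having lambda 0; assumed

def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam), summing terms recursively (no scipy)."""
    if k < 0:
        return 0.0
    term = total = math.exp(-lam)           # i = 0 term
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return min(total, 1.0)

def upper_tail(k, lam):
    """P(X >= k). For counts far above lambda the subtraction underflows to 0.0,
    which is still correctly at or below any alpha."""
    return 1.0 - poisson_cdf(k - 1, lam)

def slot_of(ts):
    return (ts % 86400) // INTERVAL

def build_baseline(history):
    """history: [(epoch_seconds, failure_count)] per interval; returns {slot: lambda}."""
    buckets = defaultdict(list)
    for ts, count in history:
        buckets[slot_of(ts)].append(count)
    return {slot: sum(v) / len(v) for slot, v in buckets.items()}

def assess(baseline, ts, observed):
    """Return (attack_suspected, p_value, lambda) for one interval's total count."""
    lam = max(baseline.get(slot_of(ts), 0.0), LAMBDA_FLOOR)
    p = upper_tail(observed, lam)
    return p <= ALPHA, p, lam

# Constructed history: 14 days of hourly counts, busier during working hours.
HISTORY = [(d * 86400 + h * 3600, 6 + (d + h) % 3 if 9 <= h < 17 else (d + h) % 2)
           for d in range(14) for h in range(24)]
BASELINE = build_baseline(HISTORY)
T_DAY, T_NIGHT = 14 * 86400 + 10 * 3600, 14 * 86400 + 3 * 3600   # day 15, 10:00 and 03:00

if __name__ == "__main__":
    for label, ts, n in (("10:00, 7 failures", T_DAY, 7), ("10:00, 40 failures", T_DAY, 40),
                         ("03:00, 6 failures", T_NIGHT, 6)):
        flagged, p, lam = assess(BASELINE, ts, n)
        print(f"{label}: lambda={lam:.2f} p={p:.2e} attack={flagged}")
```

The per-slot baseline is what makes the same absolute count mean different things: seven failures at 10:00 sit at the daytime mean (p about 0.56), while six failures at 03:00 against a night-time lambda of 0.5 has p around 1.4e-5 and is flagged.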