Abstract: Disclosed herein are systems and methods for detecting an unapproved use of a computing device of a user. In one aspect, an exemplary method comprises, by a security application: detecting a script executing in a browser on the computing device of the user, intercepting messages being exchanged during an interaction of the script with a server, wherein the intercepted messages comprise at least one of messages sent from the script to the server and from the server to the script, analyzing the intercepted messages to determine whether or not attributes of an unapproved use of resources of the computing device of the user are present, detecting the unapproved use of the resources of the computing device of the user when at least one of said attributes is detected.

Abstract: The present disclosure is directed towards systems and methods for detecting hidden behavior in browser extensions. In one aspect, a method is provided including launching a browser in a protected environment, performing one or more actions in the browser, tracking events occurring during the performing of the one or more actions, identifying extension events from the events that are initiated by a browser extension, analyzing the extension events for indications of change that correspond to behavior not previously declared by the browser extension, and determining that the browser extension is performing hidden behavior when indications of change are found.

Abstract: Disclosed are systems and methods for execution of program code by an interpreter. One exemplary method comprises: generating intermediate instructions based on a unified grammar from instructions of the program code, beginning execution of the intermediate instructions in an emulated computer environment, in response to detecting an instruction of the program code associated with an object for which a rule of interpretation is not found, halting further execution of the intermediate instructions, obtaining an auxiliary code corresponding to the object, wherein a result of execution of the auxiliary code corresponds to the result of the execution of the object, and wherein the auxiliary code contains objects for which the interpreter has a rule of interpretation, executing the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, resuming the execution of the intermediate instructions.

Abstract: The present disclosure is directed towards systems and methods for detecting hidden behavior in browser extensions. In one aspect, a method is provided comprising launching a browser in a protected environment, performing one or more actions in the browser, tracking events occurring during the performing of the one or more actions, identifying extension events from the events that are initiated by a browser extension, analyzing the extension events for indications of change that correspond to behavior not previously declared by the browser extension, and determining that the browser extension is performing hidden behavior when indications of change are found.

Abstract: Disclosed are systems and methods for execution of program code by an interpreter. One exemplary method comprises: generating intermediate instructions based on a unified grammar from instructions of the program code, beginning execution of the intermediate instructions in an emulated computer environment, in response to detecting an instruction of the program code associated with an object for which a rule of interpretation is not found, halting further execution of the intermediate instructions, obtaining an auxiliary code corresponding to the object, wherein a result of execution of the auxiliary code corresponds to the result of the execution of the object, and wherein the auxiliary code contains objects for which the interpreter has a rule of interpretation, executing the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, resuming the execution of the intermediate instructions.

Abstract: Disclose are systems and methods for execution of program code by an interpreter. One exemplary method comprises: executing, by the interpreter, instructions of the program code in an emulated computer environment; when detecting, by the interpreter, an instruction of the program code associated with an unknown object for which the interpreter lacks a rule of interpretation, halting by the interpreter further execution of the instructions of the program code; obtaining, by the interpreter, an auxiliary code whose result of execution corresponds to the result of the execution of the unknown object, wherein the auxiliary code contains known objects for which the interpreter has a rule of interpretation; executing, by the interpreter, the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, by the interpreter, resuming the execution of the instructions of the program code.

Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.

Abstract: Disclose are systems and methods for execution of program code by an interpreter. One exemplary method comprises: executing, by the interpreter, instructions of the program code in an emulated computer environment; when detecting, by the interpreter, an instruction of the program code associated with an unknown object for which the interpreter lacks a rule of interpretation, halting by the interpreter further execution of the instructions of the program code; obtaining, by the interpreter, an auxiliary code whose result of execution corresponds to the result of the execution of the unknown object, wherein the auxiliary code contains known objects for which the interpreter has a rule of interpretation; executing, by the interpreter, the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, by the interpreter, resuming the execution of the instructions of the program code.

Abstract: Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.

Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.

Abstract: Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.

Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.

Abstract: Disclosed are exemplary aspects of systems and methods for detection of phishing scripts. An exemplary method comprises: generating a bytecode of a script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts; identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold; determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.