Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

Abstract: System, method and media are shown for detecting potentially malicious code by iteratively emulating potentially malicious code, that involve, for each offset of a memory image, emulating execution of an instruction at the offset on a first platform and, if execution fails, determining whether the instruction at the offset has relevance to at least a second platform and, if so, emulating execution of the instruction at the offset on the second platform. If execution succeeds, it involves checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Refinements involve applying this process to also determine aspects of information related to the target of any discovered code, malicious or otherwise.

Abstract: Systems and methods are shown for detecting potential attacks on a domain, where one or more servers, in response to a failure event, obtain a lambda value from a baseline model of historical data associated with a current time interval corresponding to the failure event, determine a probability of whether a total count of failure events for the current time interval is within an expected range using a cumulative density function based on the lambda value, and identify a possible malicious attack if the probability is less than or equal to a selected alpha value.

Abstract: Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if a proportion of the executable offsets have a common value for the final execution address exceeds a frequency threshold.

Abstract: Systems, methods and media are shown for detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.

Abstract: Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.

Abstract: Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if a proportion of the executable offsets have a common value for the final execution address exceeds a frequency threshold.

Abstract: System, method and media are shown for detecting potentially malicious code by iteratively emulating potentially malicious code, that involve, for each offset of a memory image, emulating execution of an instruction at the offset on a first platform and, if execution fails, determining whether the instruction at the offset has relevance to at least a second platform and, if so, emulating execution of the instruction at the offset on the second platform. If execution succeeds, it involves checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Refinements involve applying this process to also determine aspects of information related to the target of any discovered code, malicious or otherwise.

Abstract: Systems, methods and media are shown for generating a profile score for an attacker involving a detection unit configured to identify one or more malicious code elements in a payload, a weighting unit configured to associate a weighting value with each identified malicious code element, and a classification unit configured to sum the weighting values associated with the identified malicious code elements and associate a classification with the attacker based on scored based the weighting values.

Abstract: Systems, methods and media are shown for detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.

Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

Abstract: Systems and methods are shown for detecting potential attacks on a domain, where one or more servers, in response to a failure event, obtain a lambda value from a baseline model of historical data associated with a current time interval corresponding to the failure event, determine a probability of whether a total count of failure events for the current time interval is within an expected range using a cumulative density function based on the lambda value, and identify a possible malicious attack if the probability is less than or equal to a selected alpha value.

Abstract: Methods, systems and media are shown for detecting a heap spray event involving examining user allocated portions of heap memory for a process image, determining a level of entropy for the user allocated portions, and, if the level of entropy is below a threshold, performing secondary heuristics, and detecting a heap spray event based on results of the secondary heuristics. In some examples, performing the secondary heuristics may include analyzing a pattern of memory allocation for the user allocated portions, analyzing data content of the user allocated portions of heap memory, or analyzing a heap allocation size for the user allocated portions of heap memory.