Patents by Inventor Mordechai GURI

Mordechai GURI has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11847222
    Abstract: Embodiments described herein are capable of preventing the installation of unwanted software bundled with a desired application at runtime, while allowing the installation of the desired application to continue as expected. For example, the embodiments described herein create a decoy in memory that preempts unwanted code. The decoy attracts any illegitimate code and diverts it into a dead end (e.g., the code is isolated, thereby preventing it from properly executing), while installation of the legitimate code (i.e., the desired application) flows as expected. The foregoing detects that a reflective loading process of DLL associated with the unwanted application has occurred, identifies the entity that attempted to perform the reflective loading process, and prevents the entity from completing the reflective loading process without terminating the main installer.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: December 19, 2023
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Patent number: 11822654
    Abstract: Embodiments described herein enable the detection, analysis and signature determination of obfuscated malicious code. Such malicious code comprises a deobfuscation portion that deobfuscates the obfuscated portion during runtime to generate deobfuscated malicious code. The techniques described herein deterministically detect and suspend the deobfuscated malicious code when it attempts to access memory resources that have been morphed in accordance with embodiments described herein. This advantageously enables the deobfuscated malicious code to be suspended at its initial phase. By doing so, the malicious code is not given the opportunity to delete its traces in memory regions it accesses, thereby enabling the automated exploration of such memory regions to locate and extract runtime memory characteristics associated with the malicious code.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: November 21, 2023
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Evgeny Goldstein, Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Patent number: 11645383
    Abstract: Various automated techniques are described herein for the runtime detection/neutralization of malware executing on a computing device. The foregoing is achievable during a relatively early phase, for example, before the malware manages to encrypt any of the user's files. For instance, a malicious process detector may create decoy file(s) in a directory. The decoy file(s) may have attributes that cause such file(s) to reside at the beginning and/or end of a file list. By doing so, a malicious process targeting files in the directory will attempt to encrypt the decoy file(s) before any other file. The detector monitors operations to the decoy file(s) to determine whether a malicious process is active on the user's computing device. In response to determining that a malicious process is active, the malicious process detector takes protective measure(s) to neutralize the malicious process.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: May 9, 2023
    Assignee: MORPHISEC INFORMATION SECURITY 2014 LTD.
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Publication number: 20220092171
    Abstract: Techniques are provided for neutralizing attacks by malicious code on a computer system. In an embodiment, this is achieved by modifying certain aspects of an operating system. For example, a system call table storing pointers to system functions is duplicated to create a shadow system call table. The original table is modified with traps resulting in the neutralization of processes that access the table, whereas processes that access the shadow system call table are enabled to execute properly. In order for valid applications to operate with the shadow system call table, index numbers corresponding to the different system function calls are randomized in a system library that maintains function calls to such system functions. Valid applications may be patched in order to reference such randomized index numbers, whereas malicious processes continue to reference the original non-randomized index numbers.
    Type: Application
    Filed: November 27, 2019
    Publication date: March 24, 2022
    Inventors: Nathaniel TSECHANSKI, Mordechai GURI, Michael GORELIK
  • Patent number: 11171987
    Abstract: Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: November 9, 2021
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Patent number: 11086993
    Abstract: The invention relates to a system for protecting IoT devices from malicious code, which comprises: (a) a memory extracting module at each of said IoT devices, for extracting a copy of at least a portion of the memory content from the IoT device, and sending the same to an in-cloud server; and (b) an in-cloud server for receiving said memory content, and performing an integrity check for a possible existence of malicious code within said memory content.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: August 10, 2021
    Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici
  • Publication number: 20210056205
    Abstract: Embodiments described herein are capable of preventing the installation of unwanted software bundled with a desired application at runtime, while allowing the installation of the desired application to continue as expected. For example, the embodiments described herein create a decoy in memory that preempts unwanted code. The decoy attracts any illegitimate code and diverts it into a dead end (e.g., the code is isolated, thereby preventing it from properly executing), while installation of the legitimate code (i.e., the desired application) flows as expected. The foregoing detects that a reflective loading process of DLL associated with the unwanted application has occurred, identifies the entity that attempted to perform the reflective loading process, and prevents the entity from completing the reflective loading process without terminating the main installer.
    Type: Application
    Filed: March 21, 2019
    Publication date: February 25, 2021
    Inventors: Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Publication number: 20200342100
    Abstract: Embodiments described herein enable the detection, analysis and signature determination of obfuscated malicious code. Such malicious code comprises a deobfuscation portion that deobfuscates the obfuscated portion during runtime to generate deobfuscated malicious code. The techniques described herein deterministically detect and suspend the deobfuscated malicious code when it attempts to access memory resources that have been morphed in accordance with embodiments described herein. This advantageously enables the deobfuscated malicious code to be suspended at its initial phase. By doing so, the malicious code is not given the opportunity to delete its traces in memory regions it accesses, thereby enabling the automated exploration of such memory regions to locate and extract runtime memory characteristics associated with the malicious code.
    Type: Application
    Filed: April 20, 2018
    Publication date: October 29, 2020
    Inventors: Evgeny Goldstein, Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Patent number: 10817605
    Abstract: The invention relates to a system for protecting a computerized device from a malicious activity resulting from a malicious code, which comprises: (a) a first DC supply monitoring unit which is located within a separate computerized environment, namely an environment which is totally separated and isolated both physically and in terms of connectivity from the hardware and software of the computerized environment of the device; (b) a memory database for storing one or more signatures of known malicious events, each of said signatures describes the temporal effect of a malicious event, respectively, on the power consumption from the DC supply of the device; and (c) a microprocessor within said DC supply monitoring unit for continuously monitoring the power consumption from said DC supply of the device, comparing temporal characteristics of the power consumption with said malicious events signatures in said database, and alerting upon detection of a match, wherein said DC supply monitoring unit is at most physic
    Type: Grant
    Filed: March 22, 2015
    Date of Patent: October 27, 2020
    Assignee: B.G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici
  • Patent number: 10742603
    Abstract: The invention relates to a TEE (Trusted Environment Execution) structure which comprises: (a) a main domain defining a domain of operation for a main OS; (b) a privileged trusted domain defining a domain of operation for a trusted domain OS; and (c) a low level hypervisor which is separated from both of said main OS and said trusted domain OS, said hypervisor is used for: (c.1) receiving packets from a network; (c.2) examining an address included in each of said received packets; and (c.3) based on the determined address in each of said packets, targeting respectively the packet to either said main OS or to said trusted domain OS, while in the latter case any interaction between the received packet and said main OS is eliminated.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: August 11, 2020
    Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici
  • Patent number: 10528735
    Abstract: Various approaches are described herein for, among other things, detecting and/or neutralizing attacks by malicious code. For example, instance(s) of a protected process are modified upon loading by injecting a runtime protector that creates a copy of each of the process' imported libraries and maps the copy into a random address inside the process' address space to form a “randomized” shadow library. The libraries loaded at the original address are modified into a stub library. Shadow and stub libraries are also created for libraries that are loaded after the process creation is finalized. Consequently, when malicious code attempts to retrieve the address of a given procedure, it receives the address of the stub procedure, thereby neutralizing the malicious code. When the original program's code (e.g., the non-malicious code) attempts to retrieve the address of a procedure, it receives the correct address of the requested procedure (located in the shadow library).
    Type: Grant
    Filed: May 8, 2015
    Date of Patent: January 7, 2020
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Michael Gorelik, Mordechai Guri, David Mimran, Gabriel Kedma, Ronen Yehoshua
  • Patent number: 10515215
    Abstract: The invention relates to a method for providing a computerized system which is protected from unauthorized programs coming from an external source, the method comprises the steps of (a) secretly, and in a manner unknown to authors of external programs, providing a non-standard compiler which mutates (modifies) each high level program to one or more non-standard mutated machine code instructions that a standard CPU cannot properly execute; (b) subjecting all authorized programs to said non-standard compiler; and (c) providing a translator which converts each mutated machine code instruction resulting from said non-standard compiler to a respective standard instruction which the CPU can properly execute, whereas any program which is not subjected to both said non-standard compiler and said translator will result in one or more instructions that the CPU cannot properly execute.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: December 24, 2019
    Assignee: MORPHISEC INFORMATION SECURITY 2014 LTD.
    Inventors: Mordechai Guri, Yuval Elovici, Gabi Kedma
  • Publication number: 20190334949
    Abstract: Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.
    Type: Application
    Filed: December 28, 2017
    Publication date: October 31, 2019
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Publication number: 20190332766
    Abstract: Various automated techniques are described herein for the runtime detection/neutralization of malware executing on a computing device. The foregoing is achievable during a relatively early phase, for example, before the malware manages to encrypt any of the user's files. For instance, a malicious process detector may create decoy file(s) in a directory. The decoy file(s) may have attributes that cause such file(s) to reside at the beginning and/or end of a file list. By doing so, a malicious process targeting files in the directory will attempt to encrypt the decoy file(s) before any other file. The detector monitors operations to the decoy file(s) to determine whether a malicious process is active on the user's computing device. In response to determining that a malicious process is active, the malicious process detector takes protective measure(s) to neutralize the malicious process.
    Type: Application
    Filed: December 28, 2017
    Publication date: October 31, 2019
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Patent number: 10402563
    Abstract: Various approaches are described herein for the automated classification of exploit(s) based on snapshots of runtime environmental features of a computing process in which the exploit(s) are attempted. The foregoing is achieved with a server and local station(s). Each local station is configured to neutralize operation of malicious code being executed thereon, obtain snapshot(s) indicating the state thereof at the time of the exploitation attempt, and perform a classification process using the snapshot(s). The snapshot(s) are analyzed with respect to a local classification model maintained by the local station to find a classification of the exploit therein. If a classification is found, an informed decision is made as to how to handle the classified exploit. If a classification is not found, the snapshot(s) are provided to the server for classification thereby. The server provides an updated classification model containing a classification for the exploit to the local station(s).
    Type: Grant
    Filed: February 11, 2016
    Date of Patent: September 3, 2019
    Assignee: MorphiSec Information Security Ltd.
    Inventors: Mordechai Guri, Michael Gorelik, Ronen Yehoshua
  • Patent number: 10296740
    Abstract: The invention relates to a system for protecting a computerized device from activities within the device bootstrap, which comprises: (a) a DC supply monitoring unit for monitoring power consumption of the DC supply of the device during bootstrap; and (b) a database for storing one or more valid bootstrap signatures, each of said valid bootstrap signatures describes a valid variation of power consumption pattern, respectively, from the DC supply of the device; wherein, during bootstrapping of the device, said DC supply monitoring unit continuously monitors the power consumption from said DC supply of the device, compares characteristics of the power consumption with said one or more valid bootstrap signatures in said database, and alerts upon detection of a mismatch.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: May 21, 2019
    Assignee: B.G. Negev Technologies and Application Ltd., at Ben-Gurion University
    Inventors: Mordechai Guri, Yuval Elovici
  • Publication number: 20190095620
    Abstract: The invention relates to a system for protecting IoT devices from malicious code, which comprises: (a) a memory extracting module at each of said IoT devices, for extracting a copy of at least a portion of the memory content from the IoT device, and sending the same to an in-cloud server; and (b) an in-cloud server for receiving said memory content, and performing an integrity check for a possible existence of malicious code within said memory content.
    Type: Application
    Filed: March 7, 2017
    Publication date: March 28, 2019
    Applicant: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai GURI, Yuval ELOVICI
  • Publication number: 20180248847
    Abstract: The invention relates to a TEE (Trusted Environment Execution) structure which comprises: (a) a main domain defining a domain of operation for a main OS; (b) a privileged trusted domain defining a domain of operation for a trusted domain OS; and (c) a low level hypervisor which is separated from both of said main OS and said trusted domain OS, said hypervisor is used for: (c.1) receiving packets from a network; (c.2) examining an address included in each of said received packets; and (c.3) based on the determined address in each of said packets, targeting respectively the packet to either said main OS or to said trusted domain OS, while in the latter case any interaction between the received packet and said main OS is eliminated.
    Type: Application
    Filed: August 16, 2017
    Publication date: August 30, 2018
    Applicant: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai GURI, Yuval ELOVICI
  • Publication number: 20180181752
    Abstract: Various approaches are described herein for the automated classification of exploit(s) based on snapshots of runtime environmental features of a computing process in which the exploit(s) are attempted. The foregoing is achieved with a server and local station(s). Each local station is configured to neutralize operation of malicious code being executed thereon, obtain snapshot(s) indicating the state thereof at the time of the exploitation attempt, and perform a classification process using the snapshot(s). The snapshot(s) are analyzed with respect to a local classification model maintained by the local station to find a classification of the exploit therein. If a classification is found, an informed decision is made as to how to handle the classified exploit. If a classification is not found, the snapshot(s) are provided to the server for classification thereby. The server provides an updated classification model containing a classification for the exploit to the local station(s).
    Type: Application
    Filed: February 11, 2016
    Publication date: June 28, 2018
    Inventors: Mordechai Guri, Michael Gorelik, Ronen Yehoshua
  • Publication number: 20180173877
    Abstract: The invention relates to a system for protecting a computerized device from a malicious activity resulting from a malicious code, which comprises: (a) a first DC supply monitoring unit which is located within a separate computerized environment, namely an environment which is totally separated and isolated both physically and in terms of connectivity from the hardware and software of the computerized environment of the device; (b) a memory database for storing one or more signatures of known malicious events, each of said signatures describes the temporal effect of a malicious event, respectively, on the power consumption from the DC supply of the device; and (c) a microprocessor within said DC supply monitoring unit for continuously monitoring the power consumption from said DC supply of the device, comparing temporal characteristics of the power consumption with said malicious events signatures in said database, and alerting upon detection of a match, wherein said DC supply monitoring unit is at most physic
    Type: Application
    Filed: March 22, 2015
    Publication date: June 21, 2018
    Applicants: B.G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY, B.G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici