Patents by Inventor Peter Ferrie

Peter Ferrie has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11861007
    Abstract: Techniques for detecting container threats are described. A method of detecting container threats includes receiving, by a scanning agent on a scanner container on a host in a provider network, event data from a plurality of collection agents corresponding to a plurality of customer containers on the host, determining, by the scanning agent, the event data matches at least one known threat, and generating, by the scanning agent, event findings associated with the event data.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Mircea Ciubotariu, Shlomo Yehezkel, Peter Ferrie
  • Patent number: 11176276
    Abstract: The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: November 16, 2021
    Assignee: CA, INC.
    Inventors: Joseph Chen, Qubo Song, Spencer Smith, Shaun Aimoto, Haik Mesropian, David Kane, Peter Ferrie, Jordan Saxonberg, Costin Ionescu
  • Patent number: 10318250
    Abstract: The disclosed computer-implemented method for locating functions for later interception may include (i) identifying a function to be intercepted during an execution of a file that comprises an instance of the function, (ii) procuring, from a description of the function, a string that, when located in any given file within a set of files, indicates a location of the function within the given file, (iii) scanning the file to identify a location of the string within the file, (iv) determining, based on the location of the string within the file, a location of the instance of the function within the file, and (v) intercepting a call made by a process during the execution of the file to the instance of the function based on having located the instance of the function within the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: June 11, 2019
    Assignee: Symantec Corporation
    Inventors: Peter Ferrie, Vishal Saxena
  • Patent number: 10049214
    Abstract: The disclosed computer-implemented method for detecting malicious processes on computing devices may include (i) identifying a portion of data on a computing device that is stored in an unrestricted section of memory and accessed by processes while running on the computing device, (ii) allocating a restricted section of memory within the computing device and indicating that the portion of data is located in the restricted section of memory, (iii) detecting an attempt by a process running on the computing device to access the portion of data within the restricted section of memory using an unexpected access method, (iv) determining, based at least in part on the process attempting to access the portion of data within the restricted section of memory using the unexpected access method, that the process is malicious, and (v) performing a security action on the computing device to prevent the malicious process from harming the computing device.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: August 14, 2018
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 10043013
    Abstract: The disclosed computer-implemented method for detecting gadgets on computing devices may include (i) identifying, on a computing device, a process containing multiple modules, (ii) identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module, (iii) copying each module that does not implement the security protocol to a section of memory dedicated to security analyses, (iv) determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process contains a gadget that is capable of being maliciously exploited, and then (v) performing a security action on the computing device to prevent the gadget from being maliciously exploited. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: August 7, 2018
    Assignee: Symantec Corporation
    Inventors: Peter Ferrie, Joseph Chen
  • Publication number: 20180075238
    Abstract: The disclosed computer-implemented method for detecting malicious processes on computing devices may include (i) identifying a portion of data on a computing device that is stored in an unrestricted section of memory and accessed by processes while running on the computing device, (ii) allocating a restricted section of memory within the computing device and indicating that the portion of data is located in the restricted section of memory, (iii) detecting an attempt by a process running on the computing device to access the portion of data within the restricted section of memory using an unexpected access method, (iv) determining, based at least in part on the process attempting to access the portion of data within the restricted section of memory using the unexpected access method, that the process is malicious, and (v) performing a security action on the computing device to prevent the malicious process from harming the computing device.
    Type: Application
    Filed: September 13, 2016
    Publication date: March 15, 2018
    Inventor: Peter Ferrie
  • Patent number: 8621606
    Abstract: A computer-implemented method for identifying external functions called by an untrusted application may comprise loading an untrusted application into an emulated computing environment, executing a first computer-readable instruction of the untrusted application within the emulated computing environment, intercepting a request to access an external-function-specific region of memory, and identifying, by analyzing the request, an external function to be called by the first computer-readable instruction. The method may also comprise identifying an address associated with the external function and/or identifying a name associated with the external function. The name associated with the external function may be used to recreate an import table for the untrusted application. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: December 31, 2013
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 8402541
    Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions.
    Type: Grant
    Filed: March 12, 2009
    Date of Patent: March 19, 2013
    Assignee: Microsoft Corporation
    Inventors: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
  • Patent number: 7996836
    Abstract: A computer includes a virtual machine controlled by a hypervisor. The virtual machine runs a virtualized operating system with running processes. A security initialization module sets the state in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a process making a system call in the virtualized operating system. Responsive to execution being passed from the virtual machine to the hypervisor, a security module analyzes the process making the system call to determine whether it poses a security threat. If a security threat is found, the security module takes remedial action to address the threat.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: August 9, 2011
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, Peter Ferrie
  • Publication number: 20100235913
    Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions.
    Type: Application
    Filed: March 12, 2009
    Publication date: September 16, 2010
    Applicant: Microsoft Corporation
    Inventors: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
  • Patent number: 7797702
    Abstract: A legitimate process utilizes thread local storage (TLS) functionality to prevent a malicious thread from executing in its address space. The legitimate process includes a thread white list that identifies the entry point addresses of threads executed by the process. When executed on a computer, the process interacts with the TLS functionality provided by the computer's operating system. The operating system sends the process a message each time a new thread is executed in the process's address space. Upon receiving the message, the process determines the entry point address of the new thread and checks to see if the address is in the white list. If the thread entry point address is not in the white list, the thread is probably malicious and the process therefore terminates the thread's execution.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: September 14, 2010
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 7797747
    Abstract: Subsets of non-paged pool unused pages entries are flushed from a translation lookaside buffer (TLB). An attempt to access malicious code within a not present page within the non-paged pool unused pages is made, e.g., by malicious code. The attempt to access the page generates a page fault, which is detected. The page is scanned for malicious code and a determination is made that the page contains malicious code. Protective action is taken to protect a host computer system from the malicious code. Accordingly, malicious code in a page marked not present, i.e., in a page that ordinarily would not be scanned for malicious code, is detected and defeated.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: September 14, 2010
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 7698742
    Abstract: A method and apparatus for scanning exclusively locked files uses a kernel mode driver to scan the operating system's table of applications and identify a handle that owns an exclusive lock for an exclusively locked file. In one embodiment, the kernel mode driver then copies the handle and passes the handle over to a handle list of the anti-virus application requesting access to the exclusively locked file and provides the anti-virus application with the access handle reference number. Armed with the access handle reference number for the copied handle, the anti-virus application can then open the exclusively locked file and scan the exclusively locked file as it would any other file.
    Type: Grant
    Filed: April 4, 2006
    Date of Patent: April 13, 2010
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 7665139
    Abstract: Accesses to critical tokens are monitored and malicious changes to the security privileges of those critical tokens are detected and prevented.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: February 16, 2010
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie
  • Patent number: 7664626
    Abstract: A method and apparatus for ambiguous-state support in virtual machine emulators executes a suspect application in a core emulation model for all versions, variations, or generations of a given computer system component and then branches at the point where ambiguous behavior is detected, i.e., at the occurrence/request/trigger of a version variable behavior by the suspect application. The state of the emulation up to the version variable behavior branch point is then copied, and each variable behavior branch is further emulated using variable specific emulation models and only from the point of ambiguity, i.e., from the point of variable behavior, forward.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: February 16, 2010
    Assignee: Symantec Corporation
    Inventor: Peter Ferrie
  • Patent number: 7617534
    Abstract: Techniques are disclosed for detecting manipulations of user-kernel transition registers (such as the SYSENTER/SYSCALL critical registers of Intel/AMD processors, respectively), and other such registers. In one embodiment, a register monitor agent is deployed at system boot-up, and continues monitoring target registers for manipulation during system use. If a manipulation is detected, then exclusions are checked to see if that manipulation is legitimate (e.g., caused by a trusted source). If not a legitimate manipulation, then reporting and/or corrective action can be taken. The techniques can be used in real-time and in any number of behavior blocking, antivirus, and/or intrusion prevention applications.
    Type: Grant
    Filed: August 26, 2005
    Date of Patent: November 10, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie, Matthew Conover
  • Patent number: 7607173
    Abstract: Calls to driver load functions, including associated driver objects to be loaded, are stalled and evaluated for indications of a rootkit. When a rootkit is indicated, protective action is taken, and optionally a user or system administrator is notified. Calls not indicative of a rootkit are released and allowed to load. In one embodiment, calls to currently loaded drivers and calls related to installation of new hardware are excluded from the evaluation for indications of a rootkit. In additional embodiments, sensitive structures and calls to sensitive structures of a computer system are also evaluated for indications of a rootkit.
    Type: Grant
    Filed: October 31, 2005
    Date of Patent: October 20, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie, Matthew Conover
  • Patent number: 7568233
    Abstract: An executable file containing malicious software can be packed using a packer to make the software difficult to detect. The executable file is loaded into the computer's memory and executed as a process. A memory dump module analyzes the address space for the process and identifies an executable file image within it. The memory dump module creates a memory dump file on the computer's storage device containing the file image and modifies the file to make it resemble a normal executable file. A signature scanning module scans the memory dump file for signatures of malicious software. If a signature is found in the file, a reporting module sends the host file for the process and the memory dump file to a security server for analysis.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: July 28, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie
  • Patent number: 7540026
    Abstract: A method includes stalling execution of a model specific register write function to write to a model specific register of a processor having a no-execute processor feature enabled, determining that the model specific register is a no-execute model specific register of the processor, and determining whether a no-execute field in the no-execute model specific register is being altered. Upon a determination that the no-execute field is being altered, the method further includes taking protective action to prevent disabling of the no-execute processor feature.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: May 26, 2009
    Assignee: Symantec Corporation
    Inventors: Peter Szor, Peter Ferrie
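
Patent 8402541 and its publication 20100235913 (above) describe disassembling a collection of data that is not expected to contain executable code, analysing the control flow of the resulting "possible instructions" for an execution loop, and assigning a weight that expresses how suspicious the sequence is. The following is an added illustration, not code from the patent or from Microsoft: a toy Python sweep that decodes a deliberately small x86-32 opcode subset, follows jumps and calls, and flags three things a decoder stub tends to exhibit (control flow re-entering already-decoded code, a call whose target is a pop, and an xor with a memory operand), then sums assumed weights against an assumed threshold. The opcode subset, the weights and threshold, the decoder-stub bytes and the text sample are all constructed for this example.

```python
"""Toy form of the 'disassemble data that should not contain code' heuristic:
decode a small x86-32 subset, follow control flow, and score what turns up."""
import struct
from collections import namedtuple

Insn = namedtuple("Insn", "mnem length target mem")
# Weights and threshold are assumed for this example; they are not values from the patent.
WEIGHTS = {"loop": 40, "getpc": 35, "xor_decode": 20}
SUSPICIOUS_THRESHOLD = 60

def decode(data, off):
    """Decode one instruction of a small x86-32 subset; None means 'not code, stop'.
    target: absolute offset a jmp/jcc/call/loop goes to. mem: has a memory operand."""
    fits = lambda n: off + n <= len(data)
    rel = lambda n, fmt: off + n + struct.unpack_from(fmt, data, off + 1)[0]
    b = data[off]
    if b == 0x90: return Insn("nop", 1, None, False)
    if b == 0xC3: return Insn("ret", 1, None, False)
    if 0x40 <= b <= 0x5F:                      # inc/dec/push/pop r32, one byte each
        return Insn(("inc", "dec", "push", "pop")[(b - 0x40) >> 3], 1, None, False)
    if 0xB0 <= b <= 0xB7 and fits(2): return Insn("mov", 2, None, False)   # mov r8, imm8
    if 0xB8 <= b <= 0xBF and fits(5): return Insn("mov", 5, None, False)   # mov r32, imm32
    if b in (0x6A, 0xCD) and fits(2): return Insn("push" if b == 0x6A else "int", 2, None, False)
    if b == 0x68 and fits(5): return Insn("push", 5, None, False)
    if b == 0xEB and fits(2): return Insn("jmp", 2, rel(2, "<b"), False)
    if 0x70 <= b <= 0x7F and fits(2): return Insn("jcc", 2, rel(2, "<b"), False)
    if 0xE0 <= b <= 0xE2 and fits(2): return Insn("loop", 2, rel(2, "<b"), False)  # loopne/loope/loop
    if b in (0xE8, 0xE9) and fits(5): return Insn("call" if b == 0xE8 else "jmp", 5, rel(5, "<i"), False)
    if b in (0x30, 0x31, 0x32, 0x33, 0x80, 0x88, 0x89, 0x8A, 0x8B) and fits(2):
        modrm = data[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # Simple ModRM forms only: register-direct, [reg], [reg+disp8]; no SIB, no disp32.
        if mod == 3 or (mod == 0 and rm not in (4, 5)): extra = 0
        elif mod == 1 and rm != 4: extra = 1
        else: return None
        if b == 0x80:                          # group 1 with imm8; /6 is xor r/m8, imm8
            mnem, extra = ("xor" if reg == 6 else "alu"), extra + 1
        else:
            mnem = "xor" if b <= 0x33 else "mov"
        return Insn(mnem, 2 + extra, None, mod != 3) if fits(2 + extra) else None
    return None

def trace(data, start, max_insns=64):
    """Sweep from start following jmp/call. Features: control flow re-entering decoded
    code (a loop), a call whose target is a pop (code locating itself), xor to memory."""
    feats = {"insns": 0, "loop": False, "getpc": False, "xor_decode": False}
    visited, off, prev = set(), start, None
    while 0 <= off < len(data) and feats["insns"] < max_insns:
        if off in visited:                     # execution came back to decoded code
            feats["loop"] = True
            break
        ins = decode(data, off)
        if ins is None:
            break
        visited.add(off)
        feats["insns"] += 1
        if ins.mnem == "pop" and prev is not None and prev.mnem == "call" and prev.target == off:
            feats["getpc"] = True
        if ins.mnem == "xor" and ins.mem:
            feats["xor_decode"] = True
        if ins.mnem == "ret":
            break
        if ins.mnem in ("jmp", "call"):
            off = ins.target                   # follow unconditional transfers
        else:
            if ins.mnem in ("jcc", "loop") and ins.target in visited:
                feats["loop"] = True           # backward conditional branch
            off += ins.length
        prev = ins
    return feats

def score(feats):
    s = sum(w for k, w in WEIGHTS.items() if feats[k])
    return s + (10 if feats["insns"] >= 6 else 0)   # a long decodable run adds a little

def scan(data):
    """Try every offset as an entry point and report the most suspicious trace."""
    best = {"score": -1, "start": None, "features": None}
    for start in range(len(data)):
        feats = trace(data, start)
        s = score(feats)
        if s > best["score"]:
            best = {"score": s, "start": start, "features": feats}
    best["suspicious"] = best["score"] >= SUSPICIOUS_THRESHOLD
    return best

# Constructed samples: a self-locating xor decoder stub, and ordinary text.
DECODER_STUB = bytes.fromhex(
    "EB0B"          # 0:  jmp short 13
    "5E"            # 2:  pop esi             ; esi = return address pushed by the call = 18
    "31C9"          # 3:  xor ecx, ecx
    "B10C"          # 5:  mov cl, 12
    "8036AA"        # 7:  xor byte [esi], 0xAA
    "46"            # 10: inc esi
    "E2FA"          # 11: loop 7
    "E8F0FFFFFF"    # 13: call 2
) + bytes(c ^ 0xAA for c in b"payload12345")   # 18: twelve xor-encoded payload bytes
PLAIN_TEXT = b"Ordinary document text with some digits, 1024 and 2048, and nothing else."
```

Calling scan(DECODER_STUB) reports a trace from offset 0 that follows the jmp and the call, sees the pop at the call's target, the xor to [esi] and the backward loop, and scores well above the threshold; scan(PLAIN_TEXT) stays low. The text case is the reason single features carry little weight: printable ASCII decodes as perfectly valid inc/dec/push/pop and short forward jcc, and digits in front of a ModRM-shaped byte decode as xor, so a real engine (which decodes the full instruction set, including 64-bit) tunes its weights against large benign corpora and relies most on control-flow evidence such as a backward branch or a call/pop pair.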
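
Patent 7568233 (above) describes dumping the image of a packed executable from the running process and "modifying the file to make it resemble a normal executable file" before scanning it for signatures. The modification that makes a dump scannable is rewriting the section table: a process image is laid out by relative virtual address, while a file-based scanner reads each section via PointerToRawData and SizeOfRawData, which in the dump still describe the packed file on disk. The following is an added example, not Symantec's or the patent's code: it builds a constructed PE32 image in memory in which the unpacker has already written plain code at the .text section's RVA, shows that reading .text by file offset misses it, and shows that setting each section's raw pointer and size to its virtual address and size (and FileAlignment to SectionAlignment) makes it visible. The signature string, code bytes and header values are constructed for this illustration.

```python
"""Repair the section table of a PE dumped from process memory so that tools
which read sections by file offset see the unpacked code."""
import struct

PE32_MAGIC = 0x10B
# Constructed for this example: the "unpacked" code and the signature a scanner looks for.
SIGNATURE = b"EXAMPLE-PAYLOAD-SIGNATURE"
UNPACKED_CODE = b"\x55\x89\xe5" + SIGNATURE + b"\xc9\xc3"   # push ebp; mov ebp,esp; ...; leave; ret

def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def section_headers(image):
    """Yield (header_offset, name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    pe = u32(image, 0x3C)                        # IMAGE_DOS_HEADER.e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = u16(image, pe + 6)               # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = u16(image, pe + 20)               # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first = pe + 24 + opt_size
    for i in range(nsections):
        h = first + 40 * i
        name = image[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, h + 8)
        yield h, name, vsize, va, rawsize, rawptr

def read_section(image, name):
    """Read a section the way a file-based scanner does: by PointerToRawData/SizeOfRawData."""
    for _, n, _, _, rawsize, rawptr in section_headers(image):
        if n == name:
            return image[rawptr:rawptr + rawsize]
    raise KeyError(name)

def fix_dump(image):
    """Return a copy of a memory dump whose section table describes the in-memory layout:
    PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize and
    FileAlignment = SectionAlignment, so that file offsets equal RVAs."""
    out = bytearray(image)
    opt = u32(out, 0x3C) + 24                    # IMAGE_OPTIONAL_HEADER
    sect_align = u32(out, opt + 0x20)
    struct.pack_into("<I", out, opt + 0x24, sect_align)            # FileAlignment
    for h, _, vsize, va, _, _ in list(section_headers(image)):
        struct.pack_into("<II", out, h + 16, vsize, va)            # SizeOfRawData, PointerToRawData
    return bytes(out)

def build_dumped_image():
    """Constructed image of a packed PE32 after its unpacker has run: the section table
    still describes the packed file on disk, but the bytes at .text's RVA are the decoded
    code. Not a real sample."""
    image = bytearray(0x2000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                      # e_lfanew
    pe = 0x40
    image[pe:pe + 4] = b"PE\0\0"
    # Machine=i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", image, opt, PE32_MAGIC)
    struct.pack_into("<I", image, opt + 0x10, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 0x1C, 0x00400000)          # ImageBase
    struct.pack_into("<II", image, opt + 0x20, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", image, opt + 0x38, 0x2000, 0x200)      # SizeOfImage, SizeOfHeaders
    sh = opt + 0xE0
    image[sh:sh + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (the on-disk, packed layout)
    struct.pack_into("<IIII", image, sh + 8, 0x1000, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", image, sh + 36, 0x60000020)             # CODE | EXECUTE | READ
    image[0x1000:0x1000 + len(UNPACKED_CODE)] = UNPACKED_CODE      # what the unpacker wrote
    return bytes(image)

if __name__ == "__main__":
    dump = build_dumped_image()
    print("raw dump, .text by file offset:", SIGNATURE in read_section(dump, ".text"))            # False
    print("fixed dump, .text by file offset:", SIGNATURE in read_section(fix_dump(dump), ".text"))  # True
```

On the raw dump, read_section follows the on-disk pointer (0x200) into header padding and the signature is not found; after fix_dump the same call reads from RVA 0x1000 and finds it. A real dump needs two further repairs that this example leaves alone: AddressOfEntryPoint must be pointed at the unpacked code's original entry point rather than the packer stub, and the import table has to be rebuilt, which is the problem patent 8621606 in this list addresses by recording the external functions an emulated sample touches.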