Patents by Inventor Ryan C. Salsamendi

Ryan C. Salsamendi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11036859
    Abstract: Generating a set of attempted external contacts associated with a malware sample is disclosed. A malware sample is executed in an accelerated computing environment. In the accelerated computing environment, a guest time is advanced more quickly than a time by which a host time is advanced. A set of one or more attempted external contacts generated by the executing malware sample is recorded. The set of attempted external contacts includes at least one generated domain name. A remedial action is taken with respect to the generated domain name.
    Type: Grant
    Filed: March 10, 2020
    Date of Patent: June 15, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Robert A. Seger
  • Patent number: 10846404
    Abstract: Generating a set of attempted external contacts associated with a malware sample is disclosed. A malware sample is executed in an accelerated computing environment. In the accelerated computing environment, a guest time is advanced more quickly than a time by which a host time is advanced. A set of one or more attempted external contacts generated by the executing malware sample is recorded. The set of attempted external contacts is provided as output.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: November 24, 2020
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Robert A. Seger
  • Publication number: 20200210581
    Abstract: Generating a set of attempted external contacts associated with a malware sample is disclosed. A malware sample is executed in an accelerated computing environment. In the accelerated computing environment, a guest time is advanced more quickly than a time by which a host time is advanced. A set of one or more attempted external contacts generated by the executing malware sample is recorded. The set of attempted external contacts includes at least one generated domain name. A remedial action is taken with respect to the generated domain name.
    Type: Application
    Filed: March 10, 2020
    Publication date: July 2, 2020
    Inventors: Ryan C. Salsamendi, Robert A. Seger
  • Patent number: 10505975
    Abstract: Techniques for automatic repair of corrupt files (e.g., malware sample files) for a detonation engine are disclosed. In some embodiments, a system, process, and/or computer program for automatic repair of corrupt files for a detonation engine includes receiving a malware sample from a network device; determining whether the malware sample includes a corrupt file; and in an event that the malware sample is determined to include the corrupt file, repairing the corrupt file for the detonation engine.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: December 10, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventor: Ryan C. Salsamendi
  • Patent number: 10152597
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: December 11, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu
  • Publication number: 20180048659
    Abstract: Techniques for automatic repair of corrupt files (e.g., malware sample files) for a detonation engine are disclosed. In some embodiments, a system, process, and/or computer program for automatic repair of corrupt files for a detonation engine includes receiving a malware sample from a network device; determining whether the malware sample includes a corrupt file; and in an event that the malware sample is determined to include the corrupt file, repairing the corrupt file for the detonation engine.
    Type: Application
    Filed: July 18, 2017
    Publication date: February 15, 2018
    Inventor: Ryan C. Salsamendi
  • Patent number: 9805193
    Abstract: Generating a set of attempted external contacts associated with a malware sample is disclosed. A malware sample is executed in an accelerated computing environment. In the accelerated computing environment, a guest time is advanced more quickly than a time by which a host time is advanced. A set of one or more attempted external contacts generated by the executing malware sample is recorded. The set of attempted external contacts is provided as output.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: October 31, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Robert A. Seger
  • Patent number: 9742796
    Abstract: Techniques for automatic repair of corrupt files (e.g., malware sample files) for a detonation engine are disclosed. In some embodiments, a system, process, and/or computer program for automatic repair of corrupt files for a detonation engine includes receiving a malware sample from a network device; determining whether the malware sample includes a corrupt file; and in an event that the malware sample is determined to include the corrupt file, repairing the corrupt file for the detonation engine.
    Type: Grant
    Filed: September 18, 2015
    Date of Patent: August 22, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventor: Ryan C. Salsamendi
  • Patent number: 9542554
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: January 10, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu
  • Patent number: 9292417
    Abstract: Methods and systems allow the use of hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety because of the inability of the malware to write to memory locations that are located on a page that is execute only.
    Type: Grant
    Filed: August 7, 2013
    Date of Patent: March 22, 2016
    Assignee: Raytheon Cyber Products, LLC
    Inventor: Ryan C. Salsamendi
  • Patent number: 9146767
    Abstract: This disclosure addresses systems and methods for the protection of hardware and software in a computing environment. A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines. The hypervisor-monitor may intercept exceptions generated by one or more processors in the host system and inspect software instructions for the hypervisor and the guests. Inspection may include performing a hash of the software instructions and a comparison of the hash with authorized software modules or a set of known malware. In this manner the hypervisor-monitor may prevent the execution of malware by the hypervisor or the guests or provide a record of when code of an unknown origin was executed.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: September 29, 2015
    Assignee: Raytheon Company
    Inventors: Ryan C. Salsamendi, Michael J. Simms, John R. Wagner
  • Publication number: 20150046908
    Abstract: Methods and systems allow the use of hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety because of the inability of the malware to write to memory locations that are located on a page that is execute only.
    Type: Application
    Filed: August 7, 2013
    Publication date: February 12, 2015
    Applicant: Raytheon Company
    Inventor: Ryan C. Salsamendi
  • Publication number: 20140068601
    Abstract: Embodiments of a system and method for live computer forensics are generally described herein. The system can include a first hypervisor configured to halt a computer system, the computer system including a central processing unit, a drive, a volatile memory, and a non-volatile memory. The first hypervisor can be configured to collect data representative of the state of the computer system at the time the computer system was halted. The data representative of the state of the computer system can include the contents of the volatile and non-volatile memory at the time the computer system was halted, wherein at least a portion of the collected data is representative of the state of the central processing unit and the contents of the drive, at the time the computer system was halted.
    Type: Application
    Filed: August 30, 2012
    Publication date: March 6, 2014
    Applicant: Raytheon Company
    Inventors: Michael J. Simms, Ryan C. Salsamendi, John R. Wagner
  • Publication number: 20130340077
    Abstract: This disclosure addresses systems and methods for the protection of hardware and software in a computing environment. A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines. The hypervisor-monitor may intercept exceptions generated by one or more processors in the host system and inspect software instructions for the hypervisor and the guests. Inspection may include performing a hash of the software instructions and a comparison of the hash with authorized software modules or a set of known malware. In this manner the hypervisor-monitor may prevent the execution of malware by the hypervisor or the guests or provide a record of when code of an unknown origin was executed.
    Type: Application
    Filed: February 19, 2013
    Publication date: December 19, 2013
    Applicant: Raytheon Company
    Inventors: Ryan C. Salsamendi, Michael J. Simms, John R. Wagner