Obfuscated malware detection
US8176559B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Dec 16, 2009 |
| Grant date | May 8, 2012 |
| Priority date | — |
| Expiry date | Nov 11, 2030 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F21/577
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.