Detection of spyware threats within virtual machine

Assignee

• University of Washington through its Center for Commercialization · US

Inventors

• Steven Gribble · Seattle, US
• Henry M. Levy · Seattle, US
• Alexander Moshchuk · Seattle, US
• Tanya Bragin · Seattle, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1491
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.