| CPC H04L 63/1425 (2013.01) [G06F 21/53 (2013.01); H04L 63/0263 (2013.01); H04L 63/1483 (2013.01)] | 17 Claims |

1. A system for deobfuscating malware with abstract execution, comprising:
a processor; and
a memory coupled to the processor that stores instructions executed by the processor, configured to:
receive a sample;
perform an abstract execution of a script included in the sample, comprising to:
parse the script to generate an abstract syntax tree;
select a function of the abstract syntax tree; and
build, for the selected function, a control flow graph for analysis of all branches of the abstract syntax tree, comprising to:
for a node that remains to be analyzed of the abstract syntax tree:
determine that the node corresponds to an unknown branch point;
in response to a determination that the node corresponds to the unknown branch point, add both sides of the node to a set of nodes that remains to be analyzed;
determine whether a loop exists based on the set of nodes that remains to be analyzed; and
in response to a determination that the loop exists, unroll the loop to predict an exact control flow within the function;
identify the sample as malware based on the abstract execution of the script included in the sample;
generate a log of results from the abstract execution of the script included in the sample;
determine whether the sample is malicious based on the generated log of results from the abstract execution of the script included in the sample; and
in response to a determination that the sample is malicious, generate a signature to detect a new malware family.
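The claim above describes a pipeline (parse to an AST, lower a function to a control flow graph, explore every side of each branch whose condition cannot be resolved, detect loops, unroll them to recover the real control flow, log the resolved calls, derive a signature). The following is an added, self-contained Python illustration of that pipeline written for this page; it is not code from the patent or its assignee. It assumes a toy tuple-based AST (constructed here), represents an unknown value as a single abstract TOP, detects a loop when a branch header is revisited on the same path, and caps unrolling at an assumed MAX_UNROLL when the exit condition never resolves. The sample scripts and the call names Invoke, Echo and Poll are constructed inputs.

```python
"""Toy abstract executor: AST -> CFG -> worklist exploration with branch forking,
loop detection and bounded unrolling, logging resolved call targets.  Example code."""

TOP = object()   # abstract "unknown" value (e.g. anything derived from external input)
MAX_UNROLL = 8   # assumed bound on loop-header visits when the exit condition stays unknown


class CFG:
    """Control flow graph: node id -> (kind, payload) and node id -> successor ids."""

    def __init__(self):
        self.nodes, self.succ = {}, {}

    def add(self, kind, payload=None):
        nid = len(self.nodes)
        self.nodes[nid], self.succ[nid] = (kind, payload), []
        return nid


def lower(cfg, stmts, next_id):
    """Lower a statement list into CFG nodes (walked in reverse so successors exist first).
    Statement forms (constructed AST): ("assign", var, expr), ("call", name, [expr...]),
    ("if", cond, then_body, else_body), ("while", cond, body).  Returns the entry node id."""
    for stmt in reversed(stmts):
        kind = stmt[0]
        if kind in ("assign", "call"):
            nid = cfg.add(kind, stmt[1:])
            cfg.succ[nid] = [next_id]
        elif kind == "if":
            _, cond, then_body, else_body = stmt
            nid = cfg.add("branch", cond)
            cfg.succ[nid] = [lower(cfg, then_body, next_id), lower(cfg, else_body, next_id)]
        elif kind == "while":
            _, cond, body = stmt
            nid = cfg.add("branch", cond)                       # loop header
            cfg.succ[nid] = [lower(cfg, body, nid), next_id]     # body edges back to the header
        else:
            raise ValueError(kind)
        next_id = nid
    return next_id


def build_cfg(stmts):
    cfg = CFG()
    exit_id = cfg.add("exit")
    return cfg, lower(cfg, stmts, exit_id), exit_id


def eval_expr(expr, state):
    """Abstract evaluation: any operand that is TOP makes the result TOP."""
    op = expr[0]
    if op == "const":
        return expr[1]
    if op == "var":
        return state.get(expr[1], TOP)
    if op == "input":
        return TOP
    a, b = eval_expr(expr[1], state), eval_expr(expr[2], state)
    if a is TOP or b is TOP:
        return TOP
    ops = {"concat": lambda: str(a) + str(b), "add": lambda: a + b,
           "lt": lambda: a < b, "index": lambda: a[b]}
    return ops[op]()


def abstract_execute(cfg, entry):
    """Worklist exploration.  An unknown branch point forks the path so both sides are
    analysed; a second visit to a branch header on one path marks a loop, which is unrolled
    until its condition resolves or MAX_UNROLL visits are reached."""
    calls, loops, bounded = [], [], False
    worklist = [(entry, {}, {})]   # (node id, variable state, header visit counts on this path)
    while worklist:
        nid, state, counts = worklist.pop()
        kind, payload = cfg.nodes[nid]
        if kind == "exit":
            continue
        if kind == "assign":
            var, expr = payload
            state = dict(state, **{var: eval_expr(expr, state)})
            worklist.append((cfg.succ[nid][0], state, counts))
        elif kind == "call":
            name, args = payload
            vals = [eval_expr(a, state) for a in args]
            calls.append((name, ["<unknown>" if v is TOP else v for v in vals]))   # the log
            worklist.append((cfg.succ[nid][0], state, counts))
        else:  # branch
            counts = dict(counts)
            counts[nid] = counts.get(nid, 0) + 1
            if counts[nid] == 2 and nid not in loops:
                loops.append(nid)          # revisited on the same path: a loop exists
            if counts[nid] > MAX_UNROLL:
                bounded = True             # condition never resolved; stop unrolling this path
                continue
            cond = eval_expr(payload, state)
            taken, not_taken = cfg.succ[nid]
            if cond is TOP:
                worklist.append((taken, state, counts))       # unknown branch point:
                worklist.append((not_taken, state, counts))   # analyse both sides
            else:
                worklist.append((taken if cond else not_taken, state, counts))
    return {"calls": calls, "loops": loops, "bounded": bounded}


def analyze(stmts):
    cfg, entry, _ = build_cfg(stmts)
    return abstract_execute(cfg, entry)


def signature(result):
    """Simple signature: the sorted set of call targets with their resolved arguments."""
    return sorted(f"{name}({','.join(map(str, args))})" for name, args in result["calls"])


# Constructed sample: a string is rebuilt chunk by chunk in a counted loop (typical string
# obfuscation), then used in a call guarded by a condition on external input.
OBFUSCATED_SAMPLE = [
    ("assign", "chunks", ("const", ["Dec", "oded.", "Target"])),
    ("assign", "s", ("const", "")),
    ("assign", "i", ("const", 0)),
    ("while", ("lt", ("var", "i"), ("const", 3)), [
        ("assign", "s", ("concat", ("var", "s"), ("index", ("var", "chunks"), ("var", "i")))),
        ("assign", "i", ("add", ("var", "i"), ("const", 1))),
    ]),
    ("if", ("lt", ("input",), ("const", 5)),
        [("call", "Invoke", [("var", "s")])],
        [("call", "Echo", [("const", "benign")])]),
]

# Constructed sample: a loop whose exit depends only on unknown input (needs the bound).
UNKNOWN_LOOP_SAMPLE = [
    ("while", ("lt", ("input",), ("const", 5)), [("call", "Poll", [("const", "x")])]),
]

if __name__ == "__main__":
    r = analyze(OBFUSCATED_SAMPLE)
    print(r, signature(r))
    print(analyze(UNKNOWN_LOOP_SAMPLE))
```

Running the first sample resolves the concatenated string even though it is never written out in the script, and the log records both the `Invoke` and the `Echo` call because the guarding condition is unknown; the second sample shows the bound stopping an otherwise endless unrolling while still logging the repeated call.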