Title: Detection of spyware threats within virtual machines
Abstract: A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.
Publication number: US9531752(B2) Publication date: 2016.12.27
Application number: US201514693170 Filing date: 2015.04.22
Applicant: University of Washington Inventors: Gribble Steven;Levy Henry;Moshchuk Alexander;Bragin Tanya
Classification: G06F11/00;H04L29/06;G06F9/455;G06F21/53;G06F21/56;G06F21/55 Main classification: G06F11/00
Agency: Perkins Coie LLP Agent: Perkins Coie LLP
Principal claim: 1. A method for preventing sources of content that are accessible over a network from installing spyware or other undesired items into a user environment, the method comprising:
    producing a virtual machine on a computing device and installing an operating system on the virtual machine to create a virtual machine environment configured to test a potential source of content accessible on the network, to determine if the potential source of content attempts to install spyware;
    automatically loading the content from the potential source of content within the virtual machine environment;
    determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, by—
        detecting whether at least one of a plurality of predefined triggers are fired, and
        in the case where at least one of the plurality of predefined triggers is detected, determining that the potential source of content is at least attempting to perform an attack in the virtual machine environment;
    wherein the predefined triggers comprise at least one of—
        determining which processes of the virtual machine are either a browser process or known helper processes associated with the browser process and detecting that a new process is launched, excluding the browser process and known helper processes;
        determining which folders are safe folders and detecting that a file is created or modified outside of the determined safe folders;
        determining which processes of the virtual machine are either the browser process or known helper processes associated with the browser process and detecting that a process besides the determined browser process and its known helper processes performed a file creation or modification;
        determining which registry entries are sensitive registry entries and detecting that one of the sensitive registry entries is modified;
        determining that the browser process or an operating system process has crashed or has stopped responding; or
        any combination thereof; and
    communicating results of the determining whether or not the potential source of content has at least attempted to install spyware in the virtual machine environment, the results indicating either that the potential source of content has not at least attempted to install spyware in the virtual machine environment or that the potential source of content has at least attempted to install spyware in the virtual machine environment;
    wherein producing the virtual machine, automatically loading the content, and determining whether or not the potential source of content has at least attempted to install spyware are each performed by a spyproxy module executing on a machine remote from a machine executing at least part of the user environment, wherein the machine remote from the machine executing at least part of the user environment comprises at least one of a web-server, an internet service provider, a firewall server, a third-party service provider, or any combination thereof.
Address: Seattle WA US
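As an added illustration (not part of the patent record or the University of Washington's code), the following Python sketches the trigger evaluation that claim 1 describes: a monitor inside the clean VM records process launches, file writes, registry writes and crashes, and each event is checked against the predefined triggers. The browser and helper process names, safe folders, sensitive registry keys and the two event traces are all constructed assumptions; the patent names the trigger categories but no concrete values.

```python
from dataclasses import dataclass

# Constructed policy values: the patent names these trigger categories but
# not concrete process names, folders or registry keys, so these are assumed.
BROWSER_PROCESSES = {"browser.exe"}
HELPER_PROCESSES = {"browser_helper.exe"}
OS_PROCESSES = {"explorer.exe"}
SAFE_FOLDERS = ("c:\\users\\victim\\appdata\\local\\browser\\cache\\",)
SENSITIVE_REGISTRY_KEYS = ("hklm\\software\\microsoft\\windows\\currentversion\\run",)

@dataclass
class Event:
    kind: str    # "process_start" | "file_write" | "registry_write" | "crash"
    actor: str   # process that performed the action, or that crashed
    target: str  # launched process name, file path, or registry key

def is_browser_side(proc: str) -> bool:
    return proc in BROWSER_PROCESSES or proc in HELPER_PROCESSES

def fired_triggers(events: list[Event]) -> list[str]:
    """Return the predefined triggers fired by events recorded inside the VM."""
    fired = []
    for e in events:
        t = e.target.lower()   # Windows paths and keys compare case-insensitively
        if e.kind == "process_start" and not is_browser_side(e.target):
            fired.append(f"new process launched: {e.target}")
        elif e.kind == "file_write":
            if not t.startswith(SAFE_FOLDERS):
                fired.append(f"file written outside safe folders: {e.target}")
            if not is_browser_side(e.actor):
                fired.append(f"non-browser process wrote a file: {e.actor}")
        elif e.kind == "registry_write" and t.startswith(SENSITIVE_REGISTRY_KEYS):
            fired.append(f"sensitive registry entry modified: {e.target}")
        elif e.kind == "crash" and (is_browser_side(e.actor) or e.actor in OS_PROCESSES):
            fired.append(f"browser or OS process crashed: {e.actor}")
    return fired

def verdict(events: list[Event]) -> str:
    return "attack" if fired_triggers(events) else "no spyware detected"

# Constructed event traces, as a monitor inside the clean VM might record them.
BENIGN_VISIT = [
    Event("file_write", "browser.exe", "C:\\Users\\victim\\AppData\\Local\\Browser\\Cache\\page.html"),
]
DRIVE_BY_VISIT = [
    Event("file_write", "browser.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe"),
    Event("process_start", "browser.exe", "setup.exe"),
    Event("file_write", "setup.exe", "C:\\Program Files\\Adware\\ad.dll"),
    Event("registry_write", "setup.exe", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adware"),
]
```

Because a single fired trigger is enough for the claim's determination, the benign cache write yields no triggers while the drive-by trace fires five (temp-folder write, unknown process launch, write outside safe folders by a non-browser process, and a sensitive Run-key modification).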