Mandiant, Inc.
Detecting delayed activation malware using a primary controller and plural time controllers

Abstract:

A malicious content detection (MCD) system and a computerized method for manipulating time use two or more time controllers operating within the MCD system in order to capture the behavior of delayed activation malware (time bombs). Each time controller may include a monitoring agent located in a software layer of a computer runtime environment configured to intercept software calls (e.g., API calls or system calls) and/or other time checks that seek to obtain a "current time," and time-dilation action logic located in a different layer (e.g., a hypervisor layer) configured to respond to the software calls by providing a "false" current time that indicates considerably more time has transpired than has actually elapsed on the real clock. Additionally, a primary controller may be used in some embodiments to configure and manage the time controllers.
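The mechanism the abstract describes, as an added illustration that is not code from the patent or from Mandiant: a TimeController answers each "current time" query with real start plus real elapsed time scaled by a dilation factor, and a primary controller runs the same sample under several factors and records which one makes a delayed-activation sample fire inside the real analysis budget. The host clock stand-in, the sample, the 7-day delay and the dilation factors are all constructed for the demo.

```python
# Added example (not from the patent): a minimal model of time dilation for
# exposing delayed-activation samples inside a real-time analysis budget.
# All clock values, delays and dilation factors below are constructed.
import time
from typing import Callable, Dict, Iterable, Optional


class FakeRealClock:
    """Deterministic stand-in for the host clock (time.time) so the demo runs offline."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TimeController:
    """Intercepts a 'current time' query and answers start + real_elapsed * dilation."""
    def __init__(self, dilation: float, real_clock: Callable[[], float] = time.time) -> None:
        self.dilation = dilation
        self.real_clock = real_clock
        self.real_start = real_clock()

    def current_time(self) -> float:
        return self.real_start + (self.real_clock() - self.real_start) * self.dilation


def delayed_sample(get_time: Callable[[], float], armed_at: float) -> bool:
    """Constructed stand-in for a time bomb: reports 'activated' once it sees armed_at reached."""
    return get_time() >= armed_at


def primary_controller(dilations: Iterable[float], delay_seconds: float,
                       real_budget_s: int) -> Dict[float, Optional[int]]:
    """Run the sample under one TimeController per dilation factor. Returns, per factor,
    the real second (1-based) at which the sample activated, or None if it never did."""
    results: Dict[float, Optional[int]] = {}
    for d in dilations:
        clock = FakeRealClock()
        ctrl = TimeController(d, clock.now)
        armed_at = ctrl.current_time() + delay_seconds  # sample arms itself off the dilated clock
        results[d] = None
        for real_second in range(1, real_budget_s + 1):
            clock.advance(1.0)  # one real second of monitoring
            if delayed_sample(ctrl.current_time, armed_at):
                results[d] = real_second
                break
    return results


if __name__ == "__main__":
    # 7-day delay, 300 real seconds of analysis: only the 10000x controller surfaces it.
    print(primary_controller([1.0, 100.0, 10_000.0], 7 * 86400, 300))
```

The undilated and 100x controllers never see the activation within 300 real seconds; the 10000x controller surfaces it at real second 61, which is the kind of result the primary controller would use to flag the sample.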

Status:

Grant

Type:

Utility

Filing date:

29 Jun 2016

Issue date:

7 Jul 2020