Intrusion prevention and remedy system
5 Assignments
0 Petitions
Abstract
According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device.
644 Citations
26 Claims
1. A computerized method, comprising:
- intercepting an incoming message from a remote source directed to an endpoint device, the incoming message is in response to a callback message sent from malware operating on the endpoint device;
- overwriting a first portion of information within the incoming message with a second portion of information including a neutralized version of at least a portion of the malware and the second portion of information includes at least (a) a callback identifier including an address of a destination device operating as a Command and Control (CnC) server or (b) a callback time used by the malware to determine when to attempt a subsequent communication with the destination device; and
- forwarding the incoming message including the second portion of the information to the endpoint device.

(Dependent claims 2 to 16 not shown.)

17. A computerized method comprising:
- scanning memory of an endpoint device;
- performing virtual analysis on information obtained from the scanned memory to (1) determine whether the information is malware and (2) generate callback check information corresponding to the malware;
- in response to a malicious callback session being detected based on the callback check information, intercepting an incoming message directed to the endpoint device, the incoming message being a response to a callback message from the endpoint device,
- substituting a first portion of information within the incoming message with a second portion of information, the second portion of information includes a code update that, when transmitted to the endpoint device, is configured to overwrite at least a portion of the malware at the endpoint device to mitigate operability of the malware by disrupting subsequent communication between the malware and a Command and Control (CnC) server, and
- providing the incoming message including the second portion of the information to the endpoint device,
- wherein the substituting of the first portion of information within the incoming message with the second portion of information comprises overwriting the first portion of information with the second portion of information changing either (i) a callback identifier including at least an address of the CnC server to preclude the subsequent communication to the CnC server or (ii) a callback time used by the malware to determine when to attempt the subsequent communication with the CnC server.

(Dependent claim 18 not shown.)

19. A system comprising:
- one or more hardware processors; and
- a non-transitory storage medium comprises;
  - interface logic to receive an incoming message from a remote source directed to an endpoint device in response to the endpoint device being previously detected as including a malware by detecting a callback message being sent from the endpoint device and the incoming message is in response to the callback message; and
  - a first analysis engine in communication with the interface logic, the first analysis engine to (i) intercept the incoming message, (ii) overwrite a first portion of information within the incoming message with a second portion of information including a neutralized version of at least a portion of the malware where the second portion of information includes at least (a) a callback identifier including an address of a destination device operating as a Command and Control (CnC) server or (b) a callback time used by the malware to determine when to attempt a subsequent communication with the destination device, and (iii) provide the incoming message including the second portion of the information to the endpoint device.

(Dependent claims 20 to 26 not shown.)
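The intercept-and-overwrite step of the abstract and of claims 1, 17 and 19, as an added illustration that is not code from the patent or its assignee. It assumes a constructed beacon-response format of `key=value` pairs separated by `;`, with field names `cnc` (the callback identifier) and `next` (the callback time in seconds); the sinkhole address and the "never" delay are likewise assumed values.

```python
from dataclasses import dataclass, field

# Assumed values for the example: an RFC 5737 documentation address on the
# discard port as the sinkhole, and a callback delay the malware will never reach.
SINKHOLE = "192.0.2.1:9"
MAX_CALLBACK_SECONDS = 2**31 - 1


@dataclass
class Rewrite:
    original: str
    neutralized: str
    changes: dict = field(default_factory=dict)  # field -> (old, new), for logging


def parse(message: str) -> dict:
    """Split the constructed 'k=v;k=v' wire format into a dict (order kept)."""
    fields = {}
    for pair in filter(None, message.split(";")):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {pair!r}")
        fields[key] = value
    return fields


def serialize(fields: dict) -> str:
    return ";".join(f"{k}={v}" for k, v in fields.items())


def neutralize_callback_response(message: str) -> Rewrite:
    """Overwrite the callback identifier (cnc) and callback time (next) in a
    CnC response, the substitution step of claims 1 and 17."""
    fields = parse(message)
    changes = {}
    if fields.get("cnc") not in (None, SINKHOLE):
        changes["cnc"] = (fields["cnc"], SINKHOLE)
        fields["cnc"] = SINKHOLE
    if "next" in fields:
        changes["next"] = (fields["next"], str(MAX_CALLBACK_SECONDS))
        fields["next"] = str(MAX_CALLBACK_SECONDS)
    return Rewrite(message, serialize(fields), changes)


def handle_incoming(endpoint: str, message: str, flagged: set) -> str:
    """Claim 19's gating: rewrite only for endpoints whose earlier callback was
    detected; everything else is forwarded untouched."""
    if endpoint not in flagged:
        return message
    return neutralize_callback_response(message).neutralized
```

The `changes` record is what an inline appliance would emit as the detection event; a response with neither field is forwarded unchanged with an empty record.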