Dynamic detection of computer worms

US 20040158725A1
Filed: 02/06/2003
Published: 08/12/2004
Est. Priority Date: 02/06/2003
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious computer code in a host computer, said method comprising the steps of:

determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;

when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a string from a pre-established runtime database of executable threads is present in said data; and

when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer-readable media for detecting malicious computer code in a host computer (1). A method embodiment of the present invention comprises the steps of determining (32) whether data leaving the host computer (1) is addressed to exit a port (15) of the host computer (1) where outbound executable content normally does not appear; when the data is addressed to exit such a port (15), determining (33) whether a string (24) from a pre-established runtime database (9) of executable threads is present in said data; and when a string (24) from said runtime database (9) is present in said data, declaring (34) a suspicion of presence of malicious computer code in said data.

101 Citations

View as Search Results

39 Claims

1. A method for detecting malicious computer code in a host computer, said method comprising the steps of:
- determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
  
  when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a string from a pre-established runtime database of executable threads is present in said data; and
  
  when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The method of claim 1 wherein the data is in the form of packets.
  - 3. The method of claim 1 wherein the data is stream data.
  - 4. The method of claim 1 wherein a port where outbound executable content normally does not appear comprises an HTTP Internet port.
  - 5. The method of claim 1 wherein a port where outbound executable content normally does not appear comprises port 80.
  - 6. The method of claim 1 wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on said host computer.
  - 7. The method of claim 6 wherein the thread analyzer:
    - takes a hash of each thread being executed on said host computer; and
      
      stores said hash and a corresponding string from said thread in the runtime database only upon the condition that said hash is not already present in said runtime database.
  - 8. The method of claim 6 wherein the thread analyzer is coupled to a tracking module associated with a multi-threading operating system resident on the host computer.
  - 9. The method of claim 8 wherein the tracking module is a software module from the group of modules comprising tracker.sys and filter.sys.
  - 10. The method of claim 6 wherein the thread analyzer creates a record for each thread that executes on the host computer, each said record comprising a thread identification, a string representative of the thread, and a start address of the string.
  - 11. The method of claim 10 wherein each string in the runtime database has a pre-established fixed length.
  - 12. The method of claim 10 wherein each record further comprises a start address of the string, a location from the group of locations comprising a start address of the thread and a start address following a jump instruction within the thread.
  - 13. The method of claim 10 wherein each record further comprises a hash of the string.
  - 14. The method of claim 13 wherein just a portion of the string is hashed.
  - 15. The method of claim 1 wherein the step of determining whether a string from the runtime database is present in the outgoing packet comprises comparing strings in the runtime database with contents of the outgoing data.
  - 16. The method of claim 1 wherein the step of determining whether a string from the runtime database is present in the outgoing packet comprises:
    - calculating hashes of strings within the outgoing data; and
      
      comparing calculated hashes with prestored hashes of strings stored within the runtime database.
  - 17. The method of claim 16 wherein the step of determining whether a string from the runtime database is present in the outgoing data comprises:
    - determining whether a calculated hash matches a prestored hash; and
      
      when a calculated hash matches a prestored hash, determining whether a string in the outbound data matches a string stored in the runtime database.
  - 18. The method of claim 1 wherein a suspicion of presence of malicious code in the data is flagged to a user of the host computer.
  - 19. The method of claim 1 wherein data suspected of containing malicious code is subjected to a false positive mitigation procedure.
  - 20. The method of claim 19 wherein the false positive mitigation procedure comprises checking the data for the presence of a digital signature from a trusted party.
  - 21. The method of claim 19 wherein the false positive mitigation procedure comprises subjecting the data to further analysis.
  - 22. The method of claim 19 wherein the false positive mitigation procedure comprises allowing a process from a list of preapproved processes to pass unmolested to the port.
  - 23. The method of claim 22 wherein said list comprises the process calc.exe.
  - 24. The method of claim 1 further comprising the step of quarantining the data containing suspected malicious computer code.
  - 25. The method of claim 1 further comprising the step of repairing the malicious computer code.
  - 26. The method of claim 1 further comprising the step of deleting from the host computer a process corresponding to the string from the runtime database that has been found to be present in said data.
  - 27. The method of claim 1 further comprising the step of stopping the data containing the suspected malicious computer code from exiting the host computer.
  - 28. The method of claim 1 further comprising, prior to said second determining step, the step of decoding the data.
  - 29. The method of claim 1 further comprising, prior to said second determining step, the step of ascertaining whether the data is encoded.
  - 30. The method of claim 1 further comprising the step of specifying threads that are to be represented in the runtime database.
  - 31. The method of claim 1 further comprising the step of eliminating excess information from said runtime database.
  - 32. The method of claim 31 wherein said eliminating step comprises removing a string from the runtime database upon the command of an operating system executing on the host computer.
  - 33. The method of claim 31 wherein said eliminating step comprises removing a string from the runtime database when a thread corresponding to said string has not executed on the host computer for a preselected period of time.
  - 34. The method of claim 31 wherein said eliminating step comprises deleting a string from said runtime database when contents of said database exceed a preselected size.

35. A computer-readable medium containing computer program instructions for detecting malicious computer code in data leaving a host computer, said computer program instructions performing the steps of:
- determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
  
  when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a string from a pre-established runtime database of executable threads is present in said data; and
  
  when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.

36. Apparatus for detecting malicious computer code in a host computer, said apparatus comprising:
- a filter adapted to determine whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
  
  a runtime database containing strings from threads that have executed on said host computer; and
  
  coupled to the filter and to the runtime database, a matching module for determining whether a string from the runtime database is present in said data.
- View Dependent Claims (37, 38, 39)
- - 37. The apparatus of claim 36 further comprising a thread analyzer adapted to extract strings from threads executing on the host computer, and to place said strings into said runtime database.
  - 38. The apparatus of claim 36 further comprising:
    - a tracking module adapted to identify threads executing on the host computer; and
      
      a user interface coupled to the tracking module, said user interface adapted to permit a user of the host computer to instruct the tracking module as to threads that should be tracked by said tracking module.
  - 39. The apparatus of claim 36 further comprising, coupled to the runtime database, a garbage collector module for periodically purging contents of said runtime database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter

Granted Patent

US 7,293,290 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Dynamic detection of computer worms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic detection of computer worms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links