Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

US 20070006308A1
Filed: 07/01/2005
Published: 01/04/2007
Est. Priority Date: 07/01/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-assisted method of reducing the spread of malware in an instant message (IM) system, comprising:

intercepting a buddy list sent from an IM server to an IM client;

adding one or more fictitious buddies to the intercepted buddy list;

forwarding the buddy list with the one or more fictitious buddies to the IM client; and

identifying a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. An IM filter module (IM FM) is configured to intercept a buddy list sent from an IM server to an IM client, add one or more fictitious buddies to the intercepted buddy list, and forward the buddy list with the one or more fictitious buddies to the IM client. The IM FM is further configured to identify a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies and to determine that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.

61 Citations

View as Search Results

40 Claims

1. A computer-assisted method of reducing the spread of malware in an instant message (IM) system, comprising:
- intercepting a buddy list sent from an IM server to an IM client;
  
  adding one or more fictitious buddies to the intercepted buddy list;
  
  forwarding the buddy list with the one or more fictitious buddies to the IM client; and
  
  identifying a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 3. The method of claim 1 further comprising:
    - blocking messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 4. The method of claim 1 further comprising:
    - interactively confirming with a user of the IM client whether the user intended to send the messages to the at least one of the fictitious buddies; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the messages to the at least one of the fictitious buddies.
  - 5. The method of claim 1 further comprising:
    - sending a test message to the IM client using an account name of one of the fictitious buddies.
  - 6. The method of claim 5 further comprising:
    - determining that the host computer of the IM client is a source of malware if the IM client sends a message in response to the test message.
  - 7. The method of claim 5 further comprising:
    - sending a confirmation message to a user of the IM client if the IM client sends a message in response to the test message; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 8. The method of claim 5 further comprising:
    - identifying the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 9. The method of claim 1 further comprising:
    - storing, into a database, unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 10. The method of claim 9 further comprising:
    - blocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 11. The method of claim 1 further comprising:
    - storing, into a database, contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 12. The method of claim 11 further comprising:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database.
  - 13. The method of claim 1 further comprising:
    - identifying, sources of malware, a plurality of computers each hosting an IM client if messages with identical contents are sent from each of the plurality of host computers.
  - 14. The method of claim 13 further comprising:
    - blocking any message that contains an identical or similar content with contents of messages send by the plurality of host computers identified as sources of malware.

2. The method of clam 1, wherein the act of identifying the host computer of the IM client as a source of malware further comprising:
- determining that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.

15. A computer-assisted system of reducing the spread of malware in an instant message (IM) system, comprising:
- an IM filter module configured to intercept a buddy list sent from an IM server to an IM client, add one or more fictitious buddies to the intercepted buddy list, and forward the buddy list with the one or more fictitious buddies to the IM client; and
  
  the IM filter module further configured to identify a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system of claim 15, wherein the IM filter module is further configured to determine that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.
  - 17. The system of claim 15, wherein the IM filter module is further configured to block messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 18. The system of claim 15, wherein the IM filter module is further configured to interactively confirm with a user of the IM client whether the user intended to send the messages to the at least one of the fictitious buddies, and identify the host computer of the IM client as a source of malware if the user denies sending the messages to the at least one of the fictitious buddies.
  - 19. The system of claim 15, wherein the IM filter module is further configured to send a test message to the IM client using an account name of one of the fictitious buddies.
  - 20. The system of claim 19, wherein the IM filter module is further configured to determine that the host computer of the IM client is a source of malware if the IM client sends a message in response to the test message.
  - 21. The system of claim 19, wherein the IM filter module is further configured to send a confirmation message to a user of the IM client if the IM client sends a message in response to the test message, and identify the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 22. The system of claim 19, wherein the IM filter module is further configured to identify the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 23. The system of claim 15 further comprising:
    - a database configured to store unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 24. The system of claim 23, wherein the IM filter module is further configured to block any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 25. The system of claim 15 further comprising:
    - a database configured to store contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 26. The system of claim 25, wherein the IM filter module is further configured to block any message that contains an identical or similar content with contents of messages stored in the database.

27. A computer program product, residing on a computer-readable medium, the computer program product comprising computer instructions for configuring a computer to perform the acts of:
- intercepting a buddy list sent from an IM server to an IM client;
  
  adding one or more fictitious buddies to the intercepted buddy list;
  
  forwarding the buddy list with the one or more fictitious buddies to the IM client; and
  
  identifying a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 28. The product of claim 27, wherein the instructions for performing the act of identifying the host computer of the IM client as a source of malware further comprising the instructions for performing the act of:
    - determining that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.
  - 29. The product of claim 27 further comprising the instructions for performing the act of:
    - blocking messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 30. The product of claim 27 further comprising the instructions for performing the act of:
    - interactively confirming with a user of the IM client whether the user intended to send the messages to the at least one of the fictitious buddies; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the messages to the at least one of the fictitious buddies.
  - 31. The product of claim 27 further comprising the instructions for performing the act of:
    - sending a test message to the IM client using an account name of one of the fictitious buddies.
  - 32. The product of claim 31 further comprising the instructions for performing the act of:
    - determining that the host computer of the IM client is a source of malware if the IM client sends a message in response to the test message.
  - 33. The product of claim 31 further comprising the instructions for performing the act of:
    - sending a confirmation message to a user of the IM client if the IM client sends a message in response to the test message; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 34. The product of claim 31 further comprising the instructions for performing the act of:
    - identifying the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 35. The product of claim 27 further comprising the instructions for performing the act of:
    - storing, into a database, unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 36. The product of claim 35 further comprising the instructions for performing the act of:
    - blocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 37. The product of claim 27 further comprising the instructions for performing the act of:
    - storing, into a database, contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 38. The product of claim 37 further comprising the instructions for performing the act of:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database.
  - 39. The product of claim 27 further comprising the instructions for performing the act of:
    - identifying, sources of malware, a plurality of computers each hosting an IM client if messages with identical contents are sent from each of the plurality of host computers.
  - 40. The method of claim 39 further comprising further comprising the instructions for performing the act of:
    - blocking any message that contains an identical or similar content with contents of messages send by the plurality of host computers identified as sources of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
IMlogic, Inc. (Gen Digital Inc.)
Inventors
Shah, Milan, Roychowdhary, Anandamoy, Sakoda, Jon, Lorenzo, Eric, Gilliland, Arthur, Desouza, Francis

Granted Patent

US 7,600,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links