Generic rootkit detector

US 20070055711A1
Filed: 08/24/2005
Published: 03/08/2007
Est. Priority Date: 08/24/2005
Status: Active Grant

First Claim

Patent Images

1. In a computer that includes a memory, an operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method comprising:

(a) obtaining the properties of the first version of the library that was loaded into memory to provide services to the application program;

(b) obtaining the properties of the second version of the library that is stored in a protected state on the storage device; and

(c) comparing the properties of the first version of the library with the properties of the second version of the library.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A generic RootKit detector is disclosed that identifies when a malware, commonly known as RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library; a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infection the computer.

78 Citations

View as Search Results

20 Claims

1. In a computer that includes a memory, an operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method comprising:
- (a) obtaining the properties of the first version of the library that was loaded into memory to provide services to the application program;
  
  (b) obtaining the properties of the second version of the library that is stored in a protected state on the storage device; and
  
  (c) comparing the properties of the first version of the library with the properties of the second version of the library.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein:
    - (a) if the properties of the first version of the library are different from the properties of the second version of the library, determining that the library is infected with malware; and
      
      (b) conversely, if the properties of the first version of the library are the same as the properties of the second version of the library, determining that the library is not infected with malware.
  - 3. The method as recited in claim 2, wherein the malware is a RootKit that is configured to conceal malicious instructions that are resident on the computer.
  - 4. The method as recited in claim 2, further comprising if the first version of the library is infected with malware:
    - (a) tracing the flow of program execution to a set of instructions that implement the malware; and
      
      (b) scanning the set of instructions that implement the malware for a signature that uniquely identifies the malware.
  - 5. The method as recited in claim 4, wherein if a malware is identified, causing a cleaning routine to be executed that removes the malware from the computer.
  - 6. The method as recited in claim 1, wherein the library is a dynamically linked library that is linked to a calling application program at runtime.
  - 7. The method as recited in claim 1, wherein obtaining the properties of the first version of the library includes determining whether the first version of the library references an instruction outside of the memory image allocated to the first version of the library by the operating system;
    - and wherein if the first version of the library references an instruction outside of the memory image allocated to the first version of the library, determining that the library is infected with malware.
  - 8. The method as recited in claim 1, wherein obtaining the properties of the first version of the library that was loaded into memory to provide services to the application program includes obtaining a call address of a routine in the first version of the library from a component of the operating system.
  - 9. The method as recited in claim 8, wherein obtaining the properties of the second version of the library that is stored in a protected state on the storage device includes:
    - (a) obtaining an offset value from the second version of the library that identifies a relative location of a routine in the library; and
      
      (b) calculating a call address using the offset value obtained from the second version of the library for the routine that identifies the memory location where the routine may be accessed
  - 10. The method as recited in claim 9, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of the call address obtained from a component of the operating system using data from the first version of a library with the value of the call address calculated from the offset value obtained from the second version of the library.

11. A computer-readable medium bearing computer-executable instructions which, when executed in a computer that includes an operating system configured to copy a library into a memory address space available to an application program, carries out a method for determining whether a routine in the library that satisfies an Application Program Interface call is infected with malware, the method comprising:
- (a) obtaining a call address of the routine from a component of the operating system that calculates the call address using data in a first version of the library that is loaded in memory;
  
  (b) obtaining an offset value from a second version of the library that is stored in a protected state on a storage device;
  
  (c) calculating a call address for the routine using the offset value obtained from the second version of the library; and
  
  (d) comparing the value of the call address obtained from a component of the operating system with the value of the call address calculated from the offset value calculated from data in the second version of the library.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-readable medium as recited in claim 11, further comprising if the value of the call address obtained from the component of the operating system is different from the call address calculated from data stored in the second version of the library, determining that the first version of the library is infected with malware.
  - 13. The computer-readable medium as recited in claim 11, further comprising if the first version of the library is infected with malware:
    - (a) tracing the flow of program execution to a set of instructions that implement the malware; and
      
      (b) scanning the set of instructions that implement the malware for a signature.
  - 14. The computer-readable medium as recited in claim 13, further comprising if a signature is identified:
    - (a) recording the value of the call address for the routine that was calculated using the offset value obtained from the second version of the library in a data store; and
      
      (b) using the recorded call address to locate the routine in memory when an Application Program Interface call is made that is handled by the routine.
  - 15. The computer-readable medium as recited in claim 11, wherein calculating a call address for the routine using the offset value obtained from the second version of the library includes determining whether the call address references a location that is outside the memory image of the library;
    - and wherein if the call address references a location outside of the memory image allocated to the first version of the library, determining that the library is infected with malware.

16. A software system for determining whether a computer is infected with a RootKit, the software system comprising:
- (a) an operating system that provides services to application programs installed on the computer;
  
  (b) an integrity module operative to compare a first version of a library that is loaded in memory to provide services to the application program with a second version of the library stored in a protected state on the storage device;
  
  (c) a scan engine configured to detect signatures that are associated with malware; and
  
  (d) a handling routine configured to;
  
  (i) trace the scheduled path of program execution to a set of instructions that do not control the flow of program execution; and
  
  (ii) cause the scan engine to search the instructions for a signature that is characteristic of malware.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The software system as recited in claim 16, further comprising a virtual export table operative to associates a routine in the library with a call address that identifies the memory location of the routine;
    - and wherein the integrity module is further configured to calculate the call address of the routine from data in the second version of the library and store the value of the call address in the virtual export table.
  - 18. The software system as recited in claim 17, wherein the operating system is further configured to identify the location of the routine in memory from data stored in the virtual export table.
  - 19. The software system as recited in claim 16, wherein the integrity module, the scan engine, and the handling routine are implemented in a component of the operating system that operates in kernel mode.
  - 20. The software system as recited in claim 16, wherein the integrity module, the scan engine, and the handling routine are implemented in an application program that operates in user mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Polyakov, Alexey, Cowie, Neil

Granted Patent

US 7,647,636 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Generic rootkit detector

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Generic rootkit detector

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others