Generic rootkit detector
Abstract
A generic RootKit detector is disclosed that identifies when malware, commonly known as a RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library: a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infecting the computer.
78 Citations
20 Claims
1. In a computer that includes a memory, an operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method comprising:
(a) obtaining the properties of the first version of the library that was loaded into memory to provide services to the application program;
(b) obtaining the properties of the second version of the library that is stored in a protected state on the storage device; and
(c) comparing the properties of the first version of the library with the properties of the second version of the library.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer-readable medium bearing computer-executable instructions which, when executed in a computer that includes an operating system configured to copy a library into a memory address space available to an application program, carries out a method for determining whether a routine in the library that satisfies an Application Program Interface call is infected with malware, the method comprising:
(a) obtaining a call address of the routine from a component of the operating system that calculates the call address using data in a first version of the library that is loaded in memory;
(b) obtaining an offset value from a second version of the library that is stored in a protected state on a storage device;
(c) calculating a call address for the routine using the offset value obtained from the second version of the library; and
(d) comparing the value of the call address obtained from a component of the operating system with the value of the call address calculated from the offset value calculated from data in the second version of the library.
Dependent claims: 12, 13, 14, 15.
16. A software system for determining whether a computer is infected with a RootKit, the software system comprising:
(a) an operating system that provides services to application programs installed on the computer;
(b) an integrity module operative to compare a first version of a library that is loaded in memory to provide services to the application program with a second version of the library stored in a protected state on the storage device;
(c) a scan engine configured to detect signatures that are associated with malware; and
(d) a handling routine configured to:
(i) trace the scheduled path of program execution to a set of instructions that do not control the flow of program execution; and
(ii) cause the scan engine to search the instructions for a signature that is characteristic of malware.
Dependent claims: 17, 18, 19, 20.
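The two comparisons claimed above (claim 1's property comparison of the in-memory and on-disk library, and claim 11's check of an OS-reported call address against base plus the offset read from the protected disk copy), modelled as an added example that is not code from the patent. It assumes a library reduced to an export table (name to RVA) plus raw image bytes, and that the relocation offsets come from the disk copy's relocation table, so loader fix-ups are not mistaken for tampering.

```python
from dataclasses import dataclass, field

@dataclass
class LibraryImage:
    image: bytes                  # raw bytes of the image
    exports: dict                 # routine name -> RVA (offset from the load base)
    reloc_offsets: set = field(default_factory=set)  # RVAs the loader may rewrite

def expected_call_address(disk: LibraryImage, loaded_base: int, name: str) -> int:
    """Claim 11 step (c): call address computed from the protected disk copy."""
    return loaded_base + disk.exports[name]

def check_call_addresses(os_addresses: dict, disk: LibraryImage, loaded_base: int) -> list:
    """Claim 11 step (d): routines whose OS-reported address differs from the
    address derived from the disk copy (e.g. a redirected export entry)."""
    return sorted(name for name, addr in os_addresses.items()
                  if addr != expected_call_address(disk, loaded_base, name))

def check_prologues(mem: LibraryImage, disk: LibraryImage, length: int = 8) -> list:
    """Claim 1: compare the first `length` bytes of each exported routine in
    memory against the disk copy, skipping bytes the loader relocates."""
    hooked = []
    for name, rva in disk.exports.items():
        for off in range(rva, rva + length):
            if off in disk.reloc_offsets:      # legitimate loader fix-up
                continue
            if mem.image[off] != disk.image[off]:
                hooked.append(name)
                break
    return sorted(hooked)

# Constructed sample data (not from the patent): two exported routines.
_disk = bytearray(0x40)
_disk[0x10:0x15] = b"\x8b\xff\x55\x8b\xec"        # Open: mov edi,edi; push ebp; mov ebp,esp
_disk[0x20:0x25] = b"\xb8\x00\x00\x01\x00"        # Read: mov eax, <absolute address>
DISK = LibraryImage(bytes(_disk), {"Open": 0x10, "Read": 0x20}, {0x21, 0x22, 0x23, 0x24})

LOADED_BASE = 0x20000
_mem = bytearray(_disk)
_mem[0x21:0x25] = (0x20100).to_bytes(4, "little")  # loader applied the relocation
_mem[0x10:0x15] = b"\xe9\x00\x10\x00\x00"         # first bytes of Open overwritten in memory
MEMORY = LibraryImage(bytes(_mem), DISK.exports)

# What the OS reports for each routine; the entry for Read no longer points into the image.
OS_ADDRESSES = {"Open": LOADED_BASE + 0x10, "Read": 0x7ff00000}

if __name__ == "__main__":
    print("address mismatch:", check_call_addresses(OS_ADDRESSES, DISK, LOADED_BASE))
    print("patched prologue:", check_prologues(MEMORY, DISK))
```

Read is caught only by the address check and Open only by the byte comparison, which is why the patent pairs the two; the relocated bytes in Read are skipped and do not raise a false alarm.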
Specification