System and method for neutralizing pestware that is loaded by a desirable process

US 20070094726A1
Filed: 10/26/2005
Published: 04/26/2007
Est. Priority Date: 10/26/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of removing pestware, comprising:

identifying a pestware construct, wherein the pestware construct is loaded by a desirable process;

identifying at least one pestware thread that is loaded by the pestware construct into the desirable process;

suspending the at least one pestware thread; and

neutralizing the pestware construct.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing pestware on a protected computer are described. In one implementation, a pestware construct is identified. Threads loaded by the pestware construct into a desirable process are identified and suspended. Neutralization of the pestware construct is accomplished by preventing code underlying pestware functions exported by the pestware construct from executing. In variations of the invention, registry entries associate with the pestware construct are detected and deleted, and the pestware construct is scheduled for deletion after the next reboot of a protected computer.

Citations

24 Claims

1. A method of removing pestware, comprising:
- identifying a pestware construct, wherein the pestware construct is loaded by a desirable process;
  
  identifying at least one pestware thread that is loaded by the pestware construct into the desirable process;
  
  suspending the at least one pestware thread; and
  
  neutralizing the pestware construct.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the pestware construct is a dynamic link library, the desirable process is a system-level process selected from the group consisting of winlogon.exe, systemidle.exe, systemreg.exe, lsass.exe, spool.exe and svchost.exe, and the identifying the pestware construct includes using a technique selected from the group consisting of a definition matching approach, a heuristics approach, and a dynamic offset scanning approach.
  - 3. The method of claim 1, wherein the identifying the at least one pestware thread loaded by the pestware construct into the desirable process comprises:
    - comparing a start address of each of a plurality of threads running in the desirable process to an address range of the pestware construct; and
      
      marking, as the at least one pestware thread, any of the plurality of threads that has a start address within the address range of the pestware construct.
  - 4. The method of claim 3, wherein the comparing a start address of each of the plurality of threads running in the desirable process to an address range of the pestware construct comprises:
    - populating a list, the list including the start address of each of the plurality of threads; and
      
      advancing through the list to determine whether any of the plurality of threads has a start address within the address range of the pestware construct.
  - 5. The method of claim 1, wherein the neutralizing the pestware construct is accomplished without removing the pestware construct.
  - 6. The method of claim 1, wherein neutralizing the pestware construct comprises:
    - accessing each function exported by the pestware construct; and
      
      writing an instruction into memory for each of the exported functions that renders each of the exported functions substantially ineffective.
  - 7. The method of claim 6, wherein the accessing each function exported by the pestware construct comprises:
    - reading a list of addresses for each of the export functions;
      
      populating a second list with the export function addresses; and
      
      advancing through the second list to access each of the export functions.
  - 8. The method of claim 1, wherein the identifying the pestware construct, identifying at least one pestware thread loaded by the pestware construct into the desirable process, suspending the at least one pestware function, and neutralizing the pestware construct, are performed at a computer, the method further comprising:
    - deleting registry entries associated with the pestware construct; and
      
      scheduling the pestware construct for deletion after the next reboot.

9. A computer-readable medium comprising executable instructions to:
- identify a pestware construct, wherein the pestware construct is loaded by a desirable process;
  
  identify at least one pestware thread that is loaded by the pestware construct into the desirable process;
  
  suspend the at least one pestware thread; and
  
  neutralize the pestware construct.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium of claim 9, wherein the pestware construct includes a dynamic link library, the desirable process is a system-level process selected from the group consisting of winlogon.exe, systemidle.exe, systemreg.exe, lsass.exe, spool.exe and svchost.exe, and the executable instructions to identify the pestware construct include instructions selected from the group consisting of definition matching instructions, heuristics-approach instructions, and dynamic offset scanning instructions.
  - 11. The computer-readable medium of claim 9, wherein the executable instructions to identify the at least one pestware thread loaded by the pestware construct into the desirable process include executable instructions to:
    - compare a start address of each of a plurality of threads running in the desirable process to an address range of the pestware construct; and
      
      identify, as the at least one pestware thread, any of the plurality of threads that has a start address within the address range of the pestware construct.
  - 12. The computer-readable medium of claim 11, wherein the executable instructions to compare a start address of each of the plurality of threads running in the desirable process to an address range of the pestware construct include executable instructions to:
    - populate a list including the start addresses of each of the plurality of threads; and
      
      advance through the list to determine whether any of the plurality of threads has a start addresses within the address range of the pestware construct.
  - 13. The computer-readable medium of claim 9, wherein the executable instructions to neutralize the pestware construct include instructions to neutralize the pestware construct without removing the pestware construct.
  - 14. The computer-readable medium of claim 9, wherein the executable instructions to neutralize the pestware construct include executable instructions to:
    - access each function exported by the pestware construct; and
      
      write an instruction into memory for each of the exported functions that renders each of the exported functions substantially ineffective.
  - 15. The computer-readable medium of claim 14, wherein the executable instructions to access each function exported by the pestware construct include executable instructions to:
    - read a list of addresses for each of the export functions;
      
      populate a second list with the export function addresses; and
      
      advance through the second list to access each of the export functions.
  - 16. The computer-readable medium of claim 9, further comprising executable instructions to:
    - delete registry entries associated with the pestware construct; and
      
      schedule the pestware construct for deletion after the next reboot.

17. A system of removing pestware, comprising:
- a detection module configured to;
  
  identify a pestware construct that is loaded by a desirable process; and
  
  identify at least one pestware thread loaded by the pestware construct into the desirable process; and
  
  a removal module configured to;
  
  suspend the at least one pestware thread; and
  
  neutralize the pestware construct.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the pestware construct is a dynamic link library, the desirable process is a system-level process selected from the group consisting of winlogon.exe, systemidle.exe, systemreg.exe, lsass.exe, spool.exe and svchost.exe, and the detection module is configured to identify the pestware construct by using a technique selected from the group consisting of a definition matching approach, a heuristics approach, and a dynamic offset approach.
  - 19. The system of claim 17, wherein the detection module is configured to identify the at least one pestware thread loaded by the pestware construct into the desirable process by:
    - comparing a start address of each of a plurality of threads running in the desirable process to an address range of the pestware construct; and
      
      identifying, as the at least one pestware thread, any of the plurality of threads that has a start address within the address range of the pestware construct.
  - 20. The system of claim 19, wherein the detection module is configured to compare a start address for each thread running in the desirable process to an address range of the pestware construct by:
    - populating a list with the start addresses of the threads; and
      
      advancing through the list to determine whether any of the threads have start addresses within the address range of the pestware construct.
  - 21. The system of claim 17, wherein the removal module is configured to neutralize the pestware construct without removing the pestware construct.
  - 22. The system of claim 17, wherein the removal module is configured to neutralize the pestware construct by:
    - accessing each function exported by the pestware construct; and
      
      writing an instruction into memory for each of the exported functions that renders each of the exported functions substantially ineffective.
  - 23. The system of claim 22, wherein the removal module is configured to access each function exported by the pestware construct by:
    - reading a list of addresses for each of the export functions;
      
      populating a second list with the export function addresses; and
      
      advancing through the second list to access each of the export functions.
  - 24. The system of claim 17, wherein the removal module is configured to:
    - delete registry entries associated with the pestware construct; and
      
      schedule the pestware construct for deletion after the next reboot.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Wilson, Michael, Horne, Jefferson

Application Number

US11/259,706
Publication Number

US 20070094726A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

System and method for neutralizing pestware that is loaded by a desirable process

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for neutralizing pestware that is loaded by a desirable process

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links