System and method for neutralizing pestware residing in executable memory

US 20070094733A1
Filed: 10/26/2005
Published: 04/26/2007
Est. Priority Date: 10/26/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for neutralizing pestware, comprising:

identifying a pestware construct;

accessing at least one function exported by the pestware construct; and

writing an instruction into the memory for the at least one exported function that renders the at least one exported function substantially ineffective.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing pestware on a protected computer are described. In one implementation, a pestware construct is identified. Functions exported by the pestware process are identified, and neutralization of the pestware process is accomplished by skipping a portion of the executed code for pestware functions exported by the pestware process. Registry entries associated with the pestware process are detected and deleted, and the pestware process is scheduled for deletion after the next reboot of a protected computer.

Citations

24 Claims

1. A method for neutralizing pestware, comprising:
- identifying a pestware construct;
  
  accessing at least one function exported by the pestware construct; and
  
  writing an instruction into the memory for the at least one exported function that renders the at least one exported function substantially ineffective.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the accessing at least one function exported by the pestware construct comprises:
    - reading a memory address corresponding to the at least one export function;
      
      populating a list with the at least one export function memory address; and
      
      advancing through the list of at least one export function memory address to access the at least one export function.
  - 3. The method of claim 1, wherein the instruction written into memory for each of the exported functions is a return instruction that causes each of the exported functions, when accessed by the pestware construct, to return without executing pestware instructions within each respective exported function.
  - 4. The method claim of claim 3, wherein the return instruction initiates a jump to a return value within the code of the at least one export function so as to preclude execution of at least a portion of the export function code.
  - 5. The method of claim 1, wherein the identifying the pestware construct includes using a technique selected from the group consisting of a definition matching approach, a heuristics approach, and a dynamic offset scanning approach.
  - 6. The method of claim 1, wherein the pestware construct is a dynamic link library.
  - 7. The method of claim 1, wherein the identifying a pestware construct, accessing each function exported by the pestware construct, and writing an instruction into the memory for each of the exported functions that renders each of the exported functions substantially ineffective are performed at a computer, the method further comprising:
    - deleting registry entries associated with the pestware construct; and
      
      scheduling the pestware construct for deletion after the next reboot.
  - 8. The method of claim 1, wherein the neutralizing the pestware construct is accomplished without removing the pestware construct.

9. A computer-readable medium comprising executable instructions to:
- identify a pestware construct;
  
  access at least one function exported by the pestware construct; and
  
  write an instruction into the memory for the at least one exported function that renders the at least one exported function substantially ineffective.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium of claim 9, wherein the executable instructions to access at least one function exported by the pestware construct include executable instructions to:
    - read a memory address corresponding to the at least one export function;
      
      populate a list with the at least one export function memory address; and
      
      advance through the list of at least one export function memory address to access the at least one export function.
  - 11. The computer-readable medium of claim 9, wherein the instruction written into memory for each of the exported functions is a return instruction that causes each of the exported functions, when accessed by the pestware construct, to return without executing pestware instructions within each respective exported function.
  - 12. The computer-readable medium of claim 11, wherein the return instruction initiates a jump to a return value within the code of the at least one export function so as to preclude execution of at least a portion of the export function code.
  - 13. The computer-readable medium of claim 9, wherein the executable instructions to identify the pestware construct use a technique selected from the group consisting of a definition matching approach, a heuristics approach, and a dynamic offset scanning approach.
  - 14. The computer-readable medium of claim 9, wherein the pestware construct is a dynamic link library.
  - 15. The computer-readable medium of claim 9, wherein the executable instructions to identify a pestware construct, access each function exported by the pestware construct, and write an instruction into the memory for each of the exported functions that renders each of the exported functions substantially ineffective are performed at a computer, the executable instructions further comprising:
    - deleting registry entries associated with the pestware construct; and
      
      scheduling the pestware construct for deletion after the next reboot.
  - 16. The computer-readable medium of claim 9, wherein the executable instructions to neutralize the pestware construct do so without removing the pestware construct.

17. A system of removing pestware, comprising:
- a detection module configured to;
  
  identify a pestware construct; and
  
  a removal module configured to;
  
  access at least one function exported by the pestware construct; and
  
  write an instruction into the memory for the at least one exported function that renders the at least one exported function substantially ineffective.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the removal module is configured to:
    - read a memory address corresponding to the at least one export function;
      
      populate a list with the at least one export function memory address; and
      
      advance through the list of at least one export function memory address to access the at least one export function.
  - 19. The system of claim 17, wherein the instruction written into memory for each of the exported functions is a return instruction that causes each of the exported functions, when accessed by the pestware construct, to return without executing pestware instructions within each respective exported function.
  - 20. The system of claim 19, wherein the return instruction initiates a jump to a return value within the code of the at least one export function so as to preclude execution of at least a portion of the export function code.
  - 21. The system of claim 17, wherein the removal module is configured to identify the pestware construct using a technique selected from the group consisting of a definition matching approach, a heuristics approach, and a dynamic offset scanning approach.
  - 22. The system of claim 17, wherein the pestware construct is a dynamic link library.
  - 23. The system of claim 17, wherein the removal module is configured to:
    - delete registry entries associated with the pestware construct; and
      
      schedule the pestware construct for deletion after the next reboot.
  - 24. The system of claim 17, wherein the removal module is configured to neutralize the pestware construct without removing the pestware construct.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Wilson, Michael, Horne, Jefferson

Application Number

US11/258,711
Publication Number

US 20070094733A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

System and method for neutralizing pestware residing in executable memory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for neutralizing pestware residing in executable memory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links