Method and system for detecting obfuscatory pestware in a computer memory

US 20070168982A1
Filed: 01/18/2006
Published: 07/19/2007
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for scanning a computer memory for pestware, comprising:

identifying, within an executable object in the computer memory, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and

searching for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting obfuscatory pestware in a computer memory is described. One illustrative embodiment identifies, within an executable object, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and searches for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.

60 Citations

View as Search Results

19 Claims

1. A method for scanning a computer memory for pestware, comprising:
- identifying, within an executable object in the computer memory, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and
  
  searching for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the known procedure comprises one of an application program interface (API), a memory management routine, and a computational procedure.
  - 3. The method of claim 1, wherein identifying, within the executable object, the reference to the known procedure comprises examining an import address table (IAT) of the executable object to identify at least one subroutine that uses the known procedure.
  - 4. The method of claim 1, wherein the check value comprises a uniform resource locator (URL).

5. A method for scanning a computer memory for pestware, comprising:
- examining an import address table (IAT) of an executable object in the computer memory to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the computer memory;
  
  locating the at least one subroutine within the executable object; and
  
  searching for a predetermined check value at a known offset relative to an address, in the computer memory, at which the at least one subroutine calls the API.

6. A system for detecting pestware, comprising:
- a pestware detection module to detect pestware on a computer, the pestware detection module being configured to;
  
  identify, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
  
  search for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6, wherein the known procedure comprises one of an application program interface (API), a memory management routine, and a computational procedure.
  - 8. The system of claim 6, wherein the pestware detection module is configured to identify, within the executable object, the reference to the known procedure by examining an import address table (IAT) of the executable object to identify at least one subroutine that uses the known procedure.
  - 9. The system of claim 6, wherein the check value comprises a uniform resource locator (URL).

10. A system for detecting pestware, comprising:
- a pestware detection module to detect pestware on a computer, the pestware detection module being configured to;
  
  examine an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory;
  
  locate the at least one subroutine within the executable object; and
  
  search for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API.

11. A system for detecting pestware on a computer, comprising:
- means for identifying, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
  
  means for searching for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the known procedure comprises one of an application program interface (API), a memory management routine, and a computational procedure.
  - 13. The system of claim 11, wherein the means for identifying, within the executable object in the memory of the computer, a reference to a known procedure examines an import address table (IAT) of the executable object to identify at least one subroutine that uses the known procedure.
  - 14. The system of claim 11, wherein the check value comprises a uniform resource locator (URL).

15. A computer-readable storage medium containing program instructions to scan for pestware on a computer, comprising:
- a first instruction segment that identifies, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
  
  a second instruction segment that searches for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
- View Dependent Claims (16, 17, 18)
- - 16. The computer-readable storage medium of claim 15, wherein the known procedure comprises one of an application program interface (API), a memory management routine, and a computational procedure.
  - 17. The computer-readable storage medium of claim 15, wherein the first instruction segment identifies, within the executable object, the reference to the known procedure by examining an import address table (IAT) of the executable object to identify at least one subroutine that uses the known procedure.
  - 18. The computer-readable storage medium of claim 15, wherein the check value comprises a uniform resource locator (URL).

19. A computer-readable storage medium containing program instructions to scan for pestware on a computer, comprising:
- a first instruction segment that examines an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory;
  
  a second instruction segment that locates the at least one subroutine within the executable object; and
  
  a third instruction segment that searches for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Horne, Jefferson

Granted Patent

US 8,418,245 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/124
CPC Class Codes

G06F 21/564 by virus signature recognition

Method and system for detecting obfuscatory pestware in a computer memory

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting obfuscatory pestware in a computer memory

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links