Method and system for detecting dependent pestware objects on a computer

US 20070169197A1
Filed: 01/18/2006
Published: 07/19/2007
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting pestware on a computer, comprising:

detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;

locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and

following the pointer to the string to ascertain the address of the secondary pestware object.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting dependent pestware objects on a computer is described. One illustrative embodiment detects a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified; locates, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and follows the pointer to the string to ascertain the address of the secondary pestware object.

89 Citations

View as Search Results

24 Claims

1. A method for detecting pestware on a computer, comprising:
- detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and
  
  following the pointer to the string to ascertain the address of the secondary pestware object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising issuing a notification that pestware has been found on the computer.
  - 3. The method of claim 1, further comprising:
    - using the ascertained address to locate the secondary pestware object; and
      
      removing the secondary pestware object from the computer.
  - 4. The method of claim 1, wherein the secondary pestware object is executable.
  - 5. The method of claim 1, wherein the secondary pestware object is non-executable.
  - 6. The method of claim 1, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 7. The method of claim 1, wherein the string resides in a string table within the primary pestware process.

8. A system for detecting pestware, comprising:
- a pestware detection module to detect pestware on a computer, the pestware detection module being configured to;
  
  detect a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  locate, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and
  
  follow the pointer to the string to ascertain the address of the secondary pestware object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the pestware detection module is further configured to issue a notification that pestware has been found on the computer.
  - 10. The system of claim 8, wherein the pestware detection module is further configured to use the ascertained address to locate the secondary pestware object and to remove the secondary pestware object from the computer.
  - 11. The system of claim 8, wherein the secondary pestware object is executable.
  - 12. The system of claim 8, wherein the secondary pestware object is non-executable.
  - 13. The system of claim 8, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 14. The system of claim 8, wherein the string resides in a string table within the primary pestware process.

15. A system for detecting pestware on a computer, comprising:
- means for detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  means for locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and
  
  means for following the pointer to the string to ascertain the address of the secondary pestware object.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, further comprising:
    - means for issuing a notification that pestware has been found on the computer.
  - 17. The system of claim 15, further comprising:
    - means for locating the secondary pestware object based on the ascertained address; and
      
      means for removing the secondary pestware object from the computer.

18. A computer-readable storage medium containing program instructions to detect pestware on a computer, comprising:
- a first instruction segment configured to identify a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  a second instruction segment configured to locate, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and
  
  a third instruction segment configured to follow the pointer to the string to ascertain the address of the secondary pestware object.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The computer-readable storage medium of claim 18, further comprising:
    - a fourth instruction segment configured to issue a notification that pestware has been found on the computer.
  - 20. The computer-readable storage medium of claim 18, further comprising:
    - a fourth instruction segment configured to locate the secondary pestware object based on the ascertained address and to remove the secondary pestware object from the computer.
  - 21. The computer-readable storage medium of claim 18, wherein the secondary pestware object is executable.
  - 22. The computer-readable storage medium of claim 18, wherein the secondary pestware object is non-executable.
  - 23. The computer-readable storage medium of claim 18, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 24. The computer-readable storage medium of claim 18, wherein the string resides in a string table within the primary pestware process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Horne, Jefferson

Granted Patent

US 8,255,992 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Method and system for detecting dependent pestware objects on a computer

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Method and system for detecting dependent pestware objects on a computer

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others