Backwards researching activity indicative of pestware

US 20070250817A1
Filed: 04/20/2006
Published: 10/25/2007
Est. Priority Date: 04/20/2006
Status: Active Grant

First Claim

Patent Images

1. A method for identifying an origin of activity on a computer that is indicative of pestware comprising:

monitoring the computer for activity that is indicative of pestware;

identifying, based upon the activity, an object residing on the computer that is a suspected pestware object; and

accessing at least a portion of a recorded history of sources that the computer received files from so as to identify a reference to an identity of a particular source that the suspected pestware object originated from.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for researching an identity of a source of activity that is indicative of pestware is described. In one embodiment the method comprises monitoring the computer for activity that is indicative of pestware, identifying, based upon the activity, an object residing on the computer that is a suspected pestware object; and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify a reference to an identity of a particular source that the suspected pestware object originated from.

Citations

22 Claims

1. A method for identifying an origin of activity on a computer that is indicative of pestware comprising:
- monitoring the computer for activity that is indicative of pestware;
  
  identifying, based upon the activity, an object residing on the computer that is a suspected pestware object; and
  
  accessing at least a portion of a recorded history of sources that the computer received files from so as to identify a reference to an identity of a particular source that the suspected pestware object originated from.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, including:
    - reporting the identity of the particular source to a pestware research entity so as to enable the pestware research entity to research whether the particular source is a source of pestware.
  - 3. The method of claim 1, wherein the source is identified by an identifier selected from the group consisting of an I.P. address, a URL, an email client and a program.
  - 4. The method of claim 3, wherein the identifying includes accessing an activity log that includes information that relates the activity to the suspected pestware object.
  - 5. The method of claim 1, wherein the monitoring includes monitoring the computer for activity with a kernel-mode driver.
  - 6. The method of claim 5, wherein the monitoring includes heuristically analyzing the activity so as to arrive at a determination that the activity is indicative of pestware.
  - 7. The method of claim 1, wherein the recorded history resides in a browser cache, which includes information about files downloaded to the computer and a source of each of the files.
  - 8. The method of claim 1, wherein the recorded history resides in at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.

9. A system for identifying a source of activity on a computer that is indicative of pestware including:
- a heuristics module configured to identify activity on the computer that is indicative of pestware residing on the computer; and
  
  a research portion configured to access a first set of recorded information on the computer that relates the activity to at least one file residing an the computer, and wherein the research portion is configured to access a second set of recorded information on the computer that relates the at least one file to a source from which the file was received; and
  
  a reporting portion configured to generate a report that identifies the source of the file.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, including:
    - an activity monitor configured to monitor API calls and to store a history of at least a portion of the API calls in an activity log.
  - 11. The system of claim 10, wherein activity monitor is configured to store an identity of each process that made each of the API calls in the stored history, and wherein the activity monitor is configured to store an identity of each file that corresponds to each the processes that made the API calls in the stored history so as to create a relation between each API call and at least one file.
  - 12. The system of claim 10, wherein the heuristics module is configured to receive information about the API calls from the activity monitor and determine whether the API calls are indicative of pestware.
  - 13. The system of claim 10, wherein the activity monitor includes a kernel-mode driver adapted to intercept the API calls.
  - 14. The system of claim 9, wherein the first set of recorded information and the second set of recorded information reside in the same log file on a file storage device of the computer.
  - 15. The system of claim 9, wherein the source is identified by an identifier selected from the group consisting of an I.P. address, a URL, an email client and a program name.
  - 16. The system of claim 9, wherein the recorded history resides in at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.

17. A computer-readable medium including processor-executable instructions for identifying an origin of activity on a computer that is indicative of pestware, the instructions including instructions for:
- monitoring the computer for activity that is indicative of pestware;
  
  identifying, based upon the activity, an object residing on the computer that is a suspected pestware object; and
  
  accessing at least a portion of a recorded history of sources that the computer received files from so as to identify a reference to an identity of a source that the suspected pestware object originated from.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer-readable medium of claim 17, including instructions for:
    - reporting the identity of the particular web site to a pestware research entity so as to enable the pestware research entity to research whether the particular source is a source of pestware.
  - 19. The computer-readable medium of claim 17, wherein the source is identified by an identifier selected from the group consisting of an I.P. address, a URL, an email client and a program.
  - 20. The computer-readable medium of claim 17, wherein the instructions for monitoring include instructions for monitoring the computer for activity with a kernel-mode driver.
  - 21. The computer-readable medium of claim 20, wherein the instructions for monitoring include instructions for heuristically analyzing the activity so as to arrive at a determination that the activity is indicative of pestware.
  - 22. The computer-readable medium of claim 17, wherein the recorded history resides in at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Boney, Matthew

Granted Patent

US 8,201,243 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/124
CPC Class Codes

G06F 21/56 Computer malware detection ...

Backwards researching activity indicative of pestware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Backwards researching activity indicative of pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links