Methods for combating malicious software

US 20090077664A1
Filed: 04/27/2006
Published: 03/19/2009
Est. Priority Date: 04/27/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for combating malware on a computer comprising a CPU, a memory, and a digital storage medium, the method comprising:

a) monitoring all attempts by any software executing on the computer to write data to the digital storage medium;

b) recording details of the attempts in a system database;

wherein the system database has a causal tree structure, where branch points represent objects from which derivative objects are created and leaves represent objects that have no derivative object;

c) intercepting unauthorized modification by executing objects to the memory allocated to other executing objects; and

d) intercepting unauthorized attempts by executing objects to modify a selected set of protected objects stored on the digital storage medium.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for combating malware monitors all attempts by any software executing on a computer to write data to the computer'"'"'s digital storage medium and records details of the attempts in a system database having a causal tree structure. The method also intercepts unauthorized attempts by executing objects to modify the memory allocated to other executing objects or to modify a selected set of protected objects stored on the digital storage medium, and may also intercept write attempts by executing objects that have a buffer overflow or that are executing in a data segment of memory. The method may include a procedure for switching the computer into a quasi-safe mode that disables all non-essential processes. Preferably, the database is automatically organized into software packages classified by malware threat level. Entire or packages or portions thereof may be easily selected and neutralized by a local or remote user.

Citations

66 Claims

1. A computer-implemented method for combating malware on a computer comprising a CPU, a memory, and a digital storage medium, the method comprising:
- a) monitoring all attempts by any software executing on the computer to write data to the digital storage medium;
  
  b) recording details of the attempts in a system database;
  
  wherein the system database has a causal tree structure, where branch points represent objects from which derivative objects are created and leaves represent objects that have no derivative object;
  
  c) intercepting unauthorized modification by executing objects to the memory allocated to other executing objects; and
  
  d) intercepting unauthorized attempts by executing objects to modify a selected set of protected objects stored on the digital storage medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 2. The method of claim 1 wherein the monitoring is performed by a file storage system filter installed at a driver level of an operating system of the computer.
  - 3. The method of claim 1 wherein the intercepting unauthorized modification comprises executing a kernel-level process filter.
  - 4. The method of claim 1 wherein the intercepting unauthorized modification comprises executing a modified API call.
  - 5. The method of claim 1 wherein the intercepting unauthorized modification comprises authorizing the modification only for executing objects that are included in a predetermined exempt list.
  - 6. The method of claim 1 further comprising intercepting attempts to write to any objects whenever the executing object initiating the attempt has a buffer overflow.
  - 7. The method of claim 6 further comprising checking a system call stack for signs of corruption indicative of a buffer overflow condition.
  - 8. The method of claim 1 further comprising intercepting attempts to open pop-up windows whenever the executing object initiating the attempt has a buffer overflow.
  - 9. The method of claim 1 further comprising intercepting attempts to write to any objects whenever the executing object initiating the attempt exists in a data segment of memory.
  - 10. The method of claim 1 wherein recording details of the attempts to write data comprises recording a first object identifier corresponding to an executable object attempting to write the data and a second object identifier corresponding to a target object stored on the digital storage medium that the executable object is attempting to write data to.
  - 11. The method of claim 10 wherein recording details of the attempts to write data further comprises recording a third object identifier corresponding to a parent executable that initiated execution of the executable object attempting to write the data.
  - 12. The method of claim 10 further comprising comparing the first object identifier to a predetermined list of known helper objects.
  - 13. The method of claim 1 wherein the system database is stored in XML format.
  - 14. The method of claim 1 wherein intercepting unauthorized attempts by executing objects to modify a selected set of protected objects comprises preventing executable objects stored outside a protected storage space from modifying objects in the protected storage space.
  - 15. The method of claim 1 wherein the predetermined set of protected objects comprises the system database.
  - 16. The method of claim 1 wherein the predetermined set of protected objects comprises a dynamic linked library.
  - 17. The method of claim 1 wherein the predetermined set of protected objects comprises executable objects.
  - 18. The method of claim 17 wherein the executable objects comprise executable objects associated with an operating system of the computer.
  - 19. The method of claim 17 wherein the executable objects comprise objects associated with selected application programs installed on the computer.
  - 20. The method of claim 1 wherein the protected storage space is a list of one or more directories on the digital storage medium.
  - 21. The method of claim 1 further comprising preventing unauthorized attempts to neutralize a protected driver.
  - 22. The method of claim 21 wherein preventing unauthorized attempts to stop a protected driver comprises modifying API calls to prevent unauthorized registry changes.
  - 23. The method of claim 1 further comprising intercepting unauthorized attempts to install executables that intercept attempts to write data to the digital storage medium.
  - 24. The method of claim 23 wherein intercepting unauthorized attempts to install executables that intercept attempts to write data to the digital storage medium comprises checking for a digital signature from an authorized entity prior to allowing installation of an executable that intercept attempts to write data to the digital storage medium.
  - 25. The method of claim 1 further comprising automatically backing up objects stored on the digital storage medium if the objects are modified.
  - 26. The method of claim 1 further comprising using a backup to restore objects stored on the digital storage medium to a prior state.
  - 27. The method of claim 1 further comprising organizing the system database into software packages comprising groups of associated objects.
  - 28. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package whenever an object is downloaded over a network and executed.
  - 29. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package whenever an object is copied from an external digital storage medium and executed.
  - 30. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package if a package manager creates a collection of installed objects.
  - 31. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package if an executable object installs itself.
  - 32. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package if an object registers itself with a package manager.
  - 33. The method of claim 27 wherein organizing the system database into software packages comprises identifying a new software package if a first object unassociated with any existing package creates a second object that is executed.
  - 34. The method of claim 27 wherein organizing the system database into software packages comprises associating a new object with an existing software package if another object in the existing software package created the new object.
  - 35. The method of claim 27 further comprising categorizing a software package as suspected malware if an object in the software package attempts to modify a memory space assigned to another executing object.
  - 36. The method of claim 27 wherein organizing the system database into software packages comprises comparing the system database with a reference database containing known software packages and associated objects having a causal tree structure.
  - 37. The method of claim 27 wherein organizing the system database into software packages comprises assigning recognizable names to the packages.
  - 38. The method of claim 37 wherein assigning recognizable names to the packages comprises comparing a hash of files associated with the package with a database of known hashes.
  - 39. The method of claim 37 wherein assigning recognizable names to the packages comprises comparing a URL of files associated with the package with a database of known URLs.
  - 40. The method of claim 27 wherein recording details of the attempts to write data further comprises recording a URL corresponding to an origin of the software program.
  - 42. The method of claim 1 further comprising categorizing an object as suspected malware if the object does not have properties that conform to a predetermined profile for a software package modifying or creating the object.
  - 43. The method of claim 1 further comprising identifying pre-existing objects on the digital storage medium, and initializing the system database to contain the identified pre-existing objects.
  - 44. The method of claim 43 wherein identifying pre-existing objects comprises comparing a hash of files associated with the package with a database of known hashes.
  - 45. The method of claim 1 further comprising switching to a quasi-safe mode that restricts execution of a selected collection of objects.
  - 46. The method of claim 45 wherein switching to quasi-safe mode comprises killing objects in the selected collection of objects that are currently executing.
  - 47. The method of claim 45 wherein switching to the quasi-safe mode comprises preventing initiation of execution of any executable objects in the selected collection of objects.
  - 48. The method of claim 45 wherein the selected collection of objects comprises all non-essential objects.
  - 49. The method of claim 1 further comprising neutralizing a selected collection of objects.
  - 50. The method of claim 49 wherein neutralizing the selected collection of objects comprises moving or deleting indirect links to the objects.
  - 51. The method of claim 49 wherein neutralizing the selected collection of objects comprises moving the objects to a quarantined location.
  - 52. The method of claim 1 further comprising deleting objects in a registered list of objects belonging to a selected software package, deleting remaining objects associated with the selected software package that have extensions indicating they are executable or that have been auto-executed, and moving remaining executable objects associated with the selected software package to a quarantine location.
  - 53. The method of claim 1 further comprising transmitting system database information to a remote computer.
  - 54. The method of claim 53 wherein the system database information comprises information about installed packages.
  - 55. The method of claim 53 wherein the system database information comprises information about suspected malware.
  - 56. The method of claim 1 further comprising receiving and executing a command from a remote computer.
  - 57. The method of claim 56 wherein the command from the remote computer comprises a command to remove a software package from the computer.
  - 58. The method of claim 56 wherein the command from the remote computer comprises a command to search the computer for objects matching a specified malware profile.
  - 59. The method of claim 1 further comprising displaying data from the system database and a set of selectable commands, and allowing a user to select a set of displayed objects and activate one of the selectable commands.
  - 60. The method of claim 1 further comprising displaying data from the system database in an expandable tree structure allowing portions of the tree to be revealed and hidden by a user.
  - 61. The method of claim 1 further comprising displaying data from the system database in an expandable tree structure organized by the causal tree structure of the system database.
  - 62. The method of claim 1 further comprising displaying data from the system database in an flat, linear structure.
  - 63. The method of claim 1 further comprising displaying data from the system database grouped according to software package.
  - 64. The method of claim 1 further comprising displaying data from the system database grouped according to software package, together with associated categorization labels for each package.
  - 65. The method of claim 1 further comprising displaying an identity of an executing process and associated software package that created a displayed item currently being selected by a user using a window inspector tool.
  - 66. The method of claim 1 further comprising categorizing an object as suspected malware if the object is not part of a software package registered with the operating system.

41. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Robot Genius, Inc.
Original Assignee
Robot Genius, Inc.
Inventors
Hormuzdiar, James Noshir, Hsu, Stephen Dao Hui

Granted Patent

US 8,528,087 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Methods for combating malicious software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for combating malicious software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links