IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT

US 20090320136A1
Filed: 06/24/2008
Published: 12/24/2009
Est. Priority Date: 06/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method of computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:

scanning the error report for a memory pattern indicative of an attempt to subvert a security mechanism;

scanning the error report for exception information indicative of a point of attack; and

recording forensic data associated with a result of any of the scanning steps onto a computer-readable storage medium.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also may determine what vulnerability a particular exploit was attempting to use to subvert security mechanism to install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information to build a profile of the spread of an attack and to be able to issue notifications related to increased data collection for errors, including crashes related to suspected services under attack.

Citations

20 Claims

1. A method of computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
- scanning the error report for a memory pattern indicative of an attempt to subvert a security mechanism;
  
  scanning the error report for exception information indicative of a point of attack; and
  
  recording forensic data associated with a result of any of the scanning steps onto a computer-readable storage medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein scanning the error report for a known exploit comprises:
    - scanning the error report for a known exploit at an executable memory location.
  - 3. The method of claim 1, wherein scanning the error report for a memory pattern indicative of an attempt to subvert a security mechanism comprises:
    - scanning for NOPSleds;
      
      scanning for decoder loops;
      
      scanning for other malicious sequences;
      
      scanning for evidence of a disabled defense; and
      
      scanning for a data inconsistency between the error report a known benign condition.
  - 4. The method of claim 3, wherein scanning for malicious sequences comprises scanning for one of malicious text, malicious strings, and malicious binary sequences.
  - 5. The method of claim 1, wherein scanning the error report for the exception information indicative of a point of attack comprises:
    - scanning for a hijacked control structure; and
      
      examining exception information for a location of a vulnerability as indicated by a point of attack.
  - 6. The method of claim 1, further comprising:
    - reporting one of the error report file and the result of the exploit analysis to a system monitor via a network connection.
  - 7. The method of claim 1, further comprising:
    - sending an alert indicating an attack status.
  - 8. The method of claim 1, further comprising:
    - one of collecting and generating a network statistic based on exploit characteristic and occurrence data.
  - 9. The method of claim 1, further comprising:
    - modifying an exploit detection and deterrence process associated with exploit protection responsive to the result of the exploit analysis.
  - 10. The method of claim 9, wherein modifying the exploit detection and deterrence process comprises:
    - setting data collection routines to save extra available data from an error report; and
      
      sending the extra data to the system monitor.
  - 11. The method of claim 9, wherein modifying the exploit detection and deterrence process comprises:
    - scanning to determine whether an exploit protection mechanism is absent or disabled.
  - 12. The method of claim 9, wherein modifying the exploit detection and deterrence process comprises:
    - analyzing at the system monitor a collection of error report data from a plurality of computer systems to determine a pattern of exploit.

13. A system for collecting and managing error report data that determines when an exploit has taken place on one or more networked computers comprising:
- a network connection for receiving error report data from a plurality of networked computers;
  
  a data store for collecting the error report data from the plurality of networked computers;
  
  a notification module responsive to an identification of an exploit in a service of one of the plurality of computers that sends a notice to each of the plurality of computers to collect and forward maximal error data associated with the service;
  
  a data collection module that obtains state data regarding the one of the plurality of computers; and
  
  an analysis module that analyzes data in the data store and state data to produce the identification of the exploit in the service.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the state data is one of a security update, a firewall setting, and an intrusion detection setting.
  - 15. The system of claim 13, wherein the analysis module examines browser error data from a plurality of machines to determine a common web site indicative of a source of an error trigger.
  - 16. The system of claim 13, wherein the notification module updates settings in an intrusion detection module at least at the one of the plurality of computers and alerts an operator of a possible exploit.
  - 17. The system of claim 13, further comprising a statistics module that aggregates exploit metadata to determine one of a type of service under attack, a geographic region under attack, and a system configuration under attack.
  - 18. The system of claim 17, wherein the type of service under attack is one of a domain name server (DNS) service and a printer server service.

19. A method of performing computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
- receiving an error report file;
  
  scanning the error report for a known exploit at an executable memory location;
  
  scanning for NOPSleds;
  
  scanning for a decoder loop;
  
  scanning for each of a malicious text, a malicious string, and a malicious binary sequence;
  
  scanning for evidence of a disabled defense program;
  
  scanning for a hijacked control structure;
  
  examining exception information for a location of a vulnerability that indicates a point of attack; and
  
  reporting one of the error report file and the result of the exploit analysis to a system monitor via a network connection.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - receiving an system policy update from the system monitor;
      
      modifying an exploit detection and deterrence process associated with exploit protection responsive to the system policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kelly, James P., Crowe, Emma L., Carter, David S., Diver, Matthew I., Lucas, Alexander R. G., Thomlinson, Matthew W., Lambert, John J.

Granted Patent

US 8,745,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/36   Preventing errors by testin...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2123   Dummy operation

H04L 63/1433   Vulnerability analysis

IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links