DETECTING MACHINES COMPROMISED WITH MALWARE

US 20100024034A1
Filed: 07/22/2008
Published: 01/28/2010
Est. Priority Date: 07/22/2008
Status: Active Grant

First Claim

Patent Images

1. In a computerized environment comprising one or more computer systems having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a method of detecting the presence of malware at any of the one or more computer systems using a decoy contact, comprising:

installing one or more decoy contacts in a contact store used by one or more messaging applications in a host computer system;

identifying that one or more messages have been sent to any of the one or more decoy contacts from the host computer system; and

determining that the host computer system has been compromised with one or more malware applications based at least in part on the message to the one or more decoy contacts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system can be configured to identify when it has been infected with or otherwise compromised by malware, such as viruses, worms, etc. In one implementation, a computer system receives and installs one or more decoy contacts in a contact store and further installs one or more malware reporting modules that effectively filter outgoing messages. For example, a malware reporting module can redirect messages with a decoy contact address to an alternate inbox associated with the decoy contact. The same malware reporting module, or another module in the system, can also generate one or more reports indicating the presence of malware, either due to detection of the decoy contact address, or due to identifying messages in the decoy contact inbox. The host computer system that sent the message to the decoy contact can then be flagged as infected with malware.

27 Citations

View as Search Results

20 Claims

1. In a computerized environment comprising one or more computer systems having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a method of detecting the presence of malware at any of the one or more computer systems using a decoy contact, comprising:
- installing one or more decoy contacts in a contact store used by one or more messaging applications in a host computer system;
  
  identifying that one or more messages have been sent to any of the one or more decoy contacts from the host computer system; and
  
  determining that the host computer system has been compromised with one or more malware applications based at least in part on the message to the one or more decoy contacts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, further comprising an act of installing one or more malware reporting modules in conjunction with the one or more messaging applications in the host computer system.
  - 3. The method as recited in claim 2, further comprising an act of receiving the one or more messages through the one or more malware reporting modules.
  - 4. The method as recited in claim 2, wherein the one or more malware reporting modules further perform an act of directing at least one of the one or more messages to an alternate inbox associated with the one or more decoy contacts.
  - 5. The method as recited in claim 2, wherein the act of determining that the host computer has been compromised further comprises reviewing a designated address in the one or more messages.
  - 6. The method as recited in claim 2, wherein the act of determining that the host computer has been compromised further comprises reviewing an inbox that corresponds to the one or more decoy contacts.
  - 7. The method as recited in claim 1, further comprising an act of hiding the one or more installed decoy contacts, wherein the one or more installed decoy contacts are unavailable to a user of the host computer system.
  - 8. The method as recited in claim 1, further comprising an act of installing a new set of one or more decoy contacts to replace the previously installed one or more decoy contacts.
  - 9. The method as recited in claim 8, further comprising an act of modifying one more messaging inboxes associated with the previously installed one or more decoy contacts to correspond with the new one or more decoy contacts.
  - 10. The method as recited in claim 9, further comprising an act of determining that an additional message sent from the host computer system is directed to one of the new one or more decoy contacts.
  - 11. The method as recited in claim 10, wherein the act of determining that the additional message is directed to one of the new one or more decoy contacts comprises at least one of:
    - identifying an address of the one or more decoy contacts in the additional message;
      
      oridentifying message in the modified one more messaging inboxes associated with any of the new one or more decoy contacts.

12. In a computerized environment comprising one or more computer systems having installed thereon one or more messaging applications configured to send and receive messages to one or more contacts, a method of configuring a computer system to report the presence of a malware application using messages sent to a decoy contact, comprising:
- identifying one or more messaging applications used by a host computer system;
  
  identifying one or more contact stores that are used by the one or more messaging applications;
  
  sending one or more messages to add one or more decoy contacts in any of the one or more contact stores, and to install one or more malware reporting modules configured at least in part to filter messages sent to the installed one or more decoy contacts;
  
  installing one or more alternate inboxes configured to receive messages directed to the corresponding one or more installed decoy contacts; and
  
  reviewing one or more reports that indicate that a message has been sent to an installed decoy contact.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as recited in claim 12, wherein the one or more installed alternate inboxes are installed locally at the host computer system.
  - 14. The method as recited in claim 12, wherein the one or more installed decoy contacts comprise a messaging address that directs messages to a local area network address.
  - 15. The method as recited in claim 14, wherein the local area network address comprises a network address for the host computer system.
  - 16. The method as recited in claim 12, wherein the one or more installed malware reporting modules prepare the one or more reports that indicate that the message has been sent to an installed decoy contact.
  - 17. The method as recited in claim 12, wherein the one or more alternate contact stores and the one or more alternate inboxes are located on a computer system that is different from the host computer system.
  - 18. The method as recited in claim 12, wherein the one or more malware reporting modules are configured to halt activities by the one or more messaging applications upon detecting the message addressed to any of the one or more decoy contacts.
  - 19. The method as recited in claim 12, wherein the one or more contact stores comprise:
    - existing contacts created by a user of the one or more messaging applications;
      
      the one or more installed decoy contacts; and
      
      one or more addresses parsed from messages in the user'"'"'s inbox or outbox corresponding to the one or more messaging applications.

20. In a computerized environment comprising one or more computer systems having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a computer program storage product having computer-executable instructions stored thereon that, when executed, cause one or more processors to perform a method comprising:
- installing one or more decoy contacts in a contact store used by one or more messaging applications in a host computer system;
  
  identifying that one or more messages have been sent to any of the one or more decoy contacts from the host computer system; and
  
  determining that the host computer system has been compromised with one or more malware applications based at least in part on the message to the one or more decoy contacts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cohen, Rami

Granted Patent

US 8,464,341 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

DETECTING MACHINES COMPROMISED WITH MALWARE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING MACHINES COMPROMISED WITH MALWARE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links