FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION

US 20100169969A1
Filed: 08/07/2009
Published: 07/01/2010
Est. Priority Date: 12/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method for preventing malicious attacks on software, using the patching method, comprising the steps of:

i) providing a database of legitimate and known patches, which database contains characteristic code paths of said legitimate patches;

ii) detecting whether a patch is malicious by inspecting one or more characteristic paths of said patch and matching said one or more code paths against said database of legitimate and known patches; and

iii) performing an activity needed to prevent said malicious patch from performing undesired activities.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing malicious attacks on software, using the patching method, includes providing a database of legitimate and known patches, the database contains characteristic code paths of said legitimate patches. The method also includes detecting whether a patch is malicious by inspecting one or more characteristic paths of the patch and matching one or more code paths against the database of legitimate and known patches. An activity needed to prevent the malicious patch from performing undesired activities is then performed.

Citations

12 Claims

1. A method for preventing malicious attacks on software, using the patching method, comprising the steps of:
- i) providing a database of legitimate and known patches, which database contains characteristic code paths of said legitimate patches;
  
  ii) detecting whether a patch is malicious by inspecting one or more characteristic paths of said patch and matching said one or more code paths against said database of legitimate and known patches; and
  
  iii) performing an activity needed to prevent said malicious patch from performing undesired activities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, wherein performing an activity needed to prevent said malicious patch from performing undesired activities comprises making changes to said malicious patch to prevent it from performing undesired activities, or deleting it.
  - 3. A method according to claim 1, wherein performing an activity needed to prevent said malicious patch from performing undesired activities comprises reporting the presence of the malicious path to a receiving entity.
  - 4. A method according to claim 3, wherein said receiving entity is selected from one or more of a remote software agent, a local software agent, or a user.
  - 5. A method according to claim 1, wherein the characteristic code path inspected includes the pointer to the function in the Export Address Table (EAT).
  - 6. A method according to claim 1, wherein the characteristic code path inspected includes the pointer to the function in the Import Address Table (IAT) of the currently loaded modules.
  - 7. A method according to claim 1, wherein the characteristic code path inspected includes the code of the function.
  - 8. A method according to claim 1, comprising providing in the database also information regarding where to look for the next patch.
  - 9. A method according to claim 1, comprising providing in the database also information on how to “
    - linearize”
      
      the code being examined.
  - 10. The method according to claim 1, wherein the process is repeated until no match is found in the database.
  - 11. A method according to claim 1, further comprising, when a malicious patch is detected, correcting the patch by making appropriate changes to the patch, or deleting the patch.
  - 12. The method according to claim 1, wherein the software is a browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Trusteer Ltd (International Business Machines Corporation)
Inventors
Regev, Shmuel, Izmerly, Oleg, Ben-Haim, Eldan, KLEIN, Amit

Granted Patent

US 8,239,940 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 9/328   for runtime instruction pat...

FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links