Thwarting malicious registry mapping modifications and map-loaded module masquerade attacks
Abstract
Apparati, computer-implemented methods, and computer-readable media for thwarting map-loaded module (8) attacks on a digital computer (1). Within the computer (1) is an intermediate location such as a registry (10) containing mappings from generic names (4) of map-loaded modules (8) to specific locations (5) of the map-loaded modules (8). Coupled to the intermediate location (10) is a monitor module (20) adapted to monitor attempts to replace existing mappings (5) of map-loaded modules (8) with replacement mappings (5). Coupled to the map-loaded modules (8) is a file system monitor module (70) adapted to monitor attempts to insert new map-loaded modules (8) into the computer (1). Coupled to the monitor module (20) and to the file system monitor module (70) is a programmable control module (30) adapted to determine when a change in mapping constitutes a malicious code attack.
19 Claims
1. Computer apparatus comprising:
an intermediate location containing mappings from generic map-loaded module names to specific locations of map-loaded modules;
coupled to the intermediate location and to the map-loaded modules, a monitor adapted to monitor changes in mappings from the intermediate location to the map-loaded modules; and
coupled to the monitor, a programmable control module adapted to make a determination that a change in mapping is deemed to constitute a malicious code attack when at least one pre-established rule is satisfied.

2. [preamble of this dependent claim is absent from this page]
an intermediate location monitor module adapted to monitor attempts to replace existing mappings of map-loaded modules with replacement mappings; and
a file system monitor module adapted to monitor attempts to insert new map-loaded modules into the computer.

3. The apparatus of claim 1 wherein the computer is coupled to a computer network.

4. The apparatus of claim 1 wherein there are two categories of rules embodied within the programmable control module:
a first category of rules having a characteristic that the programmable control module makes said determination by itself whenever at least one of said first category of rules is satisfied; and
a second category of rules having a characteristic that whenever at least one of said second category of rules is satisfied, the programmable control module allows said determination to be made by a system administrator.

5. The apparatus of claim 1 wherein the change in mapping is an attempt to register a new map-loaded module with the intermediate location.

6. The apparatus of claim 1 wherein the change in mapping is an attempt to replace a mapping to an original map-loaded module with a mapping to a replacement map-loaded module.

7. The apparatus of claim 1 wherein at least one map-loaded module is a COM (component object model).

8. The apparatus of claim 1 wherein at least one map-loaded module is a software driver.

9. The apparatus of claim 1 wherein the change in mapping involves an original map-loaded module and a replacement map-loaded module; and
one rule is that:
the original map-loaded module is digitally signed by a first author; and
the replacement map-loaded module is digitally signed by a second author who is not in a trusted relationship with respect to the first author.

10. The apparatus of claim 1 wherein the change in mapping involves a new map-loaded module; and
one rule is that:
the new map-loaded module is not digitally signed by someone on a pre-established approved list.

11. The apparatus of claim 1 wherein the change in mapping involves an original map-loaded module having a first pathname and a replacement map-loaded module having a second pathname; and
one rule is that:
the replacement map-loaded module is a newer version of the original map-loaded module; and
the second pathname is different from the first pathname.

12. The apparatus of claim 1 wherein the change in mapping involves a candidate map-loaded module;
a malicious code scan is performed on the candidate map-loaded module; and
one rule is that:
the malicious code scan determines that the candidate map-loaded module contains at least one item from the group of items comprising a virus, a trojan, and a worm.

13. A computer-implemented method for thwarting map-loaded module masquerade attacks on a computer having an intermediate location containing mappings from generic map-loaded module names to specific locations of map-loaded modules, said method comprising the steps of:
monitoring changes in mappings that occur between the intermediate location and the map-loaded modules; and
determining that a change in mapping is deemed to constitute a malicious code attack when at least one pre-established rule is satisfied.

14. [preamble of this dependent claim is absent from this page]
monitoring attempts to insert new map-loaded modules into the computer; and
monitoring attempts to replace existing mappings of map-loaded modules with replacement mappings.

15. The method of claim 13 wherein the determining step comprises the substeps of:
determining whether the at least one pre-established rule that is satisfied is of a first type or a second type;
when at least one rule of the first type is satisfied, declaring that a malicious code attack has occurred; and
when at least one pre-established rule has been satisfied, but no rule of the first type has been satisfied, passing control to a system administrator to make a decision as to whether a malicious code attack has occurred.

16. A computer-readable medium used in conjunction with a digital computer having an intermediate location containing mappings from generic map-loaded module names to specific locations of map-loaded modules, said computer-readable medium containing computer program instructions for performing the steps of:
monitoring changes in mappings that occur between the intermediate location and the map-loaded modules; and
determining that a change in mapping is deemed to constitute a malicious code attack upon the computer when at least one pre-established rule is satisfied.

17. The apparatus of claim 1 wherein the intermediate location is a registry.

18. The computer-implemented method of claim 13 wherein the intermediate location is a registry.

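The rule engine the claims describe (claims 4, 9, 10, 11, 12 and 15) can be shown as a small classifier over mapping-change events. The following is an added illustration, not code from the patent or from any product: the event model (a generic name such as a CLSID mapping to a module with a path, a signer, a version and scan findings), the policy (an approved-signer list and a set of trusted signer pairs), and the sample events are all constructed here. The page lists the rules but does not say which rule belongs to which category; treating the signer-change and scan-positive rules as first-category (automatic verdict) and the unapproved-new-signer and relocated-newer-version rules as second-category (administrator decision) is this example's assumption.

```python
"""Two-category rule engine for mapping changes, after claims 4, 9-12 and 15.
Added example; the Module/MappingChange/Policy types and the sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    path: str
    signer: Optional[str]            # publisher that signed the module, None if unsigned
    version: tuple = (0,)            # comparable version tuple, e.g. (2, 1)
    scan_hits: tuple = ()            # findings of a malicious-code scan, e.g. ("trojan",)


@dataclass(frozen=True)
class MappingChange:
    name: str                        # generic name in the intermediate location, e.g. a CLSID
    new: Module                      # module the mapping will point at after the change
    original: Optional[Module] = None  # None when a new name is being registered (claim 5)


@dataclass(frozen=True)
class Policy:
    approved_signers: frozenset      # claim 10: pre-established approved list
    trusted_pairs: frozenset         # claim 9: (original signer, replacement signer) pairs in a trusted relationship


ATTACK, ESCALATE, ALLOW = "attack", "escalate", "allow"


def _norm(path: str) -> str:
    # Assumption: pathnames are compared case-insensitively with separators unified.
    return path.replace("/", "\\").lower()


def first_category_rules(change: MappingChange, policy: Policy) -> List[str]:
    """Rules on which the control module declares an attack by itself (claim 4, first category)."""
    hits = []
    new, orig = change.new, change.original
    # claim 12: the scan found a virus, trojan or worm in the candidate module
    if any(h in ("virus", "trojan", "worm") for h in new.scan_hits):
        hits.append("scan-positive")
    # claim 9: original signed by author A, replacement signed by author B not trusted relative to A
    if (orig is not None and orig.signer is not None and new.signer is not None
            and new.signer != orig.signer
            and (orig.signer, new.signer) not in policy.trusted_pairs):
        hits.append("untrusted-signer-change")
    return hits


def second_category_rules(change: MappingChange, policy: Policy) -> List[str]:
    """Rules whose satisfaction hands the decision to an administrator (claim 4, second category)."""
    hits = []
    new, orig = change.new, change.original
    # claim 10: a newly registered module not signed by anyone on the approved list
    if orig is None and new.signer not in policy.approved_signers:
        hits.append("new-module-unapproved-signer")
    # claim 11: replacement is a newer version but lives at a different pathname
    if orig is not None and new.version > orig.version and _norm(new.path) != _norm(orig.path):
        hits.append("newer-version-different-path")
    return hits


def classify(change: MappingChange, policy: Policy) -> Tuple[str, List[str]]:
    """Claim 15: any first-type rule -> attack; only second-type rules -> administrator; none -> allow."""
    first = first_category_rules(change, policy)
    second = second_category_rules(change, policy)
    if first:
        return ATTACK, first + second
    if second:
        return ESCALATE, second
    return ALLOW, []


# Constructed policy and events for the demonstration.
POLICY = Policy(
    approved_signers=frozenset({"Contoso Ltd"}),
    trusted_pairs=frozenset({("Contoso Ltd", "Contoso Subsidiary")}),
)


def demo_events() -> dict:
    orig = Module(r"C:\Program Files\Contoso\viewer.dll", "Contoso Ltd", (2, 1))
    tmp = r"C:\Users\bob\AppData\Local\Temp\viewer.dll"
    return {
        "vendor_update": MappingChange("{CLSID-1}", Module(orig.path, "Contoso Ltd", (2, 2)), orig),
        "trusted_successor": MappingChange("{CLSID-1}", Module(orig.path, "Contoso Subsidiary", (2, 1)), orig),
        "relocated": MappingChange("{CLSID-1}", Module(tmp, "Contoso Ltd", (2, 2)), orig),
        "hijack": MappingChange("{CLSID-1}", Module(tmp, "Unknown Publisher", (2, 1)), orig),
        "dropper": MappingChange("{CLSID-2}", Module(r"C:\Temp\helper.dll", None, (1,), ("trojan",))),
        "new_unsigned": MappingChange("{CLSID-3}", Module(r"C:\Temp\other.dll", None)),
    }


if __name__ == "__main__":
    for label, event in demo_events().items():
        verdict, reasons = classify(event, POLICY)
        print(f"{label:18s} {event.name:10s} -> {verdict:8s} {reasons}")
```

Two points of the claims are visible in the verdicts: a vendor update that keeps signer and path is allowed, while the same version bump at a different path (the classic masquerade of dropping a look-alike DLL in a user-writable directory) is routed to an administrator under claim 11, and a replacement signed by a publisher with no trusted relationship to the original signer is declared an attack outright under claim 9. An unsigned replacement of a signed original satisfies neither claim 9 nor claim 10 as worded, so a deployment would want a rule for that case as well.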
Specification