System and method for locating malware

US 7,287,279 B2
Filed: 10/01/2004
Issued: 10/23/2007
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for identifying Web sites that may include malware, the method comprising:

receiving an initial Uniform Resource Locator (URL) associated with a Web site;

downloading content associated with the initial URL, the content including Hyper Text Markup Language (HTML), a script program, and code related to a button-click event that executes a function;

searching the HTML in the downloaded content for an embedded URL;

identifying a non-obfuscated URL in the script program;

identifying an obfuscated URL in the script program;

executing the function corresponding to the button-click event;

receiving a new URL as a result of executing the function;

adding the embedded URL, the non-obfuscated URL and the new URL to a URL database; and

adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the obfuscated URL.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing malware is described. One embodiment is designed to receive an initial URL associated with a Web site; download content from that Web site; identify any obfuscation techniques used to hide malware or pointers to malware; interpret those obfuscation techniques; identify a new URL as a result of interpreting the obfuscation techniques; and add the new URL to a URL database.

87 Citations

View as Search Results

12 Claims

1. A method for identifying Web sites that may include malware, the method comprising:
- receiving an initial Uniform Resource Locator (URL) associated with a Web site;
  
  downloading content associated with the initial URL, the content including Hyper Text Markup Language (HTML), a script program, and code related to a button-click event that executes a function;
  
  searching the HTML in the downloaded content for an embedded URL;
  
  identifying a non-obfuscated URL in the script program;
  
  identifying an obfuscated URL in the script program;
  
  executing the function corresponding to the button-click event;
  
  receiving a new URL as a result of executing the function;
  
  adding the embedded URL, the non-obfuscated URL and the new URL to a URL database; and
  
  adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the obfuscated URL.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - searching the HTML for a text string corresponding to malware.
  - 3. The method of claim 1, further comprising:
    - searching the script program for a text string corresponding to malware.
  - 4. The method of claim 1, further comprising:
    - identifying obfuscated text strings in the script program; and
      
      interpreting the obfuscated text strings.
  - 5. The method of claim 4, further comprising:
    - adding the initial URL to the URL database; and
      
      responsive to identifying obfuscated text strings in the script program, adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the initial URL.

6. A method for identifying malware, the method comprising:
- receiving an initial Uniform Resource Locator (URL) associated with a Web site;
  
  downloading content associated with the initial URL, the content including a script program;
  
  identifying obfuscation techniques in the script program;
  
  interpreting the obfuscation techniques;
  
  identifying a new URL as a result of interpreting the obfuscation techniques;
  
  adding the new URL to a URL database; and
  
  adding a high-priority indicator to the URL database, the high-priority indicator corresponding to the new URL and the high-priority indicator indicating that the new URL is likely to be associated with malware.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, further comprising:
    - downloading additional content from a Web site associated with the new URL; and
      
      determining whether the additional content downloaded from the Web site associated with the new URL includes malware.
  - 8. The method of claim 6, further comprising:
    - downloading additional content from the new URL;
      
      identifying an additional embedded link in the additional content; and
      
      adding the additional embedded link to the URL database.

9. A method for identifying malware, the method comprising:
- downloading content associated with an initial Uniform Resource Locator (URL), the content including an object and an embedded URL;
  
  extracting the embedded URL from the content;
  
  adding the extracted URL to a URL database;
  
  determining whether the object can be verified through text searching;
  
  responsive to the object not being verifiable through text searching, passing the object to an active browser configured to execute the object automatically and to record configuration changes to a computer system on which the active browser operates that occur as a result of executing the object; and
  
  examining the configuration changes to determine whether the object is malware.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein determining whether the object can be verified through text searching comprises:
    - determining whether the object includes obfuscated text.
  - 11. The method of claim 9, wherein determining whether the object can be verified through text searching comprises:
    - determining whether the object includes a form that requires submittal to a remote computer.
  - 12. The method of claim 9, wherein determining whether the object can be verified through text searching comprises:
    - determining whether the object includes a button click event that is configured to run a function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Liston, Bryan M., Bertman, Justin R., Boney, Matthew L.
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US10/956,274
Publication Number

US 20060075500A1
Time in Patent Office

1,117 Days
Field of Search

713/165, 709/224, 709/232, 709/238, 715/736, 715/749, 715/760, 715/238, 715/700, 726 22- 24, 382/100, 382/103
US Class Current

726/23
CPC Class Codes

G06F 21/563 by source code analysis

System and method for locating malware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

System and method for locating malware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others