Dynamic detection of computer worms

US 7,293,290 B2
Filed: 02/06/2003
Issued: 11/06/2007
Est. Priority Date: 02/06/2003
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious computer code in a host computer, the method comprising the steps of:

identifying a port of a host computer from which executable content does not normally exit the host computer;

determining whether outbound executable content is addressed to exit the identified port;

calculating hashes of strings within the outbound executable content;

comparing the calculated hashes with prestored hashes of strings stored within a runtime database of executable threads,when outbound executable content is addressed to exit the identified port, determining whether a calculated hash matches a prestored hash, and, when a calculated hash matches a prestored hash, determining whether a string from the runtime database is present in the outbound executable content, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on the host computer; and

when a string from the runtime database is present in the outbound executable content, declaring a suspicion of presence of malicious computer code in the outbound executable content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer-readable media for detecting malicious computer code in a host computer (1). A method embodiment of the present invention comprises the steps of determining (32) whether data leaving the host computer (1) is addressed to exit a port (15) of the host computer (1) where outbound executable content normally does not appear; when the data is addressed to exit such a port (15), determining (33) whether a string (24) from a pre-established runtime database (9) of executable threads is present in said data; and when a string (24) from said runtime database (9) is present in said data, declaring (34) a suspicion of presence of malicious computer code in said data.

98 Citations

View as Search Results

39 Claims

1. A method for detecting malicious computer code in a host computer, the method comprising the steps of:
- identifying a port of a host computer from which executable content does not normally exit the host computer;
  
  determining whether outbound executable content is addressed to exit the identified port;
  
  calculating hashes of strings within the outbound executable content;
  
  comparing the calculated hashes with prestored hashes of strings stored within a runtime database of executable threads,when outbound executable content is addressed to exit the identified port, determining whether a calculated hash matches a prestored hash, and, when a calculated hash matches a prestored hash, determining whether a string from the runtime database is present in the outbound executable content, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on the host computer; and
  
  when a string from the runtime database is present in the outbound executable content, declaring a suspicion of presence of malicious computer code in the outbound executable content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the outbound executable content is in the form of packets.
  - 3. The method of claim 1 wherein the outbound executable content is stream data.
  - 4. The method of claim 1 wherein the identified port comprises an HTTP Internet port.
  - 5. The method of claim 1 wherein the identified port comprises port 80.
  - 6. The method of claim 1 wherein the thread analyzer:
    - takes a hash of each thread being executed on the host computer; and
      
      for each hash, stores the hash and a corresponding string from the thread in the runtime database only if the hash is not already present in the runtime database.
  - 7. The method of claim 1 wherein the thread analyzer is coupled to a tracking module associated with a multi-threading operating system resident on the host computer.
  - 8. The method of claim 7 wherein the tracking module comprises one of:
    - tracker.sys and filter.sys.
  - 9. The method of claim 1 wherein the thread analyzer creates a record for each thread that executes on the host computer, each record comprising a thread identification, a string representative of the thread, and a start address of the string.
  - 10. The method of claim 9 wherein each string in the runtime database has a pre-established fixed length.
  - 11. The method of claim 9 wherein each record further comprises a start address of the string, a location from the group of locations comprising a start address of the thread, and a start address following a jump instruction within the thread.
  - 12. The method of claim 9 wherein each record further comprises a hash of the string.
  - 13. The method of claim 12 wherein just a portion of the string is hashed.
  - 14. The method of claim 1 wherein a suspicion of presence of malicious code in the outbound executable content is flagged to a user of the host computer.
  - 15. The method of claim 1 wherein outbound executable content suspected of containing malicious code is subjected to a false positive mitigation procedure.
  - 16. The method of claim 15 wherein the false positive mitigation procedure comprises checking outbound executable content for the presence of a digital signature from a trusted party.
  - 17. The method of claim 15 wherein the false positive mitigation procedure comprises subjecting the outbound executable content to further analysis.
  - 18. The method of claim 15 wherein the false positive mitigation procedure comprises allowing a process from a list of pre-approved processes to access the port.
  - 19. The method of claim 18 wherein the list comprises the process calc.exe.
  - 20. The method of claim 1 farther comprising the step of:
    - when a string from the runtime database of executable threads is not present in the outbound executable content, allowing the outbound executable content to exit the host computer.

21. A computer-readable medium containing computer program instructions for detecting malicious computer code in data leaving a host computer, said computer program instructions for performing the steps of:
- determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
  
  calculating hashes of strings within the outbound executable content;
  
  comparing the calculated hashes with prestored hashes of strings stored within a runtime database of executable threads;
  
  when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a calculated hash matches a prestored hash, and, when a calculated hash matches a prestored hash, determining whether a string from the runtime database of executable threads is present in said data, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on said host computer; and
  
  when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 22. The computer readable medium of claim 21 further comprising instructions for, when a string from the runtime database is present in the outbound executable content, performing the step of quarantining the the outbound executable content.
  - 23. The computer readable medium of claim 21 further comprising instructions for, when a string from the runtime database is present in the outbound executable content, performing the step of repairing the outbound executable content.
  - 24. The computer readable medium of claim 21 further comprising instructions for, when a string from the runtime database is present in the outbound executable content, performing the step of deleting from the host computer a process corresponding to a string from the runtime database that has been found to be present in the outbound executable content.
  - 25. The computer readable medium of claim 21 further comprising instructions for, when a string from the runtime database is present in the outbound executable content, performing the step of stopping the outbound executable content from exiting the host computer.
  - 26. The computer readable medium of claim 21 further comprising instructions for, prior to said second determining step, performing the step of decoding the outbound executable content.
  - 27. The computer readable medium of claim 21 further comprising instructions for, prior to said second determining step, the step of ascertaining whether the outbound executable content is encoded.
  - 28. The computer readable medium of claim 21 further comprising instructions for performing the step of specifying threads that are to be represented in the runtime database.
  - 29. The computer readable medium of claim 21 further comprising instructions for performing the step of eliminating excess information from the runtime database.
  - 30. The computer readable medium of claim 29 wherein the eliminating step comprises removing a string from the runtime database upon the command of an operating system executing on the host computer.
  - 31. The computer readable medium of claim 29 wherein the eliminating step comprises removing a string from the runtime database when a thread corresponding to said string has not executed on the host computer for a preselected period of time.
  - 32. The computer readable medium of claim 29 wherein the eliminating step comprises deleting a string from the runtime database when contents of the database exceed a pre-determined size.
  - 33. The computer readable medium of claim 21, further comprising instructions for, when a string from the runtime database of executable threads is not present in the outbound executable content, performing the step of allowing the outbound executable content to exit the host computer.
  - 34. The computer readable medium of claim 21 further comprising instructions for flagging to a user of the host computer a suspicion of presence of malicious code in the outbound executable content.
  - 35. The computer readable medium of claim 21 further comprising instructions for subjecting outbound executable content suspected of containing malicious code to a false positive mitigation procedure.

36. An apparatus for detecting malicious computer code in a host computer, said apparatus comprising:
- a filter adapted to determine whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
  
  a runtime database containing strings from threads that have executed on said host computer and prestored hashes of the strings, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on said host computer; and
  
  coupled to the filter and to the runtime database, a matching module for determining whether a string from the runtime database is present in said data and whether a calculated hash matches a prestored hash.
- View Dependent Claims (37, 38, 39)
- - 37. The apparatus of claim 36 further comprising a thread analyzer adapted to extract strings from threads executing on the host computer, and to place said strings into said runtime database.
  - 38. The apparatus of claim 36 further comprising:
    - a tracking module adapted to identify threads executing on the host computer; and
      
      a user interface coupled to the tracking module, said user interface adapted to permit a user of the host computer to instruct the tracking module as to threads that should be tracked by said tracking module.
  - 39. The apparatus of claim 36 further comprising, coupled to the runtime database, a garbage collector module for periodically purging contents of said runtime database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US10/360,381
Publication Number

US 20040158725A1
Time in Patent Office

1,734 Days
Field of Search

713/188, 726 23- 26
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/145 the attack involving the pr...

Dynamic detection of computer worms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic detection of computer worms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links