Dynamic detection of computer worms
First Claim
1. A method for detecting malicious computer code in a host computer, the method comprising the steps of:
- identifying a port of a host computer from which executable content does not normally exit the host computer;
- determining whether outbound executable content is addressed to exit the identified port;
- calculating hashes of strings within the outbound executable content;
- comparing the calculated hashes with prestored hashes of strings stored within a runtime database of executable threads, when outbound executable content is addressed to exit the identified port, determining whether a calculated hash matches a prestored hash, and, when a calculated hash matches a prestored hash, determining whether a string from the runtime database is present in the outbound executable content, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on the host computer; and
- when a string from the runtime database is present in the outbound executable content, declaring a suspicion of presence of malicious computer code in the outbound executable content.
Abstract
Methods, apparati, and computer-readable media for detecting malicious computer code in a host computer (1). A method embodiment of the present invention comprises the steps of determining (32) whether data leaving the host computer (1) is addressed to exit a port (15) of the host computer (1) where outbound executable content normally does not appear; when the data is addressed to exit such a port (15), determining (33) whether a string (24) from a pre-established runtime database (9) of executable threads is present in said data; and when a string (24) from said runtime database (9) is present in said data, declaring (34) a suspicion of presence of malicious computer code in said data.
39 Claims
1. A method for detecting malicious computer code in a host computer (independent claim; full text as set out under First Claim above).
Dependent claims: 2 to 20.
21. A computer-readable medium containing computer program instructions for detecting malicious computer code in data leaving a host computer, said computer program instructions for performing the steps of:
- determining whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
- calculating hashes of strings within the outbound executable content;
- comparing the calculated hashes with prestored hashes of strings stored within a runtime database of executable threads;
- when the data is addressed to exit a port where outbound executable content normally does not appear, determining whether a calculated hash matches a prestored hash, and, when a calculated hash matches a prestored hash, determining whether a string from the runtime database of executable threads is present in said data, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on said host computer; and
- when a string from said runtime database is present in said data, declaring a suspicion of presence of malicious computer code in said data.
Dependent claims: 22 to 35.
36. An apparatus for detecting malicious computer code in a host computer, said apparatus comprising:
- a filter adapted to determine whether data leaving the host computer is addressed to exit a port of the host computer where outbound executable content normally does not appear;
- a runtime database containing strings from threads that have executed on said host computer and prestored hashes of the strings, wherein said runtime database is generated in real time by a thread analyzer that analyzes threads being executed on said host computer; and
- coupled to the filter and to the runtime database, a matching module for determining whether a string from the runtime database is present in said data and whether a calculated hash matches a prestored hash.
Dependent claims: 37 to 39.
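The following is an added illustration of the three elements recited in claims 1, 21 and 36 (the port filter, the runtime database of string hashes built by a thread analyzer, and the matching module that confirms a hash hit by checking for the string itself). It is example code written for this page, not code from the patent or its assignee. The watched-port list, the printable-string extraction rule, the executable check by file magic, the choice of SHA-256 as the hash, and the thread image and outbound payloads are all assumptions constructed for the example.

```python
"""Toy version of the detection pipeline described in the claims: a port filter,
a runtime database of string hashes harvested from executing threads, and a
hash-then-string matcher that raises a suspicion.  Added example; every port,
thread image and payload below is constructed sample data."""
import hashlib
import re
from dataclasses import dataclass, field

# Ports from which executable content does not normally leave the host.
# Assumption for this example: SMTP and an IRC-style port are watched; a real
# deployment would derive the set from its own outbound traffic baseline.
WATCHED_PORTS = {25, 6667}

# Minimum printable run treated as a "string" by the hypothetical thread analyzer.
MIN_STRING_LEN = 6
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)


def extract_strings(blob: bytes) -> list[bytes]:
    """Pull printable ASCII runs out of a byte image, like a `strings` pass."""
    return _STRING_RE.findall(blob)


def string_hash(s: bytes) -> str:
    """Hash used for the prestored-hash comparison (SHA-256 chosen for the example)."""
    return hashlib.sha256(s).hexdigest()


@dataclass
class RuntimeDatabase:
    """Strings and their hashes harvested from threads executing on the host."""
    hashes: dict[str, bytes] = field(default_factory=dict)  # hash -> original string

    def analyze_thread(self, code_image: bytes) -> int:
        """Thread-analyzer step: record every string of a running thread's code image.
        Returns the number of entries newly added."""
        before = len(self.hashes)
        for s in extract_strings(code_image):
            self.hashes.setdefault(string_hash(s), s)
        return len(self.hashes) - before


def is_executable_content(data: bytes) -> bool:
    """Crude executable check on the outbound payload (PE 'MZ' or ELF magic)."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    matched: list[bytes] = field(default_factory=list)


def inspect_outbound(dst_port: int, data: bytes, db: RuntimeDatabase) -> Verdict:
    """Filter plus matching module.  Only outbound executable content on a watched
    port is compared against the runtime database; a hash hit is then confirmed
    by checking that the stored string really is present in the data."""
    if dst_port not in WATCHED_PORTS:
        return Verdict(False, "port not watched")
    if not is_executable_content(data):
        return Verdict(False, "not executable content")
    matched = []
    for s in extract_strings(data):
        h = string_hash(s)
        if h in db.hashes and db.hashes[h] in data:  # hash prefilter, then string confirm
            matched.append(s)
    if matched:
        return Verdict(True, "runtime-database string present in outbound executable", matched)
    return Verdict(False, "no runtime-database strings present")


# --- constructed sample data (not real binaries) ---
THREAD_IMAGE = (b"MZ\x90\x00" + b"\x00" * 8 + b"GetProcAddress\x00"
                + b"worker_thread_entry\x00" + b"\x00" * 4)
OUTBOUND_COPY = b"MZ\x90\x00" + b"\x00" * 8 + b"worker_thread_entry\x00" + b"\x00" * 4
OUTBOUND_MAIL = b"Subject: quarterly report\r\n\r\nSee attached.\r\n"


def build_db() -> RuntimeDatabase:
    """Populate the runtime database from the one constructed thread image."""
    db = RuntimeDatabase()
    db.analyze_thread(THREAD_IMAGE)
    return db


if __name__ == "__main__":
    db = build_db()
    for port, payload in ((25, OUTBOUND_COPY), (443, OUTBOUND_COPY), (25, OUTBOUND_MAIL)):
        v = inspect_outbound(port, payload, db)
        print(port, v.suspicious, v.reason, v.matched)
```

The two-stage match mirrors the claim language: the cheap hash comparison runs first, and only a hash hit triggers the substring check, so a collision or a partial string cannot by itself raise a suspicion. A practitioner would also want to drop common library strings (the constructed `GetProcAddress` entry is an example) from the runtime database, since a string shared by every binary on the host would flag any legitimately exported executable.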
Specification