System and method for scanning obfuscated files for pestware

US 7,349,931 B2
Filed: 04/14/2005
Issued: 03/25/2008
Est. Priority Date: 04/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for scanning files on a protected computer for pestware comprising:

scanning a plurality of files in at least one file storage device of the protected computer;

identifying an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;

analyzing the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;

retrieving information from at least one of the one or more potential pestware processes running in memory; and

analyzing the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware,wherein the analyzing the obfuscated file includes running the obfuscated file in a simulation mode and scanning through the obfuscated file while it is being run in the simulation mode so as to obtain a start address of the one or more potential pestware processes running in memory that are associated with the obfuscated file, andwherein the analyzing the obfuscated file includes identifying a start address of the one or more potential pestware processes by identifying one or more contextual jumps in the obfuscated file as it is being run in the simulation mode.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing multiple related pestware processes on a protected computer are described. In one implementation, a plurality of files in a file storage device of a protected computer are scanned and obfuscated files are identified from among the plurality of files. To identify whether the obfuscated file is a pestware file, one or more potential pestware processes are identified as being associated with the obfuscated file, and the one or more associated process are scanned so as to determine whether the processes, and hence, the obfuscated file, are pestware. In variations, the obfuscated file is analyzed to identify the start address of the associated one or more processes, and the start address is utilized as a reference point from which information located at one or more offsets from the start address is analyzed so as to determine whether the one or more processes are known pestware.

Citations

16 Claims

1. A method for scanning files on a protected computer for pestware comprising:
- scanning a plurality of files in at least one file storage device of the protected computer;
  
  identifying an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
  
  analyzing the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
  
  retrieving information from at least one of the one or more potential pestware processes running in memory; and
  
  analyzing the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware,wherein the analyzing the obfuscated file includes running the obfuscated file in a simulation mode and scanning through the obfuscated file while it is being run in the simulation mode so as to obtain a start address of the one or more potential pestware processes running in memory that are associated with the obfuscated file, andwherein the analyzing the obfuscated file includes identifying a start address of the one or more potential pestware processes by identifying one or more contextual jumps in the obfuscated file as it is being run in the simulation mode.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the identifying includes identifying the obfuscated file as an encrypted file.
  - 3. The method of claim 1, wherein the identifying includes identifying the obfuscated file as a compressed file.
  - 4. The method of claim 1, wherein the retrieving includes retrieving the information at a predefined offset from a start address of the one of the one or more potential pestware processes running in memory.
  - 5. The method of claim 4, wherein the retrieving includes retrieving op code at the predefined offset from the start address of the one of the one or more potential pestware processes running in memory, and wherein the analyzing includes comparing the op code with op code substantially unique to known pestware.
  - 6. The method of claim 1, wherein, upon identifying the contextual jump, patching the contextual jump with the location of a function used to call the obfuscated file in the simulation mode.

7. A system for managing pestware comprising:
- a pestware removal module configured to remove pestware on a protected computer, the protected computer including at least one file storage device and a program memory; and
  
  a pestware detection module configured to;
  
  scan a plurality of files in at least one file storage device of the protected computer;
  
  identify an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
  
  analyze the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
  
  retrieve information from at least one of the one or more potential pestware processes running in memory; and
  
  analyze the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware,wherein the pestware detection module is configured to identify a start address of the one or more potential pestware processes running in memory that are associated with the obfuscated file, andwherein the pestware detection module is configured to identify the start address by locating a contextual lump in the obfuscated file.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the pestware detection module is configured to identify the obfuscated file as an encrypted file.
  - 9. The system of claim 7, wherein the pestware detection module is configured to identify the obfuscated file as a compressed file.
  - 10. The system of claim 7, wherein the pestware detection module is configured to retrieve the information at a predefined offset from a start address of the at least one of the one or more potential pestware processes running in memory.
  - 11. The system of claim 10, wherein the pestware detection module is configured to retrieve op code at the predefined offset from the start address of the at least one of the one or more potential pestware processes running in memory, and wherein the pestware detection module is configured to compare the op code with op code substantially unique to known pestware.
  - 12. The system of claim 7, wherein the pestware detection module is configured to analyze the obfuscated file by:
    - executing the obfuscated file in a simulation mode;
      
      scanning the obfuscated file as it is being run in simulation mode so as to identify a portable executable header, an original entry point in the portable executable header and the at least one contextual jump; and
      
      obtaining, utilizing the original entry point, a reference address;
      
      wherein one or more start addresses for one or more potential pestware processes are identified by utilizing the at least one contextual jump and the reference address.

13. A computer readable medium encoded with instructions for scanning files on a protected computer for pestware, the instructions including instructions for:
- scanning a plurality of files in at least one file storage device of the protected computer;
  
  identifying an obfuscated file from among the plurality of files in the at least one file storage device, wherein one or more potential pestware processes running in memory are associated with the obfuscated file;
  
  analyzing the obfuscated file so as to identify, from among a plurality of processes running in the memory, the one or more potential pestware processes running in memory that are associated with the obfuscated file;
  
  retrieving information from at least one of the one or more potential pestware processes running in memory; and
  
  analyzing the information from the at least one of the one or more potential pestware processes running in memory so as to determine whether the one or more potential pestware processes running in memory is pestware,wherein the analyzing the obfuscated file includes running the obfuscated file in a simulation mode and scanning through the obfuscated file while it is being run in the simulation mode so as to obtain a start address of the one or more potential pestware processes running in memory that are associated with the obfuscated file, andwherein the analyzing the obfuscated file includes identifying a start address of the one or more potential pestware processes by identifying one or more contextual jumps in the obfuscated file as it is being run in the simulation mode.
- View Dependent Claims (14, 15, 16)
- - 14. The computer readable medium of claim 13, wherein the instructions for identifying the obfuscated file include instructions selected from the group consisting of instructions for identifying an encrypted file and instructions for identifying a compressed file.
  - 15. The computer readable medium of claim 13, wherein the instructions for analyzing include instructions for identifying a start address of the one or more potential pestware processes running in memory that are associated with the obfuscated file.
  - 16. The computer readable medium of claim 13, wherein the instructions for analyzing include instructions for identifying a specific API implementation, and instructions for retrieving executable code from one or more offsets in the memory from the specific API implementation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Horne, Jefferson Delk
Primary Examiner(s)
Alam; Shahid
Assistant Examiner(s)
EHICHIOYA, IRETE FRED

Application Number

US11/105,978
Publication Number

US 20060236397A1
Time in Patent Office

1,076 Days
Field of Search

707/1, 707/9, 707/10, 707/205, 711/3, 711/163, 713/150, 713/161, 713/189, 713/190, 713/194, 713/340, 717/140, 726/22, 726/23, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/562 Static detection

G06F 21/57 Certifying or maintaining t...

System and method for scanning obfuscated files for pestware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for scanning obfuscated files for pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links