Detecting computer worms as they arrive at local computers through open network shares

US 7,509,680 B1
Filed: 09/01/2004
Issued: 03/24/2009
Est. Priority Date: 09/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting a computer worm being written to a target computer, the method comprising the steps of:

monitoring, by the target computer, files written to the target computer by a source computer through at least one open share providing the source computer with write access to the target computer; and

determining, by the target computer, that an incoming file written to the target computer by the source computer through the at least one open share is infected with a worm, responsive to the incoming file being similar to a file previously written to the target computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A worm detection manager detects computer worms when they arrive at target computers via open network shares. The worm detection manager monitors incoming file system traffic, and determines the source of incoming files. The worm detection manager determines that an incoming file is infected with a worm, responsive to circumstances such as substantially the same file being written to the target computer by a requisite plurality of computers; substantially the same file being written to the target computer a requisite number of times by the same computer; substantially the same file being written to the target computer a requisite number of times within a requisite time period; and substantially the same file being written to the target computer through a requisite number of open shares.

186 Citations

24 Claims

1. A computer implemented method for detecting a computer worm being written to a target computer, the method comprising the steps of:
- monitoring, by the target computer, files written to the target computer by a source computer through at least one open share providing the source computer with write access to the target computer; and
  
  determining, by the target computer, that an incoming file written to the target computer by the source computer through the at least one open share is infected with a worm, responsive to the incoming file being similar to a file previously written to the target computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - responsive to determining that the incoming file is infected with a worm, performing a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 3. The method of claim 2 further comprising:
    - responsive to determining that the incoming file is infected with a worm, quarantining the incoming file; and
      
      providing identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 4. The method of claim 1 further comprising:
    - performing a binary heuristic analysis on the incoming file; and
      
      determining that the incoming file is infected with a polymorphic worm, responsive to the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.
  - 5. The method of claim 4 further comprising:
    - responsive to determining that the incoming file is infected with a polymorphic worm, performing a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 6. The method of claim 5 further comprising:
    - responsive to determining that the incoming file is infected with a polymorphic worm, quarantining the incoming file; and
      
      providing identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 7. The method of claim 1 wherein it is determined that the incoming file is infected with a worm in response to at least one circumstance from a group of circumstances consisting of:
    - substantially the same file being written to the target computer by a requisite plurality of source computers;
      
      substantially the same file being written to the target computer a requisite number of times by a same source computer;
      
      substantially the same file being written to the target computer a requisite number of times within a requisite time period;
      
      substantially the same file being written to the target computer through a requisite number of open shares; and
      
      the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.

8. A computer readable medium containing a computer program product for detecting a computer worm being written to a target computer, the computer readable medium comprising:
- program code for monitoring, by the target computer, files written to the target computer by a source computer through at least one open share providing the source computer with write access to the target computer; and
  
  program code for determining, by the target computer, that an incoming file written to the target computer by the source computer through the at least one open share is infected with a worm, responsive to the incoming file being similar to a file previously written to the target computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8 further comprising:
    - program code for, responsive to determining that the incoming file is infected with a worm, performing a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 10. The computer program product of claim 9 further comprising:
    - program code for, responsive to determining that the incoming file is infected with a worm, quarantining the incoming file; and
      
      program code for providing identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 11. The computer program product of claim 8 further comprising:
    - program code for performing a binary heuristic analysis on the incoming file; and
      
      program code for determining that the incoming file is infected with a polymorphic worm, responsive to the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.
  - 12. The computer program product of claim 11 further comprising:
    - program code for, responsive to determining that the incoming file is infected with a polymorphic worm, performing a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 13. The computer program product of claim 12 further comprising:
    - program code for, responsive to determining that the incoming file is infected with a polymorphic worm, quarantining the incoming file; and
      
      program code for providing identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 14. The computer program product of claim 8 wherein it is determined that the incoming file is infected with a worm in response to at least one circumstance from a group of circumstances consisting of:
    - substantially the same file being written to the target computer by a requisite plurality of source computers;
      
      substantially the same file being written to the target computer a requisite number of times by a same source computer;
      
      substantially the same file being written to the target computer a requisite number of times within a requisite time period;
      
      substantially the same file being written to the target computer through a requisite number of open shares; and
      
      the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.

15. A computer system for detecting a computer worm being written to a target computer, the computer system comprising:
- a software portion configured to monitor, by the target computer, files written to the target computer by a source computer through at least one open share providing the source computer with write access to the target computer; and
  
  a software portion configured to determine, by the target computer, that an incoming file written to the target computer by the source computer through the at least one open share is infected with a worm, responsive to the incoming file being similar to a file previously written to the target computer.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15 further comprising:
    - a software portion configured to, responsive to determining that the incoming file is infected with a worm, perform a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 17. The computer system of claim 16 further comprising:
    - a software portion configured to quarantine the incoming file, responsive to determining that the incoming file is infected with a worm; and
      
      a software portion configured to provide identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 18. The computer system of claim 15 further comprising:
    - a software portion configured to perform a binary heuristic analysis on the incoming file; and
      
      a software portion configured to determine that the incoming file is infected with a polymorphic worm, responsive to the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.
  - 19. The computer system of claim 18 further comprising:
    - a software portion configured to, responsive to determining that the incoming file is infected with a polymorphic worm, perform a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 20. The computer system of claim 19 further comprising:
    - a software portion configured to quarantine the incoming file, responsive to determining that the incoming file is infected with a polymorphic worm; and
      
      a software portion configured to provide identifying information concerning the quarantined file to anti-malicious code software for further processing.
  - 21. The computer system of claim 15 wherein it is determined that the incoming file is infected with a worm in response to at least one circumstance from a group of circumstances consisting of:
    - substantially the same file being written to the target computer by a requisite plurality of source computers;
      
      substantially the same file being written to the target computer a requisite number of times by a same source computer;
      
      substantially the same file being written to the target computer a requisite number of times within a requisite time period;
      
      substantially the same file being written to the target computer through a requisite number of open shares; and
      
      the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.

22. A computer system for detecting a computer worm being written to a target computer, the computer system comprising:
- means for monitoring, by the target computer, files written to the target computer by a source computer through at least one open share providing the source computer with write access to the target computer; and
  
  means for determining, by the target computer, that an incoming file written to the target computer by the source computer through the at least one open share is infected with a worm, responsive to the incoming file being similar to a file previously written to the target computer.
- View Dependent Claims (23, 24)
- - 23. The computer system of claim 22 further comprising:
    - means for, responsive to determining that the incoming file is infected with a worm, performing a step from a group of steps consisting of;
      
      deleting the incoming file;
      
      cleaning the incoming file;
      
      preventing the incoming file from executing on the target computer; and
      
      quarantining the incoming file.
  - 24. The computer system of claim 22 wherein it is determined that the incoming file is infected with a worm in response to at least one circumstance from a group of circumstances consisting of:
    - substantially the same file being written to the target computer by a requisite plurality of source computers;
      
      substantially the same file being written to the target computer a requisite number of times by a same source computer;
      
      substantially the same file being written to the target computer a requisite number of times within a requisite time period;
      
      substantially the same file being written to the target computer through a requisite number of open shares; and
      
      the incoming file exhibiting at least one substantially same suspicious characteristic as at least one other file previously written to the target computer through the at least one open share.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sallam, Ahmed
Primary Examiner(s)
Revak; Christopher A

Application Number

US10/932,609
Time in Patent Office

1,665 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Detecting computer worms as they arrive at local computers through open network shares

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting computer worms as they arrive at local computers through open network shares

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links