Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

US 7,600,258 B2
Filed: 07/01/2005
Issued: 10/06/2009
Est. Priority Date: 07/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-assisted method of reducing spread of malware in an instant message (IM) system, comprising:

intercepting a buddy list sent from an IM server to an IM client;

adding one or more fictitious buddies to the intercepted buddy list;

forwarding the buddy list with the one or more fictitious buddies to the IM client;

identifying that a computer that hosts the IM client sent a message to at least one of the fictitious buddies;

interactively confirming with a user of the IM client whether the user intended to send the message; and

responsive to the user denying sending the message to the at least one of the fictitious buddies, identifying the host computer of the IM client as a source of malware.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. An IM filter module (IM FM) is configured to intercept a buddy list sent from an IM server to an IM client, add one or more fictitious buddies to the intercepted buddy list, and forward the buddy list with the one or more fictitious buddies to the IM client. The IM FM is further configured to identify a computer that hosts the IM client as a source of malware based on messages sent by the IM client to at least one of the fictitious buddies and to determine that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.

36 Citations

View as Search Results

37 Claims

1. A computer-assisted method of reducing spread of malware in an instant message (IM) system, comprising:
- intercepting a buddy list sent from an IM server to an IM client;
  
  adding one or more fictitious buddies to the intercepted buddy list;
  
  forwarding the buddy list with the one or more fictitious buddies to the IM client;
  
  identifying that a computer that hosts the IM client sent a message to at least one of the fictitious buddies;
  
  interactively confirming with a user of the IM client whether the user intended to send the message; and
  
  responsive to the user denying sending the message to the at least one of the fictitious buddies, identifying the host computer of the IM client as a source of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein identifying the host computer of the IM client as a source of malware further comprises:
    - determining that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.
  - 3. The method of claim 1 further comprising:
    - blocking messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 4. The method of claim 1 further comprising:
    - sending a test message to the IM client using an account name of one of the fictitious buddies.
  - 5. The method of claim 4 further comprising:
    - determining that the host computer of the IM client is a source of malware if the IM clientsends a message in response to the test message.
  - 6. The method of claim 4 further comprising:
    - sending a confirmation message to a user of the IM client if the IM client sends a message in response to the test message; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 7. The method of claim 4 further comprising:
    - identifying the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 8. The method of claim 1 further comprising:
    - storing, into a database, unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 9. The method of claim 8 further comprising:
    - blocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 10. The method of claim 1 further comprising:
    - storing, into a database, contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 11. The method of claim 10 further comprising:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database.
  - 12. The method of claim 1 further comprising:
    - identifying, as sources of malware, a plurality of computers each hosting an IM client if messages with identical contents are sent from each of the plurality of host computers.
  - 13. The method of claim 12 further comprising:
    - blocking any message that contains an identical or similar content with contents of messages send by the plurality of host computers identified as sources of malware.

14. A computer-assisted system of reducing spread of malware in an instant message (IM) system, comprising:
- an IM filter module configured to intercept a buddy list sent from an IM server to an IM client, add one or more fictitious buddies to the intercepted buddy list, and forward the buddy list with the one or more fictitious buddies to the IM client; and
  
  the IM filter module further configured to identify that a computer that hosts the IM client sent a message to at least one of the fictitious buddies, interactively confirm with a user of the IM client whether the user intended to send the message, and identify the host computer of the IM client as a source of malware in response to the user denying sending the message to the at least one of the fictitious buddies.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The system of claim 14, wherein the IM filter module is further configured to determine that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.
  - 16. The system of claim 14, wherein the IM filter module is further configured to block messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 17. The system of claim 14, wherein the IM filter module is further configured to send a test message to the IM client using an account name of one of the fictitious buddies.
  - 18. The system of claim 17, wherein the IM filter module is further configured to determine that the host computer of the IM client is a source of malware if the IM client sends a message in response to the test message.
  - 19. The system of claim 17, wherein the IM filter module is further configured to:
    - send a confirmation message to a user of the IM client if the IM client sends a message in response to the test message; and
      
      identify the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 20. The system of claim 17, wherein the IM filter module is further configured to identify the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 21. The system of claim 14 further comprising:
    - a database configured to store unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 22. The system of claim 21, wherein the IM filter module is further configured to block any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 23. The system of claim 14 further comprising:
    - a database configured to store contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 24. The system of claim 23, wherein the IM filter module is further configured to block any message that contains an identical or similar content with contents of messages stored in the database.

25. A computer program product comprising a computer-readable medium storing computer instructions for configuring a computer to perform steps comprising:
- intercepting a buddy list sent from an IM server to an IM client;
  
  adding one or more fictitious buddies to the intercepted buddy list;
  
  forwarding the buddy list with the one or more fictitious buddies to the IM client;
  
  identifying that a computer that hosts the IM client sent a message to at least one of the fictitious buddies;
  
  interactively confirming with a user of the IM client whether the user intended to send the message; and
  
  responsive to the user denying sending the message to the at least one of the fictitious buddies, identifying the host computer of the IM client as a source of malware.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 26. The product of claim 25, wherein the instructions for identifying the host computer of the IM client as a source of malware further comprise instructions for:
    - determining that the host computer of the IM client is a source of malware if a content of the messages sent to the at least one of the fictitious buddies contains malware.
  - 27. The product of claim 25 further comprising instructions for:
    - blocking messages originating from the IM client if the host computer of the IM client has been identified as a source of malware.
  - 28. The product of claim 25 further comprising instructions for:
    - sending a test message to the IM client using an account name of one of the fictitious buddies.
  - 29. The product of claim 28 further comprising instructions for:
    - determining that the host computer of the IM client is a source of malware if the IM client sends a message in response to the test message.
  - 30. The product of claim 28 further comprising instructions for:
    - sending a confirmation message to a user of the IM client if the IM client sends a message in response to the test message; and
      
      identifying the host computer of the IM client as a source of malware if the user denies sending the response message.
  - 31. The product of claim 28 further comprising instructions for:
    - identifying the host computer of the IM client as a source of malware when a response to the test message by the IM client is too fast to be a response by a person.
  - 32. The product of claim 25 further comprising instructions for:
    - storing, into a database, unique identifiers of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 33. The product of claim 32 further comprising instructions for:
    - blocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database.
  - 34. The product of claim 25 further comprising instructions for:
    - storing, into a database, contents of messages sent by the IM client if the host computer of the IM client has been identified as a source of malware.
  - 35. The product of claim 34 further comprising instructions for:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database.
  - 36. The product of claim 25 further comprising instructions for:
    - identifying, as sources of malware, a plurality of computers each hosting an IM client if messages with identical contents are sent from each of the plurality of host computers.
  - 37. The product of claim 36 further comprising instructions for:
    - blocking any message that contains an identical or similar content with contents of messages send by the plurality of host computers identified as sources of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Shah, Milan, Lorenzo, Eric Lyle, Roychowdhary, Anandamoy, Gilliland, Arthur William, Desouza, Francis Aurelio, Sakoda, Jon
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/171,248
Publication Number

US 20070006308A1
Time in Patent Office

1,558 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using fictitious buddies

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links