Detecting and removing rootkits from within an infected computing system

US 7,631,357 B1
Filed: 10/05/2005
Issued: 12/08/2009
Est. Priority Date: 10/05/2005
Status: Active Grant

First Claim

Patent Images

1. A computer program product for implementing a method for a computing system to detect the presence of a rootkit in the form of rootkit code that, when executed, manipulates responses to a file system, the computing system including an operating system, a storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit detection component, the computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:

an act of initiating a computing system shut down operation;

an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;

an act of the rootkit detection component accessing an enumeration of individual files represented in the snapshot using an alternate file system I/O, wherein;

the operating system comprises the rootkit detection component;

the operating system comprises a first file system I/O;

the alternate file system I/O has a different source code implementation than the first file system I/O for interpreting file system data structures; and

an act of the rootkit detection component using the enumeration to detect the presence of a rootkit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing system configured to detect and/or remove a rootkit. For detection, a snapshot component takes a snapshot of a storage unit. A rootkit detection component accesses an enumeration of individual files stored on the storage unit using an alternative file system I/O to detect the presence of a rootkit. For removal, the location of a rootkit is identified and a computing system shutdown is initiated. A snapshot component pauses the shutdown operation prior to the completion of the shut down and takes a snapshot of a file storage unit. A rootkit repair component accesses the identified location of the portion of the file storage unit containing the rootkit and modifies the portion of the snapshot of the file storage unit so as remove the rootkit.

28 Citations

View as Search Results

19 Claims

1. A computer program product for implementing a method for a computing system to detect the presence of a rootkit in the form of rootkit code that, when executed, manipulates responses to a file system, the computing system including an operating system, a storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit detection component, the computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of initiating a computing system shut down operation;
  
  an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
  
  an act of the rootkit detection component accessing an enumeration of individual files represented in the snapshot using an alternate file system I/O, wherein;
  
  the operating system comprises the rootkit detection component;
  
  the operating system comprises a first file system I/O;
  
  the alternate file system I/O has a different source code implementation than the first file system I/O for interpreting file system data structures; and
  
  an act of the rootkit detection component using the enumeration to detect the presence of a rootkit.
- View Dependent Claims (2, 3, 4, 5, 6, 8)
- - 2. A computer program product in accordance with claim 1, wherein the act of the rootkit detection component using the enumeration to detect the presence of a rootkit comprises:
    - an act of performing a virus scan of the individual files comprising the enumeration.
  - 3. A computer program product in accordance with claim 1, wherein the act of the rootkit detection component using the enumeration to detect the presence of a rootkit comprises:
    - an act of comparing a directory listing reported by the first file system I/O with the enumeration of individual files accessed by the rootkit detection component using the alternate file system I/O.
  - 4. A computer program product in accordance with claim 1, wherein the act of the rootkit detection component using the enumeration to detect the presence of a rootkit comprises:
    - an act of comparing one or more files returned by the first file system I/O with one or more files returned by the alternate file system I/O to thereby determine if a rootkit is corrupting data contained within the one or more files returned by the file system I/O.
  - 5. A computer program product in accordance with claim 1, wherein the alternate file system I/O provides access to an active operating system registry to thereby determine if a rootkit is hiding in the active operating system registry.
  - 6. A computer program product in accordance with claim 1, wherein:
    - each application installed on the operating system, other than the rootkit detection component, uses the first file system I/O to access data and does not use the alternate file system I/O to access data.
  - 8. A computer program product in accordance with claim 1, wherein the alternate file system I/O is not available to applications other than the rootkit detection component.

7. A method for a computing system to detect the presence of a rootkit in the form of rootkit code that, when executed, manipulates responses to a file system, the computing system including, an operating system, a storage unit comprising individual files, a snapshot component configured to take a snapshot of the storage unit, and a rootkit detection component, the method comprising:
- an act of initiating a computing system shut down operation;
  
  an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
  
  an act of the rootkit detection component accessing an enumeration of the individual files represented in the snapshot using an alternate file system I/O, wherein;
  
  the operating system comprises the rootkit detection component;
  
  the operating system comprises a first file system I/O;
  
  the alternate file system I/O has a different source code implementation than the first file system I/O for interpreting file system data structures;
  
  each application installed on the operating system, other than the rootkit detection component, uses the first file system I/O to access data and does not use the alternate file system I/O to access data; and
  
  an act of the rootkit detection component using the enumeration to detect the presence of a rootkit.

9. A computer program product for use in a computing system to remove a rootkit representing rootkit code from a storage unit, wherein the rootkit code, when executed, manipulates responses to a file system, the computing system including the storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit repair component, the computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of identifying a location of a rootkit;
  
  an act of initiating a computing system shut down operation;
  
  an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
  
  an act of the rootkit repair component accessing the identified location of the portion of the storage unit containing the rootkit and modifying the portion of the snapshot of the storage unit so as remove the rootkit; and
  
  an act of rebooting the computing system from the snapshot after the rootkit has been removed from the snapshot.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A computer program product in accordance with claim 9, wherein:
    - the act of rebooting the computing system from the snapshot is performed instead of rebooting the computing system from a normal view of an operating system of the computing system.
  - 11. A computer program product in accordance with claim 9, wherein the act of identifying a location of a rootkit is performed by the rootkit repair component.
  - 12. A computer program product in accordance with claim 9, wherein the act of identifying a location of a rootkit is performed by the snapshot component.
  - 13. A computer program product in accordance with claim 9, wherein the act of initiating a computing system shut down operation is performed by the snapshot component.
  - 14. A computer program product in accordance with claim 9, wherein the rootkit repair component is implemented in one of hardware or software or any combination of hardware and software.
  - 15. A computer program product in accordance with claim 9, wherein the rootkit repair component is embedded in the snapshot component.
  - 16. A computer program product in accordance with claim 9, wherein the act of modifying the portion of the snapshot of the file storage unit so as to remove the rootkit comprises one of removing a directory entry for files associated with the rootkit;
    - or repairing or modifying individual files to remove embedded rootkit code from the individual files.

17. A method for a computing system to remove a rootkit representing rootkit code from a storage unit, wherein the rootkit code, when executed, manipulates responses to a file system, the computing system including the storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit repair component, the method comprising:
- an act of identifying a location of a rootkit;
  
  an act of initiating a computing system shut down operation;
  
  an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
  
  an act of the rootkit repair component accessing the identified location of the portion of the storage unit containing the rootkit and modifying the portion of the snapshot of the storage unit so as remove the rootkit; and
  
  an act of rebooting the computing system from the snapshot after the rootkit has been removed from the snapshot.
- View Dependent Claims (18, 19)
- - 18. A method in accordance with claim 17, wherein:
    - the act of rebooting the computing system from the snapshot is performed instead of rebooting the computing system from a normal view of an operating system of the computing system.
  - 19. A method in accordance with claim 17, wherein the act of modifying the portion of the snapshot of the file storage unit so as to remove the rootkit comprises one of removing a directory entry for files associated with the rootkit;
    - or repairing or modifying individual files to remove embedded rootkit code from the individual files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Stringham, Russell R.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
POGMORE, TRAVIS D

Application Number

US11/243,824
Time in Patent Office

1,525 Days
Field of Search

726 22- 25
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/568 eliminating virus, restorin...

Detecting and removing rootkits from within an infected computing system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and removing rootkits from within an infected computing system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links