Detecting surreptitious spyware

US 7,712,132 B1
Filed: 03/24/2006
Issued: 05/04/2010
Est. Priority Date: 10/06/2005
Status: Active Grant

First Claim

Patent Images

1. An activities-to-code method for identifying spyware candidates, comprising:

automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;

automatically monitoring user update activities of the computer, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which are not surreptitious because they indicate their presence to a user of the computer by performing said user update activities;

identifying at least one spyware candidate by automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities; and

automatically identifying as a spyware candidate at least one group of one or more related processes which performed network transmission activities and did not perform any substantive user update activities;

wherein the method automatically identifies a group of one or more related processes which performed network transmission activities and did not perform any user update activities.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described.

84 Citations

View as Search Results

19 Claims

1. An activities-to-code method for identifying spyware candidates, comprising:
- automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
  
  automatically monitoring user update activities of the computer, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which are not surreptitious because they indicate their presence to a user of the computer by performing said user update activities;
  
  identifying at least one spyware candidate by automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities; and
  
  automatically identifying as a spyware candidate at least one group of one or more related processes which performed network transmission activities and did not perform any substantive user update activities;
  
  wherein the method automatically identifies a group of one or more related processes which performed network transmission activities and did not perform any user update activities.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The activities-to-code method of claim 1, further comprisingautomatically grouping processes as related on the basis of at least one of the following:
    - two related processes each have a hidden file;
      
      two or more related processes reinstall one another;
      
      two related processes each interfere with user access to system information;
      
      two related processes each interfere with user access to anti-virus or anti-spyware information;
      
      two related processes each interfere with anti-virus or anti-spyware software.
  - 3. The activities-to-code method of claim 2, wherein the method automatically groups processes as related on the basis of at least three of the following:
    - a process spawned a related process;
      
      a process loaded a related process;
      
      a process has code residing in the same directory as code of a related process;
      
      a process has substantially the same file timestamp as a related process;
      
      a process has the same author as a related process;
      
      a process communicates with a related process;
      
      two related processes have substantially similar registry entries;
      
      two related processes each have a hidden file;
      
      two related processes each have a file name substantially similar to a standard operating system file name;
      
      two related processes each have a process name substantially similar to a standard operating system process name;
      
      two or more related processes reinstall one another;
      
      two related processes each interfere with user access to system information;
      
      two related processes each interfere with user access to anti-virus or anti-spyware information;
      
      two related processes each interfere with anti-virus or anti-spyware software.
  - 4. The activities-to-code method of claim 1, wherein at least one of the steps of automatically monitoring activities of the computer conforms with at least one of the following:
    - monitoring occurs more frequently for recently added items than for older items, where an item is at least one of;
      
      a process recently created, a process having a recently added or modified file, a process having a recently added or modified registry entry;
      
      monitoring occurs more frequently for application processes than for operating system processes;
      
      monitoring occurs continuously until terminated by the user;
      
      monitoring occurs in bursts for predefined periods of time;
      
      monitoring occurs on a schedule defined by the user.
  - 5. The activities-to-code method of claim 1, wherein at least one of the following holds:
    - the method automatically monitors all network transmission activities of the computer over a period of time;
      
      the method automatically monitors substantially all network transmission activities of the computer over a period of time;
      
      the method automatically monitors all user update activities of the computer over a period of time;
      
      the method automatically monitors substantially all user update activities of the computer over a period of time;
      
      the method automatically monitors all screen update activities of the computer over a period of time;
      
      the method automatically monitors substantially all screen update activities of the computer over a period of time.

6. A code-by-code method for identifying spyware candidates, comprising:
- selecting a group of one or more related processes;
  
  automatically monitoring the selected group of processes for network transmission activities and for user update activities which indicate a process'"'"'s presence to a user, namely, activities that write to a screen of a device and/or send output to a speaker of the device; and
  
  identifying at least one spyware candidate by automatically determining whether the group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
  
  wherein the method repeats at least once, by selecting another group of one or more related processes, automatically monitoring that group, and automatically determining whether that group performed at least one network transmission activity and did not perform any substantive user update activities.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The code-by-code method of claim 6, wherein the method conforms with at least one of the following:
    - the method rules-in code as likely spyware by identifying corresponding process groups which perform at least one network transmission activity without performing any substantive user update activities during a monitoring period;
      
      the method rules-out code as unlikely spyware by identifying corresponding process groups which do not perform any network transmission activity during a monitoring period;
      
      the method rules-out code as unlikely spyware by identifying corresponding process groups which perform substantive user update transmission activity during a monitoring period.
  - 8. The code-by-code method of claim 6, wherein the step of selecting a group of one or more related processes selects processes in response to an interactive designation of at least one process of the group by a user.
  - 9. The code-by-code method of claim 6, wherein the step of selecting a group of one or more related processes selects processes automatically without requiring a user to designate any process of the group.
  - 10. The code-by-code method of claim 6, wherein the selecting step favors selection of a process belonging to at least one of the following groups over processes which do not belong to said group(s), and does so for each of at least four processes and a respective at least four of said groups:
    - operating system processes;
      
      recently added item processes;
      
      processes that are not digitally signed;
      
      processes added after a visit to a site containing adult content;
      
      processes added after a peer-to-peer communication;
      
      processes which reinstall themselves;
      
      processes which run without being manually launched by a user;
      
      processes which make no calls to operating system screen output routines;
      
      processes which contain no graphical user interface calls;
      
      processes which have at least one hidden file;
      
      processes which are related to an already selected process;
      
      processes which interfere with user access to system information;
      
      processes which interfere with user access to anti-malware information;
      
      processes which interfere with anti-malware software.

11. A computer-readable medium configured by code for performing an anti-spyware method comprising at least one of:
- an activities-to-code method, a code-by-code method,wherein the activities-to-code method if present includes;
  
  automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
  
  automatically monitoring user update activities of the computer which indicate a process'"'"'s presence to a user, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer and recording the identities of processes which perform said user update activities; and
  
  automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
  
  and wherein the code-by-code method if present includes;
  
  selecting a group of one or more related processes;
  
  automatically monitoring the selected group of processes for network transmission activities and/or for user update activities which indicate a process'"'"'s presence to the user, namely, activities that write to the screen of the computer and/or send output to the speaker of the computer; and
  
  automatically determining whether the group of one or more related processes is likely spyware based at least in part on a result of the monitoring step.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The configured medium of claim 11, wherein a method present further comprises automatically identifying as a spyware candidate at least one group of one or more related processes which performed network transmission activities and did not perform any substantive user update activities.
  - 13. The configured medium of claim 11, wherein the method present automatically monitors user update activities in the form of screen updates.
  - 14. The configured medium of claim 11, wherein the method present automatically groups processes as related on the basis of at least one of the following:
    - a process spawned a related process;
      
      a process loaded a related process;
      
      a process has code residing in the same directory as code of a related process;
      
      a process has substantially the same file timestamp as a related process;
      
      a process has the same author as a related process;
      
      a process communicates with a related process;
      
      two related processes have substantially similar registry entries;
      
      two related processes each have a hidden file;
      
      two related processes each have a file name substantially similar to a standard operating system file name;
      
      two related processes each have a process name substantially similar to a standard operating system process name;
      
      two or more related processes reinstall one another;
      
      two related processes each interfere with user access to system information;
      
      two related processes each interfere with user access to anti-virus or anti-spyware information;
      
      two related processes each interfere with anti-virus or anti-spyware software.
  - 15. The configured medium of claim 11, wherein the method present determines that a group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities, and the method further comprises at least one of the following:
    - notifying a user that the group of processes is a spyware candidate;
      
      notifying an administrator that the group of processes is a spyware candidate;
      
      notifying a user that the group of processes is spyware;
      
      notifying an administrator that the group of processes is spyware;
      
      quarantining the group of processes and/or its code;
      
      disabling the group of processes and/or its code from executing on the computer;
      
      removing the group of processes and/or its code from the computer.
  - 16. The configured medium of claim 11, wherein the method present further comprises monitoring user update activity automatically by at least one of:
    - installing a hook for copying text data sent to a screen;
      
      installing a hook for copying pixel data sent to a screen;
      
      installing a hook for copying vector data sent to a screen;
      
      installing a hook for copying window creation data sent to a screen;
      
      installing a hook for copying window update data sent to a screen;
      
      installing a hook for copying window layering data sent to a screen;
      
      installing a virtual device driver;
      
      installing screen activity monitoring code in a call chain of an operating system screen I/O API;
      
      installing an interrupt handler which handles at least one screen I/O interrupt;
      
      installing a peripheral filter using a V×
      
      D service;
      
      using screen monitoring code which shipped as part of an operating system;
      
      trapping writes done directly to video memory.

17. A list identifying at least one suspect software code, the list produced by an anti-spyware method comprising at least one of:
- activities-to-code method steps, code-by-code method steps,wherein the activities-to-code method steps if present include;
  
  automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
  
  automatically monitoring user update activities of the computer which indicate a process'"'"'s presence to a user, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer and recording the identities of processes which perform said user update activities; and
  
  automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
  
  and wherein the code-by-code method steps if present include;
  
  selecting a group of one or more related processes;
  
  automatically monitoring the selected group of processes for network transmission activities and/or for user update activities which indicate a process'"'"'s presence to the user, namely, activities that write to the screen of the computer and/or send output to the speaker of the computer; and
  
  automatically determining whether the group of one or more related processes is likely spyware based at least in part on a result of the monitoring step.
- View Dependent Claims (18)
- - 18. The list of claim 17, wherein the list identifies at least two codes which jointly or severally fall into at least two of the following groups:
    - recently added item processes;
      
      processes that are not digitally signed;
      
      processes added after a visit to a site containing adult content;
      
      processes added after a peer-to-peer communication;
      
      processes which reinstall themselves;
      
      processes which run without being manually launched by a user;
      
      processes which have at least one hidden file;
      
      processes which interfere with user access to system information;
      
      processes which interfere with user access to anti-malware information;
      
      processes which interfere with anti-malware software.

19. An activities-to-code method for identifying spyware candidates, comprising:
- automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
  
  automatically monitoring user update activities of the computer, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which are not surreptitious because they indicate their presence to a user of the computer by performing said user update activities;
  
  identifying at least one spyware candidate by automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
  
  automatically grouping processes as related on the basis of at least one of the following;
  
  two related processes each have a hidden file;
  
  two or more related processes reinstall one another;
  
  two related processes each interfere with user access to system information;
  
  two related processes each interfere with user access to anti-virus or anti-spyware information;
  
  two related processes each interfere with anti-virus or anti-spyware software;
  
  andautomatically grouping processes as related on the basis of at least three of the following;
  
  a process spawned a related process;
  
  a process loaded a related process;
  
  a process has code residing in the same directory as code of a related process;
  
  a process has substantially the same file timestamp as a related process;
  
  a process has the same author as a related process;
  
  a process communicates with a related process;
  
  two related processes have substantially similar registry entries;
  
  two related processes each have a hidden file;
  
  two related processes each have a file name substantially similar to a standard operating system file name;
  
  two related processes each have a process name substantially similar to a standard operating system process name;
  
  two or more related processes reinstall one another;
  
  two related processes each interfere with user access to system information;
  
  two related processes each interfere with user access to anti-virus or anti-spyware information;
  
  two related processes each interfere with anti-virus or anti-spyware software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gula Consulting Limited Liability Company (Intellectual Ventures LLC)
Original Assignee
John W.L. Ogilvie
Inventors
OGILVIE, JOHN W.
Primary Examiner(s)
Song, Hosuk

Application Number

US11/277,453
Time in Patent Office

1,502 Days
Field of Search

726/1, 726 22- 26, 713187-188, 713/200, 707/100, 705/34
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1408 by monitoring network traff...

Detecting surreptitious spyware

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting surreptitious spyware

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links