Detecting surreptitious spyware
First Claim
1. An activities-to-code method for identifying spyware candidates, comprising:
automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
automatically monitoring user update activities of the computer, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which are not surreptitious because they indicate their presence to a user of the computer by performing said user update activities;
identifying at least one spyware candidate by automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities; and
automatically identifying as a spyware candidate at least one group of one or more related processes which performed network transmission activities and did not perform any substantive user update activities;
wherein the method automatically identifies a group of one or more related processes which performed network transmission activities and did not perform any user update activities.
3 Assignments
0 Petitions
Abstract
Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described.
84 Citations
19 Claims
6. A code-by-code method for identifying spyware candidates, comprising:
selecting a group of one or more related processes;
automatically monitoring the selected group of processes for network transmission activities and for user update activities which indicate a process's presence to a user, namely, activities that write to a screen of a device and/or send output to a speaker of the device; and
identifying at least one spyware candidate by automatically determining whether the group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
wherein the method repeats at least once, by selecting another group of one or more related processes, automatically monitoring that group, and automatically determining whether that group performed at least one network transmission activity and did not perform any substantive user update activities.
Dependent claims: 7, 8, 9, 10
11. A computer-readable medium configured by code for performing an anti-spyware method comprising at least one of:
- an activities-to-code method,
- a code-by-code method,
wherein the activities-to-code method if present includes:
automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
automatically monitoring user update activities of the computer which indicate a process's presence to a user, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which perform said user update activities; and
automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
and wherein the code-by-code method if present includes:
selecting a group of one or more related processes;
automatically monitoring the selected group of processes for network transmission activities and/or for user update activities which indicate a process's presence to the user, namely, activities that write to the screen of the computer and/or send output to the speaker of the computer; and
automatically determining whether the group of one or more related processes is likely spyware based at least in part on a result of the monitoring step.
Dependent claims: 12, 13, 14, 15, 16
17. A list identifying at least one suspect software code, the list produced by an anti-spyware method comprising at least one of:
- activities-to-code method steps,
- code-by-code method steps,
wherein the activities-to-code method steps if present include:
automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
automatically monitoring user update activities of the computer which indicate a process's presence to a user, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which perform said user update activities; and
automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
and wherein the code-by-code method steps if present include:
selecting a group of one or more related processes;
automatically monitoring the selected group of processes for network transmission activities and/or for user update activities which indicate a process's presence to the user, namely, activities that write to the screen of the computer and/or send output to the speaker of the computer; and
automatically determining whether the group of one or more related processes is likely spyware based at least in part on a result of the monitoring step.
Dependent claims: 18
19. An activities-to-code method for identifying spyware candidates, comprising:
automatically monitoring network transmission activities of a computer and recording the identities of processes which perform said network transmission activities;
automatically monitoring user update activities of the computer, namely, activities that write to a screen of the computer and/or send output to a speaker of the computer, and recording the identities of processes which are not surreptitious because they indicate their presence to a user of the computer by performing said user update activities;
identifying at least one spyware candidate by automatically comparing recorded identities of processes which perform network transmission activities with recorded identities of processes which perform user update activities, to determine whether any group of one or more related processes performed at least one network transmission activity and did not perform any substantive user update activities;
automatically grouping processes as related on the basis of at least one of the following:
- two related processes each have a hidden file;
- two or more related processes reinstall one another;
- two related processes each interfere with user access to system information;
- two related processes each interfere with user access to anti-virus or anti-spyware information;
- two related processes each interfere with anti-virus or anti-spyware software;
and automatically grouping processes as related on the basis of at least three of the following:
- a process spawned a related process;
- a process loaded a related process;
- a process has code residing in the same directory as code of a related process;
- a process has substantially the same file timestamp as a related process;
- a process has the same author as a related process;
- a process communicates with a related process;
- two related processes have substantially similar registry entries;
- two related processes each have a hidden file;
- two related processes each have a file name substantially similar to a standard operating system file name;
- two related processes each have a process name substantially similar to a standard operating system process name;
- two or more related processes reinstall one another;
- two related processes each interfere with user access to system information;
- two related processes each interfere with user access to anti-virus or anti-spyware information;
- two related processes each interfere with anti-virus or anti-spyware software.
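An added Python sketch (not the patent's own code) of the activities-to-code comparison of claims 1 and 19 and the per-group candidate test of claim 6, run over a constructed process table and activity log. It groups processes on only two of claim 19's relatedness indicators (one spawned the other, or both have code in the same directory) and treats any non-zero screen or speaker output as a substantive user update; both are simplifying assumptions.

```python
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid parent path")  # constructed sample data, not from the patent
Event = namedtuple("Event", "pid kind size")  # kind: net | screen | speaker

PROCS = [
    Proc(100, 1, r"C:\Program Files\Mail\mail.exe"),
    Proc(101, 100, r"C:\Program Files\Mail\spell.exe"),
    Proc(200, 1, r"C:\Users\u\AppData\Temp\svch0st.exe"),
    Proc(201, 200, r"C:\Users\u\AppData\Temp\upd.exe"),
    Proc(300, 1, r"C:\Windows\System32\svchost.exe"),
]
EVENTS = [  # size: bytes sent, pixel area drawn, or ms of audio; constructed
    Event(100, "net", 4096), Event(100, "screen", 800 * 600), Event(101, "screen", 200 * 50),
    Event(200, "net", 512), Event(201, "net", 2048), Event(201, "screen", 0),  # 0-area window
    Event(300, "net", 128),
]

def group_related(procs):
    """Union-find over two of claim 19's relatedness indicators: one process
    spawned the other, or both have code in the same directory."""
    parent = {p.pid: p.pid for p in procs}
    def find(x):
        return x if parent[x] == x else find(parent[x])
    def union(a, b):
        parent[find(a)] = find(b)
    by_dir = defaultdict(list)
    for p in procs:
        if p.parent in parent:        # spawned by a process in the table
            union(p.pid, p.parent)
        by_dir[p.path.rsplit("\\", 1)[0].lower()].append(p.pid)
    for pids in by_dir.values():      # code in the same directory
        for pid in pids[1:]:
            union(pids[0], pid)
    groups = defaultdict(set)
    for p in procs:
        groups[find(p.pid)].add(p.pid)
    return sorted(sorted(g) for g in groups.values())

def spyware_candidates(procs, events, min_size=1):
    """Activities-to-code check: flag a group that transmitted on the network
    while no member made a substantive (size >= min_size) screen/speaker update."""
    candidates = []
    for group in group_related(procs):
        evs = [e for e in events if e.pid in group]
        transmitted = any(e.kind == "net" for e in evs)
        visible = any(e.kind in ("screen", "speaker") and e.size >= min_size for e in evs)
        if transmitted and not visible:
            candidates.append(group)
    return candidates
```

The genuine background service at pid 300 is flagged alongside the hidden pair, which is why the abstract reports candidates to a user or administrator and handles them on their instructions rather than quarantining them outright.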
Specification