Using domain name service resolution queries to combat spyware

US 7,752,664 B1
Filed: 12/19/2005
Issued: 07/06/2010
Est. Priority Date: 12/19/2005
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for combating spyware, the method comprising:

using a computer to execute method steps, the steps comprising;

maintaining a list of domain names associated with spyware;

monitoring domain name service queries;

detecting a domain name service query on a domain name on the list of domain names associated with spyware; and

responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, resolving the domain name service query to an Internet Protocol (IP) address of a designated computer, the IP address of the designated computer being different from an IP address of the domain name in the domain name service query.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-spyware manager uses domain name service resolution queries to combat spyware. The anti-spyware manager maintains a list of domain names associated with spyware, monitors domain name service queries, and detects queries on domain names on the list. Responsive to detecting a domain name service query on a domain name associated with spyware, the anti-spyware manager forces the domain name service query to resolve to an address not associated with the domain name. Because attempts by spyware to communicate with its home server are now routed to the forced address, the spyware is unable to communicate with its homer server, and thus can neither steal information nor download updates of itself. Additionally, the anti-spyware manager can identify computers that are infected with spyware and clean or quarantine them.

44 Citations

View as Search Results

23 Claims

1. A computer implemented method for combating spyware, the method comprising:
- using a computer to execute method steps, the steps comprising;
  
  maintaining a list of domain names associated with spyware;
  
  monitoring domain name service queries;
  
  detecting a domain name service query on a domain name on the list of domain names associated with spyware; and
  
  responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, resolving the domain name service query to an Internet Protocol (IP) address of a designated computer, the IP address of the designated computer being different from an IP address of the domain name in the domain name service query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the step of monitoring domain name service queries is executed at an enterprise level.
  - 3. The method of claim 2 further comprising:
    - detecting an attempt by a host computer within the enterprise to communicate with the IP address of the designated computer; and
      
      determining that the host computer that made the attempt to communicate with the IP address of the designated computer is infected with spyware.
  - 4. The method of claim 2 further comprising:
    - resolving the domain name service query to an address of a server within the enterprise, wherein the address of the server within the enterprise is not associated with the domain name in the domain name service query.
  - 5. The method of claim 2 further comprising:
    - responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, determining that a host computer from which the query originated is infected with spyware.
  - 6. The method of claim 3 or claim 5 further comprising:
    - responsive to determining that the host computer is infected with spyware, executing a spyware removal program on the host computer.
  - 7. The method of claim 3 or claim 5 further comprising:
    - responsive to determining that the host computer is infected with spyware, quarantining the host computer.
  - 8. The method of claim 1 wherein the step of monitoring domain name service queries is executed by a local host computer.
  - 9. The method of claim 8 further comprising:
    - resolving the domain name service query to an address of the local host computer, wherein the address of the local host computer is not associated with the domain name in the domain name service query.
  - 10. The method of claim 8 further comprising:
    - responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, determining that the local host computer is infected with spyware.
  - 11. The method of claim 9 further comprising:
    - detecting an attempt by a process on the local host computer to communicate with the address of the local host computer to which the resolution of the domain name service query was resolved; and
      
      determining that the local host computer is infected with spyware.
  - 12. The method of claim 11 wherein the step of detecting an attempt by a process on the local host computer to communicate with the address of the local host further comprises:
    - determining a local port of the local host computer on which to listen from the domain name service query;
      
      listening on the determined local port of the local host computer; and
      
      detecting the attempt by the process to communicate with the address of the local host via the local port.
  - 13. The method of claim 11 or 10 further comprising:
    - responsive to determining that the local host computer is infected with spyware, executing a spyware removal program on the local host computer.
  - 14. The method of claim 1 further comprising:
    - selectively allowing some approved communication with domain names associated with spyware.
  - 15. The method of claim 1, further comprising:
    - detecting a host computer attempting to communicate with the IP address of the designated computer; and
      
      determining that the host computer is infected with malware responsive to the detected attempt to communicate with the IP address of the designated computer.

16. A non transitory computer readable storage medium containing executable program code for combating spyware, the computer readable medium comprising program codes for:
- maintaining a list of domain names associated with spyware;
  
  monitoring domain name service queries;
  
  detecting a domain name service query on a domain name on the list of domain names associated with spyware; and
  
  responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, resolving the domain name service query to resolve an Internet Protocol (IP) address of a designated computer, the IP address of the designated computer being different from an IP address of the domain name in the domain name service query.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer readable medium of claim 16 wherein the program code for monitoring domain name service queries is for executing at an enterprise level.
  - 18. The computer readable medium of claim 17 further comprising program codes for:
    - detecting an attempt by a host computer within the enterprise to communicate with the IP address of the designated computer; and
      
      determining that the host computer that made the attempt to communicate with the IP address of the designated computer is infected with spyware.
  - 19. The computer readable medium of claim 17 further comprising program codes for:
    - responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, determining that a host computer from which the query originated is infected with spyware.
  - 20. The computer readable medium of claim 18 or claim 19 further comprising program code for:
    - responsive to determining that the host computer is infected with spyware, executing a spyware removal program on the host computer.
  - 21. The computer readable medium of claim 16 wherein the program code for monitoring domain name service queries is for executing by a local host computer, the computer readable medium further comprising program codes for:
    - resolving the domain name service query to an address of the local host computer, wherein the address of the local host computer is not associated with the domain name in the domain name service query;
      
      determining a local port of the local host computer on which to listen from the domain name service query;
      
      listening on the determined local port of the local host computer;
      
      detecting the attempt by the process to communicate with the address of the local host computer via the local port; and
      
      determining that the local host computer is infected with spyware responsive to the detected attempt.
  - 22. The computer readable medium of claim 16 wherein the program code for monitoring domain name service queries is for executing by a local host computer, the computer readable medium further comprising program code for:
    - responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware, determining that the local host computer is infected with spyware.

23. A computer system for combating spyware, the computer system comprising:
- a computer readable medium storing executable software portions, comprising;
  
  a software portion configured to maintain a list of domain names associated with spyware;
  
  a software portion configured to monitor domain name service queries;
  
  a software portion configured to detect a domain name service query on a domain name on the list of domain names associated with spyware; and
  
  a software portion configured to resolve the domain name service query to an Internet Protocol (IP) address of a designated computer, the IP address of the designated computer being different from an IP address of the domain name in the domain name service query, responsive to detecting the domain name service query on the domain name on the list of domain names associated with spyware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Hernacki, Brian
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
SHEHNI, GHAZAL B

Application Number

US11/313,183
Time in Patent Office

1,660 Days
Field of Search

726 22- 25, 713187-188
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

Using domain name service resolution queries to combat spyware

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Using domain name service resolution queries to combat spyware

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links