Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using automated IM users
First Claim
1. A computer-assisted method of reducing spread of malware in communications between instant message (IM) clients and an IM server, comprising:
- registering a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
- intercepting one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
- responsive to intercepting the buddy lists of the other IM users, adding one or more fictitious buddies to the buddy lists of some of the other IM users, wherein each of the fictitious buddies is assigned an account name;
- sending a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
- receiving a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies responsive to the message sent using the account name of the one of the fictitious buddies;
- sending a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
- receiving a response to the confirmation message from the IM user; and
- identifying the IM user as a source of malware responsive to content of the response to the confirmation message.
Abstract
Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. A malware trapping system (MTS) creates and registers a set of virtual IM users with an IM server. The virtual IM users include account names by which other users of the IM server can communicate with the virtual IM users. The MTS publicizes the account names of the virtual IM users, which causes sources of malware to illicitly acquire the account names of the virtual IM users. The MTS identifies any IM user sending a message to one of the virtual users as a source of malware. The MTS also identifies such a message as a malware message and collects information about the sources of malware and malware messages and stores the information in a database. An IM filter module, accessing the information stored in the database, identifies and blocks malware messages based on the information.
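The flow in the abstract, combined with the confirmation step from claim 1, can be modelled in a few lines. This is an added example, not code from the patent: the class name, account names, URL-based matching and the rule that only an explicit "no"/"mistake" reply clears a sender are all assumptions made for illustration.

```python
import re

URL_RE = re.compile(r"https?://\S+")

class MalwareTrap:
    """Toy model of the MTS: decoy accounts, confirmation challenge, filter."""
    def __init__(self, decoys):
        self.decoys = set(decoys)   # virtual IM users / fictitious buddies
        self.pending = {}           # sender -> message awaiting confirmation
        self.bad_senders = set()    # "database": identified malware sources
        self.bad_urls = set()       # URLs seen in trapped malware messages

    def on_message(self, sender, recipient, body):
        """Called for every intercepted message; returns the action taken."""
        if sender in self.pending:          # next message is the challenge reply
            return self._on_confirmation(sender, body)
        if recipient in self.decoys:        # decoys have no legitimate contacts
            self.pending[sender] = body
            return "challenge"              # ask the sender to confirm intent
        return "block" if self.is_malware(sender, body) else "deliver"

    def _on_confirmation(self, sender, reply):
        original = self.pending.pop(sender)
        # Assumed policy (the page does not define it): only an explicit
        # "no"/"mistake" clears the sender; any other reply marks a source.
        if reply.strip().lower() in {"no", "mistake"}:
            return "cleared"
        self.bad_senders.add(sender)
        self.bad_urls.update(URL_RE.findall(original))
        return "flagged"

    def is_malware(self, sender, body):
        """IM filter module: match against what the trap has collected."""
        return (sender in self.bad_senders
                or any(u in self.bad_urls for u in URL_RE.findall(body)))

def demo():
    # All account names and messages below are constructed sample data.
    trap = MalwareTrap(decoys={"jenny_nyc_22"})
    lure = "check my pics http://example.test/pics.exe"
    return [
        trap.on_message("bot417", "jenny_nyc_22", lure),   # decoy hit
        trap.on_message("bot417", "jenny_nyc_22", lure),   # bot repeats payload
        trap.on_message("friend9", "alice", "lol http://example.test/pics.exe"),
        trap.on_message("bob", "jenny_nyc_22", "hi, is this Jen?"),
        trap.on_message("bob", "jenny_nyc_22", "No"),      # human says mistake
        trap.on_message("bob", "alice", "lunch at noon?"),
    ]

if __name__ == "__main__":
    print(demo())
```

The third message shows why the trap stores message content as well as sender names: a different account relaying the same URL is blocked even though that account never touched a decoy.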
33 Claims
14. A computer-assisted system for reducing spread of malware in communications between an instant message (IM) client and an IM server, comprising:
- a computer processor for executing computer program instructions;
- a non-transitory computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program instructions comprising instructions for providing:
- a malware trapping system configured to:
  - register a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
  - intercept one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
  - add one or more fictitious buddies to the buddy lists of some of the other IM users responsive to intercepting the buddy lists of the other IM users, wherein each of the fictitious buddies is assigned an account name;
  - send a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
  - receive a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies, responsive to the message sent using the account name of the one of the fictitious buddies;
  - send a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
  - receive a response to the confirmation message from the IM user; and
  - identify the IM user as a source of malware responsive to content of the response to the confirmation message.
23. A computer program product for reducing spread of malware in communications between instant message (IM) clients and an IM server, the computer program product comprising a non-transitory computer-readable storage medium containing executable computer program code for performing a method comprising:
- registering a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
- intercepting one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
- responsive to intercepting the buddy lists of the other IM users, adding one or more fictitious buddies to the buddy lists of some of the other IM users, wherein each of the fictitious buddies is assigned an account name;
- sending a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
- receiving a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies, responsive to the message sent using the account name of the one of the fictitious buddies;
- sending a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
- receiving a response to the confirmation message from the IM user; and
- identifying the IM user as a source of malware responsive to content of the response to the confirmation message.
Specification