Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using automated IM users

US 7,822,818 B2
Filed: 07/01/2005
Issued: 10/26/2010
Est. Priority Date: 07/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-assisted method of reducing spread of malware in communications between instant message (IM) clients and an IM server, comprising:

registering a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;

intercepting one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;

responsive to intercepting the buddy lists of the other IM users, adding one or more fictitious buddies to the buddy lists of some of the other IM users, wherein each of the fictitious buddies is assigned an account name;

sending a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;

receiving a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies responsive to the message sent using the account name of the one of the fictitious buddies;

sending a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;

receiving a response to the confirmation message from the IM user; and

identifying the IM user as a source of malware responsive to content of the response to the confirmation message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. A malware trapping system (MTS) creates and registers a set of virtual IM users with an IM server. The virtual IM users include account names by which other users of the IM server can communicate with the virtual IM users. The MTS publicizes the account names of the virtual IM users, which causes sources of malware to illicitly acquire the account names of the virtual IM users. The MTS identifies any IM user sending a message to one of the virtual users as a source of malware. The MTS also identifies such a message as a malware message and collects information about the sources of malware and malware messages and stores the information in a database. An IM filter module, accessing the information stored in the database, identifies and blocks malware messages based on the information.

48 Citations

View as Search Results

33 Claims

1. A computer-assisted method of reducing spread of malware in communications between instant message (IM) clients and an IM server, comprising:
- registering a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
  
  intercepting one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
  
  responsive to intercepting the buddy lists of the other IM users, adding one or more fictitious buddies to the buddy lists of some of the other IM users, wherein each of the fictitious buddies is assigned an account name;
  
  sending a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
  
  receiving a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies responsive to the message sent using the account name of the one of the fictitious buddies;
  
  sending a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
  
  receiving a response to the confirmation message from the IM user; and
  
  identifying the IM user as a source of malware responsive to content of the response to the confirmation message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - identifying the IM user as a source of malware responsive to the content of the response to the confirmation message indicating that the IM user did not intend to send the message.
  - 3. The method of claim 1, further comprising:
    - connecting the virtual IM user to a chat room; and
      
      making the presence of the virtual IM user known to other members of the chat room.
  - 4. The method of claim 3, further comprising:
    - participating in a dialog with the other members of the chat room by automatically responding to an input message.
  - 5. The method of claim 4, wherein the act of automatically responding includes:
    - generating a response message by matching an expression contained in the input message with an expression stored in a database that contains input expressions and one or more associated output expressions for each input expression;
      
      orparsing the input message into a parameterized regular expression and generating the response message using one or more of the parsed input expressions.
  - 6. The method of claim 1 further comprising:
    - blocking any message sent by the identified source of malware.
  - 7. The method of claim 1 further comprising:
    - storing into a database an account name of the identified source of malware.
  - 8. The method of claim 7 further comprising:
    - blocking any message that is sent by an IM user of the IM server having an identical or similar account name with any account names stored in the database as sources of malware.
  - 9. The method of claim 1 further comprising:
    - storing into a database content of a message sent by the identified source of malware.
  - 10. The method of claim 9 further comprising:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database as sent by the identified source of malware.
  - 11. The method of claim 1 further comprising:
    - storing into a database a unique identifier of the identified source of malware.
  - 12. The method of claim 11 further comprising:
    - blocking any message that is sent by an IM user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database as sources of malware.
  - 13. The method of claim 1, further comprising adding the virtual IM user to at least one of the buddy lists of the other IM users.

14. A computer-assisted system for reducing spread of malware in communications between an instant message (IM) client and an IM server, comprising:
- a computer processor for executing computer program instructions;
  
  a non-transitory computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program instructions comprising instructions for providing;
  
  a malware trapping system configured to;
  
  register a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
  
  intercept one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
  
  add one or more fictitious buddies to the buddy lists of some of the other IM users responsive to intercepting the buddy lists of the other IM users, wherein each of the fictitious buddies is assigned an account name;
  
  send a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
  
  receive a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies, responsive to the message sent using the account name of the one of the fictitious buddies;
  
  send a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
  
  receive a response to the confirmation message from the IM user; and
  
  identify the IM user as a source of malware responsive to content of the response to the confirmation message.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The system of claim 14, wherein the malware trapping system is further configured to:
    - identify the IM user as the source of malware responsive to the content of the response to the confirmation message indicating that the IM user did not intend to send the message.
  - 16. The system of claim 14, wherein the executable computer program instructions further comprise instructions for providing:
    - a chat room access system configured to connect the virtual IM user to a chat room and to make the presence of the virtual IM user known to other members of the chat room.
  - 17. The system of claim 16, wherein the chat room access system is further configured to participate in a dialog with other members of the chat room by automatically responding to an input message.
  - 18. The system of claim 16, wherein the chat room access system is further configured to generate a response message by matching an expression contained in the input message with an expression stored in a database that contains input expressions and one or more associated output expressions for each input expression.
  - 19. The system of claim 14, wherein the executable computer program instructions further comprise instructions for providing:
    - an IM filter module coupled to the malware trapping system and configured to block any message sent by the identified source of malware.
  - 20. The system of claim 14, wherein the executable computer program instructions further comprise instructions for providing:
    - a database configured to store unique identifiers of sources of malware.
  - 21. The system of claim 20, wherein the executable computer program instructions further comprise instructions for providing:
    - an IM filter module coupled to the malware trapping system and configured to block any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database as sources of malware.
  - 22. The system of claim 14, wherein the malware trapping system is further configured to add the virtual IM user to at least one of the buddy lists of the other IM users.

23. A computer program product for reducing spread of malware in communications between instant message (IM) clients and an IM server, the computer program product comprising a non-transitory computer-readable storage medium containing executable computer program code for performing a method comprising:
- registering a virtual IM user with the IM server, wherein the virtual IM user includes an account name by which other IM users of the IM server are able to communicate with the virtual IM user, and the virtual IM user further includes fictitious information tailored to entice a source of malware to communicate with the virtual IM user;
  
  intercepting one or more communication packets exchanged between the other IM users and the IM server, wherein one or more communication packets contain buddy lists of the other IM users;
  
  responsive to intercepting the buddy lists of the other IM users, adding one or more fictitious buddies to the buddy lists of some of the other IM users, wherein each of the fictitious buddies is assigned an account name;
  
  sending a message, using the account name of one of the fictitious buddies, to one of the other IM users to elicit return messages from a particular type of malware operator, the particular type being one that only sends messages to buddies that have previously sent messages;
  
  receiving a message from an IM user to the virtual IM user, or from an IM user to the one or more fictitious buddies, responsive to the message sent using the account name of the one of the fictitious buddies;
  
  sending a confirmation message to the IM user requesting the IM user to confirm that the IM user intended to send the message to the virtual IM user or to the one or more fictitious buddies;
  
  receiving a response to the confirmation message from the IM user; and
  
  identifying the IM user as a source of malware responsive to content of the response to the confirmation message.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The product of claim 23, further comprising:
    - identifying the IM user as a source of malware responsive to the content of the response to the confirmation message indicating that the IM user did not intend to send the message.
  - 25. The product of claim 23, wherein the method further comprises:
    - connecting the virtual IM user to a chat room; and
      
      making the presence of the virtual IM user known to other members of the chat room.
  - 26. The product of claim 25, wherein the method further comprises participating in a dialog with the other members of the chat room by automatically responding to an input message.
  - 27. The product of claim 26, wherein automatically responding includes:
    - generating a response message by matching an expression contained in the input message with an expression stored in a database that contains input expressions and one or more associated output expressions for each input expression;
      
      orparsing the input message into a parameterized regular expression and generating the response message using one or more of the parsed input expressions.
  - 28. The product of claim 23, wherein the method further comprises:
    - blocking any message sent by the identified source of malware.
  - 29. The product of claim 23, wherein the method further comprises:
    - storing into a database content of a message sent by the identified source of malware.
  - 30. The product of claim 29, wherein the method further comprises:
    - blocking any message that contains an identical or similar content with contents of messages stored in the database as sent by the identified source of malware.
  - 31. The product of claim 23, wherein the method further comprises:
    - storing into a database a unique identifier of the identified source of malware.
  - 32. The product of claim 31, wherein the method further comprises:
    - blocking any message that is sent by an IM user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database as sources of malware.
  - 33. The product of claim 23, wherein the method further comprises adding the virtual IM user to at least one of the buddy lists of the other IM users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lorenzo, Eric Lyle, Roychowdhary, Anandamoy, Gilliland, Arthur William, Desouza, Francis Aurelio, Sakoda, Jon, Shah, Milan
Primary Examiner(s)
Nawaz; Asad M
Assistant Examiner(s)
CHAO, MICHAEL W

Application Number

US11/171,251
Publication Number

US 20070006028A1
Time in Patent Office

1,943 Days
Field of Search

709/202, 709/206, 709/205, 726/22, 712/02
US Class Current

709/206
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using automated IM users

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using automated IM users

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links