Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by analyzing message traffic patterns

US 7,823,200 B2
Filed: 07/01/2005
Issued: 10/26/2010
Est. Priority Date: 07/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-assisted method of reducing the spread of malware in an instant message (IM) system, comprising:

using a computer configured to execute method steps comprising;

examining incoming messages from an IM server to an IM client;

examining outgoing messages from the IM client to the IM server;

analyzing a relationship among the incoming and outgoing messages;

generating a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;

sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;

comparing the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and

determining whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. An IM filter module (IM FM) is configured to examine incoming messages from an IM server to an IM client and outgoing messages from the IM client to the IM server. The IM filter module is further configured to analyze relationship among the incoming and outgoing messages and determine whether one or more messages contain malware based on the analysis of relationship among the incoming and outgoing messages.

Citations

37 Claims

1. A computer-assisted method of reducing the spread of malware in an instant message (IM) system, comprising:
- using a computer configured to execute method steps comprising;
  
  examining incoming messages from an IM server to an IM client;
  
  examining outgoing messages from the IM client to the IM server;
  
  analyzing a relationship among the incoming and outgoing messages;
  
  generating a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
  
  sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
  
  comparing the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
  
  determining whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the act of analyzing the relationship includes:
    - determining whether two or more outgoing messages from an IM user contain identical content.
  - 3. The method of claim 1, wherein the act of analyzing the relationship includes:
    - determining whether two or more messages from an IM user are sent at a time interval that is shorter than can be sent by a person.
  - 4. The method of claim 1, wherein the act of analyzing the relationship includes:
    - determining whether an IM user sends a plurality of messages after receiving one message from another IM user.
  - 5. The method of claim 1, wherein the act of determining whether one or messages contain malware includes:
    - determining that a message contains malware when a content of the message is longer than an average length of content of examined messages.
  - 6. The method of claim 1, wherein the act of determining whether one or more messages contain malware includes:
    - resolving a URL contained in a message sent from the IM server to the IM client; and
      
      identifying the message as containing malware when the URL resolves to a URL that is identical to a known source of malware.
  - 7. The method of claim 1, wherein the act of determining whether one or more messages contain malware includes:
    - parsing a content of a message into individual words; and
      
      identifying the message as containing malware when an average length of the message is longer than an average length of examined messages.
  - 8. The method of claim 1 further comprising:
    - blocking the one or more messages that have been determined as containing malware.
  - 9. The method of claim 1 further comprising:
    - storing, into a database, unique identifiers of the one or more messages that have been determined as containing malware.
  - 10. The method of claim 9 further comprising:
    - blocking any message that is sent by a user of the IM server having an identical unique identifier with any unique identifiers stored in the database.
  - 11. The method of claim 1, wherein the act of determining whether one or more messages contain malware includes:
    - determining that one or more messages contain malware in response to the comparison indicating that at least one of the messages matches the stored information for a likely malware message sent to a virtual user, wherein only malware operators send messages to virtual users.
  - 12. The method of claim 1, wherein the act of analyzing the relationship further includes:
    - determining whether one or more messages from an IM user are sent at a time interval that is shorter than can be sent by a person in response to an event indicating that a buddy is ready to participate in a dialog.
  - 13. The method of claim 1 further comprising:
    - adjusting one or more confidence levels associated with the likely malware messages in the database of information based on the determination of whether one or more messages contain malware.
  - 14. The method of claim 1 further comprising:
    - intercepting one or more communication packets exchanged between the IM server and the IM client, wherein one or more communication packets contain a buddy list of the IM client.
  - 15. The method of claim 14, further comprising:
    - responsive to intercepting the buddy list of the IM client, inserting one or more fictitious buddies into the buddy list.
  - 16. The method of claim 1 further comprising:
    - publicizing the virtual IM accounts of the plurality of the virtual users to make it known that one or more virtual users are available to participate in communications between the IM client and IM server.

17. A computer-assisted system of reducing the spread of malware in an instant message (IM) system, comprising:
- a non-transitory computer-readable storage medium storing executable software modules comprising;
  
  an IM filter module configured to examine incoming messages from an IM server to an IM client and outgoing messages from the IM client to the IM server;
  
  the IM filter module is further configured to;
  
  generate a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
  
  analyze a relationship among the incoming and outgoing messages;
  
  sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
  
  compare the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
  
  determine whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users; and
  
  a computer configured to execute the software modules stored by the computer-readable storage medium.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the IM filter module is further configured to determine whether two or more outgoing messages from an IM user contain an identical content.
  - 19. The system of claim 17, wherein the IM filter module is further configured to determine whether two or more messages from an IM user are sent at a time interval that is shorter than can be sent by a person.
  - 20. The system of claim 17, wherein the IM filter module is further configured to determine that a message contains malware when a content of the message is longer than an average length of content of the examined message.
  - 21. The system of claim 17, wherein the IM filter module is further configured to resolve a URL contained in a message sent from the IM server to the IM client, and identify the message as containing malware when the URL resolves to a URL that is identical to a known source of malware.
  - 22. The system of claim 17 further comprising:
    - a database configured to store unique identifiers of the one or more messages that have been determined as containing malware.
  - 23. The system of claim 22, wherein the IM filter module is further configured to block any message that is sent by a user of the IM server having an identical unique identifier with any unique identifiers stored in the database.
  - 24. The system of claim 17, wherein the IM filter module is further configured to determine that one or more messages contain malware in response to the comparison indicating that at least one of the messages matches the stored information for a likely malware message sent to a virtual user, wherein only malware operators send messages to virtual users.

25. A non-transitory computer-readable storage medium storing executable computer program instructions for reducing the spread of malware in an instant message (IM) system, the computer program instructions comprising computer instructions for configuring a computer to perform the acts of:
- examining incoming messages from an IM server to an IM client;
  
  examining outgoing messages from the IM client to the IM server;
  
  analyzing a relationship among the incoming and outgoing messages;
  
  generating a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
  
  sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
  
  comparing the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
  
  determining whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 26. The non-transitory computer-readable storage medium of claim 25, wherein the instruction for performing the act of analyzing the relationship further includes the instructions to perform the act of:
    - determining whether two or more outgoing messages from an IM user contain an identical content.
  - 27. The non-transitory computer-readable storage medium of claim 25, wherein the instruction for performing the act of analyzing the relationship further includes the instructions to perform the act of:
    - determining whether two or more messages from an IM user are sent at a time interval that is shorter than can be sent by a person.
  - 28. The non-transitory computer-readable storage medium of claim 25, wherein the instruction for performing the act of analyzing the relationship further includes the instructions to perform the act of:
    - determining whether an IM user sends a plurality of messages after receiving one message from another IM user.
  - 29. The non-transitory computer-readable storage medium of claim 25, wherein the instructions for performing the act of determining whether one or more messages contain malware further includes the instructions for performing the act of:
    - determining that a message contains malware when a content of the message is longer than an average length of content of examined messages.
  - 30. The non-transitory computer-readable storage medium of claim 25, wherein the instructions for performing the act of determining whether one or more messages contain malware further includes the instructions for performing the acts of:
    - resolving a URL contained in a message sent from the IM server to the IM client; and
      
      identifying the message as containing malware when the URL resolves to a URL that is identical to a known source of malware.
  - 31. The non-transitory computer-readable storage medium of claim 25, wherein the instructions for performing the act of determining whether one or more messages contain malware further includes the instructions for performing the acts of:
    - parsing a content of a message into individual words; and
      
      identifying the message as containing malware when an average length of the message is longer than an average length of words in the examined messages.
  - 32. The non-transitory computer-readable storage medium of claim 25 further comprising the instructions for performing the act of:
    - blocking the one or more messages that have been determined as containing malware.
  - 33. The non-transitory computer-readable storage medium of claim 25, wherein the instructions for comparing the incoming and outgoing messages with the database further include instructions for performing the act of:
    - comparing a unique identifier for each of the messages with unique identifiers stored in the database for the likely malware messages that were sent to virtual users with virtual IM accounts.
  - 34. The non-transitory computer-readable storage medium of claim 25 wherein the instructions for performing the act of determining whether one or more messages contain malware further include instructions for performing the act of:
    - determining that one or more messages contain malware in response to the comparison indicating that at least one of the messages matches the stored information for a message sent to a virtual user, wherein only malware operators send messages to virtual users.
  - 35. The non-transitory computer-readable storage medium of claim 25 further comprising the instructions for performing the act of:
    - storing, into a database, contents of the one or more messages that have been determined as containing malware.
  - 36. The non-transitory computer-readable storage medium of claim 35 further comprising the instructions for performing the act of:
    - blocking any message that contains an identical content with contents of messages stored in the database.
  - 37. The non-transitory computer-readable storage medium of claim 25, wherein the instruction for performing the act of analyzing relationship further includes the instructions to perform the act of:
    - determining whether one or more messages from an IM user are sent at a time interval that is shorter than can be sent by a person in response to an event indicating that a buddy is ready to participate in a dialog.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Shah, Milan, Lorenzo, Eric Lyle, Roychowdhary, Anandamoy, Gilliland, Arthur William, Desouza, Francis Aurelio, Sakoda, Jon
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Khoshnoodi; Nadia

Application Number

US11/171,250
Publication Number

US 20070006027A1
Time in Patent Office

1,943 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by analyzing message traffic patterns

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by analyzing message traffic patterns

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links