System and method for scanning memory for pestware offset signatures

US 7,971,249 B2
Filed: 09/14/2009
Issued: 06/28/2011
Est. Priority Date: 04/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for scanning executable memory of a protected system for pestware comprising:

locating a reference point in the executable memory that is associated with a process being executed by a computer via the executable memory;

retrieving a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset based on a predetermined type of pestware, and wherein each of the first and second portions of the executable memory are offset from the reference point; and

identifying the process as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware wherein the second set of information is derived from the first set of information upon execution of the first set of information in the executable memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. A first and second sets of information from corresponding first and second portions of the executable memory are then retrieved. The first and second portions of the executable memory are separated by a defined offset, and each of the first and second portions of the executable memory are offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process.

Citations

18 Claims

1. A method for scanning executable memory of a protected system for pestware comprising:
- locating a reference point in the executable memory that is associated with a process being executed by a computer via the executable memory;
  
  retrieving a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset based on a predetermined type of pestware, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
  
  identifying the process as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware wherein the second set of information is derived from the first set of information upon execution of the first set of information in the executable memory.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the locating the reference point includes locating a starting address of the process.
  - 3. The method of claim 1, wherein the locating the reference point includes locating an API implementation in the process.
  - 4. The method of claim 1, wherein the retrieving includes retrieving op code from the first and second portions of the executable memory.
  - 5. The method according to claim 1, whereinthe defined offset is based on the predetermined type of pestware, andthe process is identified as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware.
  - 6. The method according to claim 1, further comprising:
    - analyzing the first set of information;
      
      identifying the first set of information as being associated with the predetermined type of pestware; and
      
      selecting the defined offset based on the analyzed first set of information.

7. A system for managing pestware comprising:
- a protected computer;
  
  a pestware removal module configured to remove pestware on the protected computer, the protected computer including at least one file storage device and an executable memory; and
  
  a pestware detection module configured to;
  
  locate a reference point in the executable memory that is associated with a process being executed by the protected computer via the executable memory;
  
  retrieve a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset based on a predetermined type of pestware, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
  
  identify the process as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware, wherein the second set of information is derived from the first set of information upon execution of the first set of information in the executable memory.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the pestware detection module is configured to locate a starting address as the reference point.
  - 9. The system of claim 7, wherein the pestware detection module is configured to locate an API implementation as the reference point.
  - 10. The system of claim 7, wherein the pestware detection module is configured to retrieve op code from the first and second portions of the executable memory.
  - 11. The system according to claim 7, whereinthe defined offset is based on the predetermined type of pestware, andthe process is identified as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware.
  - 12. The system according to claim 7, wherein the pestware detection module is further configured to:
    - analyze the first set of information;
      
      identify the first set of information as being associated with the predetermined type of pestware; and
      
      select the defined offset based on the analyzed first set of information.

13. A non-transitory computer readable storage medium storing instructions for scanning executable memory on a protected computer for pestware, the instructions including instructions for:
- locating a reference point in the executable memory that is associated with a process being executed by the protected computer via the executable memory;
  
  retrieving a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset based on a predetermined type of pestware, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
  
  identifying the process as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware wherein the second set of information is derived from the first set of information upon execution of the first set of information in the executable memory.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable medium of claim 13, wherein the instructions for locating the reference point include instructions for locating a starting address of the process.
  - 15. The non-transitory computer readable medium of claim 13, wherein the instructions for locating the reference point include instructions for locating an API implementation in the process.
  - 16. The non-transitory computer readable medium of claim 13, wherein the instructions for retrieving include instructions for retrieving op code from the first and second portions of the executable memory.
  - 17. The non-transitory computer readable storage medium according to claim 13, whereinthe defined offset is based on the predetermined type of pestware, andthe process is identified as the predetermined type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are specific to the predetermined type of pestware.
  - 18. The non-transitory computer readable storage medium according to claim 13, wherein the instructions further include instructions for:
    - analyzing the first set of information;
      
      identifying the first set of information as being associated with the predetermined type of pestware; and
      
      selecting the defined offset based on the analyzed first set of information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Horne, Jefferson Delk
Primary Examiner(s)
Patel; Nirav B

Application Number

US12/559,434
Publication Number

US 20100005530A1
Time in Patent Office

652 Days
Field of Search

726 22- 25, 713/188, 713164-167, 711/200, 714/100, 714/5, 714/25, 714/29, 714/39, 714/47
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

System and method for scanning memory for pestware offset signatures

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for scanning memory for pestware offset signatures

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links