System and method for defining and detecting pestware with function parameters

US 8,171,550 B2
Filed: 08/07/2006
Issued: 05/01/2012
Est. Priority Date: 08/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for generating pestware definitions comprising:

receiving a pestware file;

placing at least a portion of the pestware file into a processor-readable memory;

following a plurality of execution paths within code of the pestware file, wherein each of the execution paths is a potential path that a processor executing the code may follow;

retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter from each of the function calls so as to obtain a plurality of parameters;

storing, in a processor-readable pestware-definition file, a representation of each of the parameters; and

sending the pestware-definition file to a plurality of client devices;

wherein the selected function calls are selected on the basis that the selected function calls include calls to addresses of the processor-readable memory that are outside of the memory occupied by the code of the pestware file.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.

Citations

11 Claims

1. A method for generating pestware definitions comprising:
- receiving a pestware file;
  
  placing at least a portion of the pestware file into a processor-readable memory;
  
  following a plurality of execution paths within code of the pestware file, wherein each of the execution paths is a potential path that a processor executing the code may follow;
  
  retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter from each of the function calls so as to obtain a plurality of parameters;
  
  storing, in a processor-readable pestware-definition file, a representation of each of the parameters; and
  
  sending the pestware-definition file to a plurality of client devices;
  
  wherein the selected function calls are selected on the basis that the selected function calls include calls to addresses of the processor-readable memory that are outside of the memory occupied by the code of the pestware file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the storing includes storing relative locations of where, within the code of the pestware file, each of the function calls associated with the parameters occur.
  - 3. The method of claim 1, wherein the selected function calls are system calls.
  - 4. The method of claim 1 including:
    - simplifying the representation of the relative locations so as to create a simplified representation of the relative locations, wherein the storing includes storing the representation as the simplified representation.
  - 5. The method of claim 1 wherein the retrieving includes:
    - retrieving a string that is indicative of a file name.
  - 6. The method of claim 1, wherein the representation of each of the parameters includes a digital signature of each of the parameters.
  - 7. The method of claim 1, wherein the representation of each of the parameters is a textual representation of each of the parameters.

8. A method for detecting pestware on a computer comprising:
- receiving a file;
  
  placing at least a portion of the file into a processor-readable memory of the computer;
  
  following a plurality of execution paths within code of the pestware file, wherein each of the execution paths is a potential path that a processor executing the code may follow;
  
  retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter from each of the function calls so as to obtain a plurality of parameters;
  
  comparing the plurality of parameters with parameters within a processor-readable pestware-definition file so as to determine whether the file is a potential pestware file; and
  
  quarantining the file in the event the plurality of parameters match a minimum percentage of parameters within the processor-readable pestware-definition file;
  
  wherein the retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter includes identifying calls to addresses to portions of the processor-readable memory that are outside of the memory occupied by the code of the pestware file.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the identifying includes identifying system call parameters within the execution paths.
  - 10. The method of claim 8 including:
    - bypassing, while following the plurality of execution paths, parameters other than system-call parameters and jump instructions.
  - 11. The method of claim 8 including:
    - alerting a user of the computer in the event the particular function-call parameters within the code match a minimum percentage of function-call parameters in the pestware-definition file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Burtscher, Michael
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US11/462,943
Publication Number

US 20080034430A1
Time in Patent Office

2,094 Days
Field of Search

726 22- 24
US Class Current

726/23
CPC Class Codes

G06F 21/562 Static detection

System and method for defining and detecting pestware with function parameters

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for defining and detecting pestware with function parameters

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links