Method and system for detecting dependent pestware objects on a computer

US 8,255,992 B2
Filed: 01/18/2006
Issued: 08/28/2012
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting pestware on a computer, comprising:

detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;

locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, wherein the pointer to the string is a variable that is located within the executable memory occupied by the primary pestware process and whose value is the address of the string, the string comprising an address of a secondary pestware object stored on the computer, wherein the string is located in the executable memory occupied by the primary pestware process;

following the pointer to the string to ascertain the address of the secondary pestware object;

using the ascertained address to locate the secondary pestware object; and

removing the secondary pestware object from the computer.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting dependent pestware objects on a computer is described. One illustrative embodiment detects a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified; locates, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, the string comprising an address of a secondary pestware object stored on the computer; and follows the pointer to the string to ascertain the address of the secondary pestware object.

83 Citations

20 Claims

1. A method for detecting pestware on a computer, comprising:
- detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, wherein the pointer to the string is a variable that is located within the executable memory occupied by the primary pestware process and whose value is the address of the string, the string comprising an address of a secondary pestware object stored on the computer, wherein the string is located in the executable memory occupied by the primary pestware process;
  
  following the pointer to the string to ascertain the address of the secondary pestware object;
  
  using the ascertained address to locate the secondary pestware object; and
  
  removing the secondary pestware object from the computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising issuing a notification that pestware has been found on the computer.
  - 3. The method of claim 1, wherein the secondary pestware object is executable.
  - 4. The method of claim 1, wherein the secondary pestware object is non-executable.
  - 5. The method of claim 1, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 6. The method of claim 1, wherein the string resides in a string table within the primary pestware process.

7. A system for detecting pestware, comprising:
- a processor; and
  
  a memory containing a plurality of program instructions configured to cause the processor to;
  
  detect a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  locate, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, wherein the pointer to the string is a variable that is located within the executable memory occupied by the primary pestware process and whose value is the address of the string, the string comprising an address of a secondary pestware object stored on the computer, wherein the string is located in the executable memory occupied by the primary pestware process;
  
  follow the pointer to the string to ascertain the address of the secondary pestware object;
  
  cause the processor to use the ascertained address to locate the secondary pestware object; and
  
  remove the secondary pestware object from the computer.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the plurality of program instructions are further configured to cause the processor to issue a notification that pestware has been found on the computer.
  - 9. The system of claim 7, wherein the secondary pestware object is executable.
  - 10. The system of claim 7, wherein the secondary pestware object is non-executable.
  - 11. The system of claim 7, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 12. The system of claim 7, wherein the string resides in a string table within the primary pestware process.

13. A system for detecting pestware on a computer, comprising:
- means for detecting a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  means for locating, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, wherein the pointer to the string is a variable that is located within the executable memory occupied by the primary pestware process and whose value is the address of the string, the string comprising an address of a secondary pestware object stored on the computer, wherein the string is located in the executable memory occupied by the primary pestware process;
  
  means for following the pointer to the string to ascertain the address of the secondary pestware object;
  
  means for locating the secondary pestware object based on the ascertained address; and
  
  means for removing the secondary pestware object from the computer.
- View Dependent Claims (14)
- - 14. The system of claim 13, further comprising:
    - means for issuing a notification that pestware has been found on the computer.

15. A computer-readable storage medium containing program instructions to detect pestware on a computer, comprising:
- a first instruction segment configured to identify a primary pestware process in an executable memory of the computer, the primary pestware process including an associated check value by which the primary pestware process can be identified;
  
  a second instruction segment configured to locate, at a predetermined offset in the executable memory relative to the check value, a pointer to a string, wherein the pointer to the string is a variable that is located within the executable memory occupied by the primary pestware process and whose value is the address of the string, the string comprising an address of a secondary pestware object stored on the computer, wherein the string is located in the executable memory occupied by the primary pestware process;
  
  a third instruction segment configured to follow the pointer to the string to ascertain the address of the secondary pestware object; and
  
  a fourth instruction segment configured to locate the secondary pestware object based on the ascertained address and to remove the secondary pestware object from the computer.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, further comprising:
    - a fifth instruction segment configured to issue a notification that pestware has been found on the computer.
  - 17. The computer-readable storage medium of claim 15, wherein the secondary pestware object is executable.
  - 18. The computer-readable storage medium of claim 15, wherein the secondary pestware object is non-executable.
  - 19. The computer-readable storage medium of claim 15, wherein the pointer comprises a double word that acts as a string verifier for a long string.
  - 20. The computer-readable storage medium of claim 15, wherein the string resides in a string table within the primary pestware process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Horne, Jefferson Delk
Primary Examiner(s)
ZIA, SYED

Application Number

US11/334,307
Publication Number

US 20070169197A1
Time in Patent Office

2,414 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Method and system for detecting dependent pestware objects on a computer

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting dependent pestware objects on a computer

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links