Systems and methods for detecting data-stealing malware

US 8,321,940 B1
Filed: 04/30/2010
Issued: 11/27/2012
Est. Priority Date: 04/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting data-stealing malware the method comprising:

detecting an attempt by an untrusted application to access a storage location on a computing device that is known to be used by a legitimate application when storing potentially sensitive information;

determining that the legitimate application is not installed on the computing device by determining that a registry key known to be associated with the legitimate application is not present on the computing device;

determining that the untrusted application represents a potential security risk;

performing a security operation on the untrusted application to protect the computing device from the untrusted application;

wherein the method is performed by at least one processor of the computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.

18 Citations

View as Search Results

17 Claims

1. A computer-implemented method for detecting data-stealing malware the method comprising:
- detecting an attempt by an untrusted application to access a storage location on a computing device that is known to be used by a legitimate application when storing potentially sensitive information;
  
  determining that the legitimate application is not installed on the computing device by determining that a registry key known to be associated with the legitimate application is not present on the computing device;
  
  determining that the untrusted application represents a potential security risk;
  
  performing a security operation on the untrusted application to protect the computing device from the untrusted application;
  
  wherein the method is performed by at least one processor of the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein detecting the attempt by the untrusted application to access the storage location comprises monitoring attempts to access the storage location.
  - 3. The method of claim 1, wherein the storage location comprises at least one of:
    - a registry key;
      
      a file.
  - 4. The method of claim 1, wherein the registry key comprises an uninstall registry key.
  - 5. The method of claim 1, wherein performing the security operation on the untrusted application comprises at least one of:
    - preventing the untrusted application from accessing the storage location;
      
      preventing the computing device from communicating with a computing device that distributed the untrusted application;
      
      deleting the untrusted application from the computing device;
      
      quarantining the untrusted application;
      
      adding the untrusted application to a blacklist database;
      
      updating reputation information associated with the untrusted application in a reputation database.
  - 6. The method of claim 1, wherein the potentially sensitive information comprises at least one of:
    - a password;
      
      an install key;
      
      a license key;
      
      user credentials;
      
      personal user data.
  - 7. The method of claim 1, further comprising determining that the storage location is known to be used by the legitimate application when storing potentially sensitive information by:
    - accessing a list that identifies storage locations known to be used by legitimate applications when storing potentially sensitive information;
      
      determining that the storage location is identified on the list.
  - 8. The method of claim 7, wherein accessing the list comprises at least one of:
    - receiving the list from a security server;
      
      accessing a locally stored copy of the list.
  - 9. The method of claim 7, further comprising identifying the legitimate application by determining that the legitimate application is associated with the storage location within the list.
  - 10. The method of claim 9, wherein identifying the legitimate application further comprises retrieving an application identifier associated with the legitimate application from the list.

11. A system for detecting data-stealing malware, the system comprising:
- a monitoring module programmed to detect an attempt by an untrusted application to access a storage location on a computing device that is known to be used by a legitimate application when storing potentially sensitive information;
  
  an identification module programmed to determine that the legitimate application is not installed on the computing device by determining that a registry key known to be associated with the legitimate application is not present on the computing device;
  
  a security module programmed to;
  
  determine that the untrusted application represents a potential security risk;
  
  perform a security operation on the untrusted application to protect the computing device from the untrusted application;
  
  a processor of the computing device for executing the monitoring module, the identification module, and the security module.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the monitoring module is programmed to monitor attempts to access the storage location.
  - 13. The system of claim 11, wherein the monitoring module is programmed to determine that the storage location is known to be used by the legitimate application when storing potentially sensitive information by:
    - accessing a list that identifies storage locations known to be used by legitimate applications when storing potentially sensitive information;
      
      determining that the storage location is identified on the list.
  - 14. The system of claim 13, wherein the monitoring module is programmed to access the list by at least one of:
    - receiving the list from a security server;
      
      accessing a locally stored copy of the list.
  - 15. The system of claim 13, wherein the monitoring module is programmed to identify the legitimate application by determining that the legitimate application is associated with the storage location within the list.
  - 16. The system of claim 15, wherein the monitoring module is programmed to identify the legitimate application by retrieving an application identifier associated with the legitimate application from the list.

17. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information;
  
  determine that the legitimate application is not installed on the computing device by determining that a registry key known to be associated with the legitimate application is not present on the computing device;
  
  determine that the untrusted application represents a potential security risk;
  
  perform a security operation on the untrusted application to protect the computing device from the untrusted application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane, Satish, Sourabh
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US12/771,433
Time in Patent Office

942 Days
Field of Search

726/22, 726/23, 726/24, 713/165, 713/188, 713/193
US Class Current

726/23
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

Systems and methods for detecting data-stealing malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting data-stealing malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links