Programmatic communication in the event of host malware infection

US 8,321,943 B1
Filed: 07/30/2009
Issued: 11/27/2012
Est. Priority Date: 07/30/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of advertising presence of communications-blocking malware, comprising:

receiving, at a client, beacon name-generation parameters;

generating a beacon name based at least in part on the received parameters, the beacon name representing a network location;

storing the beacon name;

monitoring access to network communications available to the client;

detecting, responsive to the monitoring, an inability of the client to access a predetermined network address of a security server while still being able to access other network addresses; and

responsive to the detecting, sending a beacon message to the network location represented by the beacon name, the beacon message describing a security state of the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distress signal sender and a distress signal receiver receive beacon-name generation parameters and generate a beacon name based at least in part on the received parameters, the beacon name representing a network location. Responsive to detecting an unexpected lack of access to network communications, the distress signal sender sends a beacon message to the generated beacon name, the beacon message describing a security state of the client. The distress signal receiver detects the beacon message sent by the distress signal sender, and responsive to receiving the beacon message, performs a remedial action.

96 Citations

View as Search Results

17 Claims

1. A computer-implemented method of advertising presence of communications-blocking malware, comprising:
- receiving, at a client, beacon name-generation parameters;
  
  generating a beacon name based at least in part on the received parameters, the beacon name representing a network location;
  
  storing the beacon name;
  
  monitoring access to network communications available to the client;
  
  detecting, responsive to the monitoring, an inability of the client to access a predetermined network address of a security server while still being able to access other network addresses; and
  
  responsive to the detecting, sending a beacon message to the network location represented by the beacon name, the beacon message describing a security state of the client.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the beacon message is sent to the network location represented by the beacon name periodically, the security state indicating that the client has an expected access to network communications.
  - 3. The computer-implemented method of claim 1, further comprising:
    - generating a second beacon name responsive to occurrence of a condition specified by the received parameters, the second beacon name representing a second network location; and
      
      sending a beacon message to the second network represented by the second beacon name.
  - 4. The computer-implemented method of claim 1, wherein the generated beacon name comprises a hostname, and wherein the beacon message is a DNS query requesting an IP address for the hostname.
  - 5. The computer-implemented method of claim 1, wherein the beacon message comprises an identifier of the client.
  - 6. The computer-implemented method of claim 1, wherein the received parameters include a seed value, and wherein the beacon name is generated according to a pseudo-random algorithm that uses the seed value as input.

7. A non-transitory computer-readable storage medium storing a computer program executable by a processor for responding to a client indication of malware infection, actions of the computer program comprising:
- receiving beacon name-generation parameters;
  
  generating a beacon name based at least in part on the received parameters, the beacon name representing a network location;
  
  detecting a beacon message sent by a client device responsive to the client device determining that the client device is unable to access a predetermined network address of a security server but is able to access network addresses other than the address of the security server, the beacon message addressed to the network location represented by the beacon name and describing a security state of the client device; and
  
  responsive to receiving the beacon message, performing a remedial action.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory computer-readable storage medium of claim 7, wherein detection of the beacon message comprises detecting a DNS server failure associated with an attempt to resolve the beacon name.
  - 9. The non-transitory storage medium of claim 8, wherein detecting the DNS server failure comprises identifying a DNS server failure log entry associated with the beacon name.
  - 10. The non-transitory storage medium of claim 7, wherein detection of the beacon message comprises monitoring network traffic for messages addressed to the beacon name.
  - 11. The non-transitory computer-readable storage medium of claim 7, wherein the remedial action comprises sending a notification of malware infection of the client device to a security server.

12. A computer-implemented device for responding to a client indication of malware infection, comprising:
- a computer processor;
  
  a beacon name information repository;
  
  a distress signal receiver module that when executed by the computer processor performs actions comprising;
  
  receiving beacon name-generation parameters;
  
  generating a beacon name based at least in part on the received parameters, the beacon name representing a network location;
  
  storing the received parameters and the generated beacon name in the beacon name information repository;
  
  detecting a beacon message sent by a client device responsive to the client device determining that the client device is unable to access a predetermined network address of a security server but is able to access network addresses other than the address of the security server, the beacon message addressed to the network location represented by the beacon name and describing a security state of the client device; and
  
  responsive to receiving the beacon message, performing a remedial action.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-implemented device of claim 12, wherein the beacon name-generation parameters are distributed to a plurality of devices located remotely from each other, the performed actions further comprising:
    - generating a second beacon name responsive to occurrence of a condition specified by the received parameters, the second beacon name representing a second network location; and
      
      detecting a second beacon message sent by a client device and addressed to the second network location represented by the second beacon name.
  - 14. The computer-implemented device of claim 12, wherein detection of the beacon message comprises detecting a DNS server failure associated with an attempt to resolve the beacon name.
  - 15. The computer-implemented device of claim 14, wherein detecting the DNS server failure comprises identifying a DNS server failure log entry associated with the beacon name.
  - 16. The computer-implemented device of claim 12, wherein detection of the beacon message comprises monitoring network traffic for messages addressed to the beacon name.
  - 17. The computer-implemented device of claim 12, wherein the remedial action comprises sending a notification of malware infection of the client device to a security server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Schepis, Adam, Walters, Robert, Santoyo, Javier
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Sims, Jing

Application Number

US12/512,906
Time in Patent Office

1,216 Days
Field of Search

726 22- 25
US Class Current

726/24
CPC Class Codes

G06F 21/552 involving long-term monitor...

Programmatic communication in the event of host malware infection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Programmatic communication in the event of host malware infection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links