Method and system for detecting obfuscatory pestware in a computer memory

US 8,418,245 B2
Filed: 01/18/2006
Issued: 04/09/2013
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for scanning a computer memory for obfuscatory pestware, comprising:

examining, by a pestware detection module, an import address table (IAT) of an executable object in the computer memory to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the computer memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;

locating, by the pestware detection module, the at least one subroutine within the executable object; and

searching, by the pestware detection module, for a predetermined check value at a known offset relative to an address, in the computer memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting obfuscatory pestware in a computer memory is described. One illustrative embodiment identifies, within an executable object, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and searches for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.

52 Citations

View as Search Results

9 Claims

1. A method for scanning a computer memory for obfuscatory pestware, comprising:
- examining, by a pestware detection module, an import address table (IAT) of an executable object in the computer memory to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the computer memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
  
  locating, by the pestware detection module, the at least one subroutine within the executable object; and
  
  searching, by the pestware detection module, for a predetermined check value at a known offset relative to an address, in the computer memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
- View Dependent Claims (4, 7)
- - 4. The method of claim 1, wherein the check value includes a uniform resource locator (URL).
  - 7. The method of claim 1, further comprising:
    - in response to finding the check value at the known offset, performing at least one of notifying a user that pestware has been detected, shielding a computer from pestware, and removing pestware from a computer.

2. A system for detecting obfuscatory pestware, comprising:
- a process; and
  
  a memory connected with the processor, the memory containing a plurality of program instructions executable by the processor, the plurality of program instructions including a pestware detection module to detect pestware on a computer, the pestware detection module being configured to cause the processor to;
  
  examine an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
  
  locate the at least one subroutine within the executable object; and
  
  search for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
- View Dependent Claims (5, 8)
- - 5. The system of claim 2, wherein the check value includes a uniform resource locator (URL).
  - 8. The system of claim 2, further comprising:
    - in response to finding the check value at the known offset, performing at least one of notifying a user that pestware has been detected, shielding a computer from pestware, and removing pestware from a computer.

3. A non-transitory computer-readable storage medium containing program instructions to scan for obfuscatory pestware on a computer, comprising:
- a first instruction segment of a pestware detection module that examines an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
  
  a second instruction segment of the pestware detection module that locates the at least one subroutine within the executable object; and
  
  a third instruction segment of the pestware detection module that searches for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
- View Dependent Claims (6, 9)
- - 6. The non-transitory computer-readable storage medium of claim 3, wherein the check value includes a uniform resource locator (URL).
  - 9. The non-transitory computer-readable storage medium of claim 3, further comprising:
    - in response to finding the check value at the known offset, performing at least one of notifying a user that pestware has been detected, shielding a computer from pestware, and removing pestware from a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Horne, Jefferson Delk
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US11/334,317
Publication Number

US 20070168982A1
Time in Patent Office

2,638 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

Method and system for detecting obfuscatory pestware in a computer memory

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting obfuscatory pestware in a computer memory

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links