Detecting machines compromised with malware
Abstract
A computer system can be configured to identify when it has been infected with or otherwise compromised by malware, such as viruses, worms, etc. In one implementation, a computer system receives and installs one or more decoy contacts in a contact store and further installs one or more malware reporting modules that effectively filter outgoing messages. For example, a malware reporting module can redirect messages with a decoy contact address to an alternate inbox associated with the decoy contact. The same malware reporting module, or another module in the system, can also generate one or more reports indicating the presence of malware, either due to detection of the decoy contact address, or due to identifying messages in the decoy contact inbox. The host computer system that sent the message to the decoy contact can then be flagged as infected with malware.
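The filtering step the abstract describes, sketched as an added example (not code from the patent or from any product). The class name `MalwareReportingModule`, the decoy address, the host identifier and the sample messages are all constructed for illustration.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Constructed decoy address: unique to this host and never mailed by a person.
DECOY_CONTACTS = {"zz.decoy.7f3a@canary.example"}

# Constructed sample messages.
BENIGN = "From: user@host.example\nTo: alice@corp.example\nSubject: lunch\n\nhi\n"
WORM = ("From: user@host.example\nTo: alice@corp.example, bob@corp.example\n"
        "Cc: Decoy <ZZ.Decoy.7F3A@Canary.Example>\nSubject: see attachment\n\nopen\n")

@dataclass
class MalwareReportingModule:
    """Sits between the messaging application and the network interface."""
    decoys: set
    host_id: str
    reports: list = field(default_factory=list)
    decoy_inbox: list = field(default_factory=list)  # alternate inbox for held mail
    compromised: bool = False

    def __post_init__(self):
        # Match case-insensitively: malware may re-case harvested addresses.
        self.decoys = {d.strip().lower() for d in self.decoys}

    def _recipients(self, msg, envelope_rcpts):
        headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
                   + msg.get_all("Bcc", []))
        # Include envelope recipients: a Bcc'd decoy may not appear in headers.
        addrs = [addr for _, addr in getaddresses(headers)] + list(envelope_rcpts)
        return {a.strip().lower() for a in addrs if a}

    def filter_outgoing(self, raw_message, envelope_rcpts=()):
        """Return True to pass the message on, False if it was stopped."""
        msg = message_from_string(raw_message)
        hits = self._recipients(msg, envelope_rcpts) & self.decoys
        if not hits:
            return True
        # Any decoy recipient stops the whole message before it reaches the
        # network interface, holds it in the decoy inbox, and flags the host.
        self.compromised = True
        self.decoy_inbox.append(raw_message)
        self.reports.append({"host": self.host_id, "decoys": sorted(hits),
                             "subject": msg.get("Subject", "")})
        return False
```
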
17 Claims
1. At a host computer system having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a method of the host computer system detecting the presence of malware at the host computer system using a decoy contact, the method comprising:
- an act of installing a decoy contact in a contact store at a host computer system, the contact store being used by a messaging application at the host computer system;
- an act of installing a malware reporting module at the host computer system between the messaging application and a network interface that transmits messages to one or more recipients through a network, the malware reporting module being configured to intercept outgoing messages sent by the messaging application to the one or more recipients through the network prior to the outgoing messages actually reaching the network interface at the host computer system and prior to being received by the one or more recipients;
- an act of the malware reporting module at the host computer system intercepting an outgoing message subsequent to the outgoing message being sent by the messaging application and prior to the outgoing message being received at the network interface;
- an act of the malware reporting module at the host computer system identifying that the outgoing message is addressed to the decoy contact;
- based on identifying that the outgoing message is addressed to the decoy contact, an act of the malware reporting module at the host computer system stopping communication of the outgoing message, such that the outgoing message is prevented from being sent to the network interface; and
- an act of the malware reporting module at the host computer system determining that the host computer system has been compromised with malware based at least in part on identifying that the outgoing message is addressed to the decoy contact and prior to the outgoing message being communicated over the network interface.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 16
9. A computer system, comprising:
- one or more processors;
- a network interface; and
- one or more computer storage devices having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computer system to perform a method of configuring the computer system to detect the presence of a malware application at the computer system using messages addressed to a decoy contact, the method comprising:
  - identifying one or more messaging applications at the computer system;
  - identifying one or more contact stores at the computer system that are used by the one or more messaging applications;
  - adding one or more decoy contacts in any of the one or more contact stores; and
  - installing one or more malware reporting modules at the computer system between the one or more messaging applications and the network interface, the one or more malware reporting modules configured, at least in part, to intercept and filter outgoing messages sent by the one or more messaging applications prior to the outgoing messages actually reaching the network interface at the computer system, and to detect outgoing messages that are addressed to one or more of the decoy contacts and prevent the outgoing messages addressed to one or more of the decoy contacts from being sent to the network interface at the computer system.

Dependent claims: 10, 11, 12, 13, 14, 15
17. A computer storage device having computer-executable instructions stored thereon that, when executed, cause one or more processors of a host computer system to perform a method comprising:
- providing a decoy contact in a contact store at a host computer system, the contact store used by a messaging application at the host computer system;
- providing a malware module at the host computer system between the messaging application and a network interface that transmits messages to one or more recipients through a network, the malware module being configured to intercept outgoing messages sent by the messaging application to the one or more recipients through the network prior to the outgoing messages actually reaching the network interface at the host computer system and prior to being received by the one or more recipients;
- the malware module at the host computer system intercepting an outgoing message subsequent to the outgoing message being sent by the messaging application and prior to the outgoing message being received at the network interface;
- the malware module at the host computer system determining that the outgoing message is addressed to the decoy contact, and based on identifying that the outgoing message is addressed to the decoy contact, preventing the outgoing message from being sent to the network interface; and
- the malware module at the host computer system determining that the host computer system has been compromised with malware based at least in part on identifying that the outgoing message is addressed to the decoy contact and prior to the outgoing message being received at any messaging inbox, including any messaging inbox for the decoy contact.

Specification