Detecting machines compromised with malware

US 8,464,341 B2
Filed: 07/22/2008
Issued: 06/11/2013
Est. Priority Date: 07/22/2008
Status: Expired due to Fees

First Claim

Patent Images

1. At a host computer system having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a method of the host computer system detecting the presence of malware at the host computer system using a decoy contact, the method comprising:

an act of installing a decoy contact in a contact store at a host computer system, the contact store being used by a messaging application at the host computer system;

an act of installing a malware reporting module at the host computer system between the messaging application and a network interface that transmits messages to one or more recipients through a network, the malware reporting module being configured to intercept outgoing messages sent by the messaging application to the one or more recipients through the network prior to the outgoing messages actually reaching the network interface at the host computer system and prior to being received by the one or more recipients;

an act of the malware reporting module at the host computer system intercepting an outgoing message subsequent to the outgoing message being sent by the messaging application and prior to the outgoing message being received at the network interface;

an act of the malware reporting module at the host computer system identifying that the outgoing message is addressed to the decoy contact;

based on identifying that the outgoing message is addressed to the decoy contact, an act of the malware reporting module at the host computer system stopping communication of the outgoing message, such that the outgoing message is prevented from being sent to the network interface; and

an act of the malware reporting module at the host computer system determining that the host computer system has been compromised with malware based at least in part on identifying that the outgoing message is addressed to the decoy contact and prior to the outgoing message being communicated over the network interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system can be configured to identify when it has been infected with or otherwise compromised by malware, such as viruses, worms, etc. In one implementation, a computer system receives and installs one or more decoy contacts in a contact store and further installs one or more malware reporting modules that effectively filter outgoing messages. For example, a malware reporting module can redirect messages with a decoy contact address to an alternate inbox associated with the decoy contact. The same malware reporting module, or another module in the system, can also generate one or more reports indicating the presence of malware, either due to detection of the decoy contact address, or due to identifying messages in the decoy contact inbox. The host computer system that sent the message to the decoy contact can then be flagged as infected with malware.

59 Citations

View as Search Results

17 Claims

1. At a host computer system having installed thereon one or more messaging applications that send and receive messages to or from one or more contacts, a method of the host computer system detecting the presence of malware at the host computer system using a decoy contact, the method comprising:
- an act of installing a decoy contact in a contact store at a host computer system, the contact store being used by a messaging application at the host computer system;
  
  an act of installing a malware reporting module at the host computer system between the messaging application and a network interface that transmits messages to one or more recipients through a network, the malware reporting module being configured to intercept outgoing messages sent by the messaging application to the one or more recipients through the network prior to the outgoing messages actually reaching the network interface at the host computer system and prior to being received by the one or more recipients;
  
  an act of the malware reporting module at the host computer system intercepting an outgoing message subsequent to the outgoing message being sent by the messaging application and prior to the outgoing message being received at the network interface;
  
  an act of the malware reporting module at the host computer system identifying that the outgoing message is addressed to the decoy contact;
  
  based on identifying that the outgoing message is addressed to the decoy contact, an act of the malware reporting module at the host computer system stopping communication of the outgoing message, such that the outgoing message is prevented from being sent to the network interface; and
  
  an act of the malware reporting module at the host computer system determining that the host computer system has been compromised with malware based at least in part on identifying that the outgoing message is addressed to the decoy contact and prior to the outgoing message being communicated over the network interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 16)
- - 2. The method as recited in claim 1, further comprising an act of replacing the installed decoy contact with one or more new decoy contacts.
  - 3. The method as recited in claim 2, further comprising an act of the malware reporting module at the host computer system intercepting an additional outgoing message sent by the messaging application that is addressed to one or more of the new decoy contacts.
  - 4. The method as recited in claim 1, wherein identifying that the outgoing message is addressed to the decoy contact comprises identifying an address of the decoy contact in the outgoing message.
  - 5. The method as recited in claim 1, further comprising, in response to determining that the host computer system has been compromised with malware, an act of the malware reporting module halting activities of the messaging application.
  - 6. The method as recited in claim 1, wherein the installed decoy contact comprises a contact address that includes an invalid network or domain address.
  - 7. The method as recited in claim 1, further comprising:
    - an act of hiding the installed decoy contact at the host computer system, such that the installed decoy contact is invisible to a user of the host computer system, and such that the installed decoy contact is unavailable for the user to send a message.
  - 8. The method as recited in claim 1, further comprising:
    - an act of the malware reporting module forwarding the outgoing message to an inbox at the host computer system that is associated with the decoy contact.
  - 16. The method as recited in claim 8, wherein the inbox at the host computer system comprises a storage partition of a user'"'"'s traditional mailbox for the messaging application.

9. A computer system, comprising:
- one or more processors;
  
  a network interface; and
  
  one or more computer storage devices having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computer system to perform a method of configuring the computer system to detect the presence of a malware application at the computer system using messages addressed to a decoy contact, the method comprising;
  
  identifying one or more messaging applications at the computer system;
  
  identifying one or more contact stores at the computer system that are used by the one or more messaging applications;
  
  adding one or more decoy contacts in any of the one or more contact stores; and
  
  installing one or more malware reporting modules at the computer system between the one or more messaging applications and the network interface, the one or more malware reporting modules configured, at least in part, to intercept and filter outgoing messages sent by the one or more messaging applications prior to the outgoing messages actually reaching the network interface at the computer system, and to detect outgoing messages that are addressed to one or more of the decoy contacts and prevent the outgoing messages addressed to one or more of the decoy contacts from being sent to the network interface at the computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer system as recited in claim 9, wherein the one or more installed decoy contacts comprise a messaging address that directs messages to a local area network address.
  - 11. The computer system as recited in claim 10, wherein the local area network address comprises a network address for the computer system.
  - 12. The computer system as recited in claim 9, wherein the one or more installed malware reporting modules prepare one or more reports that indicate that an outgoing message has been addressed to an installed decoy contact.
  - 13. The computer system as recited in claim 9, wherein the one or more malware reporting modules are configured to halt activities by the one or more messaging applications upon detecting any outgoing message addressed to any of the one or more decoy contacts.
  - 14. The computer system as recited in claim 9, wherein the one or more contact stores comprise:
    - existing contacts created by a user of the one or more messaging applications;
      
      the one or more installed decoy contacts; and
      
      one or more addresses parsed from messages in the user'"'"'s inbox or outbox corresponding to the one or more messaging applications.
  - 15. The computer system as recited in claim 9, further comprising computer-executable instructions for instructing the one or more messaging applications to hide the one or more decoy contacts from a user of the one or more messaging applications so that the user cannot send a message to the one or more decoy contacts.

17. A computer storage device having computer-executable instructions stored thereon that, when executed, cause one or more processors of a host computer system to perform a method comprising:
- providing a decoy contact in a contact store at a host computer system, the contact store used by a messaging application at the host computer system;
  
  providing a malware module at the host computer system between the messaging application and a network interface that transmits messages to one or more recipients through a network, the malware module being configured to intercept outgoing messages sent by the messaging application to the one or more recipients through the network prior to the outgoing messages actually reaching the network interface at the host computer system and prior to being received by the one or more recipients;
  
  the malware module at the host computer system intercepting an outgoing message subsequent to the outgoing message being sent by the messaging application and prior to the outgoing message being received at the network interface;
  
  the malware module at the host computer system determining that the outgoing message is addressed to the decoy contact, and based on identifying that the outgoing message is addressed to the decoy contact, preventing the outgoing message from being sent to the network interface; and
  
  the malware module at the host computer system determining that the host computer system has been compromised with malware based at least in part on identifying that the outgoing message is addressed to the decoy contact and prior to the outgoing message being received at any messaging inbox, including any messaging inbox for the decoy contact.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cohen, Rami
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/177,355
Publication Number

US 20100024034A1
Time in Patent Office

1,785 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Detecting machines compromised with malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting machines compromised with malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links