Disabling malware that infects boot drivers
Abstract
A valid entry point for each boot driver running under an operating system is gleaned. When the operating system is rebooted, a security boot driver is loaded prior to loading other boot drivers. The security boot driver reads the actual entry points of each boot driver, before the boot drivers have run. The security boot driver compares the actual entry points to the corresponding valid entry points. Responsive to an actual entry point not matching its corresponding valid entry point, it is determined that the boot driver is infected. Infected boot drivers are corrected, by replacing their actual entry points with the corresponding, valid entry points. After infected boot drivers have been corrected, the infecting malicious code can be identified and disabled. Sections of boot drivers other than entry points can be gleaned, read and compared, up to entire boot drivers.
20 Claims
1. A computer implemented method for detecting and correcting infected boot drivers, the method comprising the steps of:
- gleaning, by a computer, a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted; wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy from which the at least one valid entry point of the at least one infected boot driver is gleaned;
- storing, by the computer, the gleaned valid entry points of each boot driver of the plurality;
- when the operating system is rebooted, loading, by the computer, a security boot driver prior to loading any of the boot drivers of the plurality;
- reading, by the security boot driver, actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run; wherein the security boot driver accesses the at least one infected boot driver and reads the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
- comparing, by the security boot driver, the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
- responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
- correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.

Dependent claims 2 to 7 are not reproduced here.

8. At least one non-transitory computer readable storage medium storing a computer program product for detecting and correcting infected boot drivers, the computer program product comprising:
- program code for gleaning a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted; wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy from which the at least one valid entry point of the at least one infected boot driver is gleaned;
- program code for storing the gleaned valid entry points of each boot driver of the plurality;
- program code for, when the operating system is rebooted, loading a security boot driver prior to loading any of the boot drivers of the plurality;
- program code for reading, by the security boot driver, actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run; wherein the security boot driver accesses the at least one infected boot driver and reads the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
- program code for comparing, by the security boot driver, the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
- program code for, responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
- program code for correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.

Dependent claims 9 to 14 are not reproduced here.

15. A computer system for detecting and correcting infected boot drivers, the computer system comprising:
- a processor;
- system memory;
- a gleaning module running in the system memory, the gleaning module being configured for gleaning a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted; wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy;
- a storing module running in the system memory, the storing module being configured for storing the gleaned valid entry points of each boot driver of the plurality;
- a security boot driver configured for being loaded into the system memory when the operating system is rebooted, prior to loading any of the boot drivers of the plurality;
- a reading module of the security boot driver, the reading module being configured for reading actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run; wherein the reading module of the security boot driver is further configured to access the at least one infected boot driver and to read the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
- a comparing module of the security boot driver, the comparing module being configured for comparing the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
- a detecting module of the security boot driver, the detecting module being configured for, responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected; and
- a correcting module of the security boot driver, the correcting module being configured for correcting the detected at least one infected boot driver by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.

Dependent claims 16 to 20 are not reproduced here.
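As an added illustration, not code from the patent or from any product, the following Python simulation walks through the claimed sequence: gleaning after boot while the infecting code diverts reads of the infected driver to its clean copy, then the security boot driver reading the undiverted on-disk entry points before any boot driver has run, comparing them to the stored values and restoring the mismatch. The BootVolume and Driver model, the driver names and the entry-point values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Driver:
    name: str
    entry_point: int                  # entry-point RVA as stored on disk (constructed value)
    clean_copy: Optional[int] = None  # clean copy the infecting code serves to on-line readers

class BootVolume:
    """Constructed stand-in for the boot volume that holds the boot drivers."""
    def __init__(self, drivers: List[Driver]):
        self.drivers = {d.name: d for d in drivers}

    def read_entry_point(self, name: str, malware_running: bool) -> int:
        d = self.drivers[name]
        # While the infecting code runs, reads of the infected driver are
        # diverted to the clean copy, so an on-line reader sees the valid value.
        if malware_running and d.clean_copy is not None:
            return d.clean_copy
        return d.entry_point

def simulate_infection(volume: BootVolume, name: str, diverted_entry: int) -> None:
    """Toy model of the claim's infection: redirect the on-disk entry point and keep a clean copy."""
    d = volume.drivers[name]
    d.clean_copy, d.entry_point = d.entry_point, diverted_entry

def glean_valid_entry_points(volume: BootVolume) -> Dict[str, int]:
    """Gleaning after boot: reads pass through the running OS, so the clean copy is what gets recorded."""
    return {n: volume.read_entry_point(n, malware_running=True) for n in volume.drivers}

def security_boot_driver_scan(volume: BootVolume, stored: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Security boot driver at reboot: it loads before any boot driver, so no
    diversion is in place; each mismatch is repaired before that driver runs."""
    corrected = []
    for name, valid in stored.items():
        actual = volume.read_entry_point(name, malware_running=False)
        if actual != valid:
            volume.drivers[name].entry_point = valid
            corrected.append((name, actual, valid))
    return corrected

def run_scenario():
    """Three constructed boot drivers; drvB.sys is infected before gleaning."""
    vol = BootVolume([Driver("drvA.sys", 0x1A00), Driver("drvB.sys", 0x2C00), Driver("drvC.sys", 0x3400)])
    simulate_infection(vol, "drvB.sys", diverted_entry=0x9F00)
    stored = glean_valid_entry_points(vol)
    corrected = security_boot_driver_scan(vol, stored)
    return stored, corrected, vol.drivers["drvB.sys"].entry_point
```

If the infecting code does not keep a clean copy to divert reads to, the post-boot glean records the already-modified entry point and the reboot comparison finds no mismatch, so the stored baseline is only as trustworthy as the source it was gleaned from.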