Disabling malware that infects boot drivers

US 8,479,292 B1
Filed: 11/19/2010
Issued: 07/02/2013
Est. Priority Date: 11/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting and correcting infected boot drivers, the method comprising the steps of:

gleaning, by a computer, a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted;

wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy from which the at least one valid entry point of the at least one infected boot driver is gleaned;

storing, by the computer, the gleaned valid entry points of each boot driver of the plurality;

when the operating system is rebooted, loading, by the computer, a security boot driver prior to loading any of the boot drivers of the plurality;

reading, by the security boot driver, actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run;

wherein the security boot driver accesses the at least one infected boot driver and reads the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;

comparing, by the security boot driver, the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;

responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and

correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A valid entry point for each boot driver running under an operating system is gleaned. When the operating system is rebooted, a security boot driver is loaded prior to loading other boot drivers. The security boot driver reads the actual entry points of each boot driver, before the boot drivers have run. The security boot driver compares the actual entry points to the corresponding valid entry points. Responsive to an actual entry point not matching its corresponding valid entry point, it is determined that the boot driver is infected. Infected boot drivers are corrected, by replacing their actual entry points with the corresponding, valid entry points. After infected boot drivers have been corrected, the infecting malicious code can be identified and disabled. Sections of boot drivers other than entry points can be gleaned, read and compared, up to entire boot drivers.

67 Citations

View as Search Results

20 Claims

1. A computer implemented method for detecting and correcting infected boot drivers, the method comprising the steps of:
- gleaning, by a computer, a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted;
  
  wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy from which the at least one valid entry point of the at least one infected boot driver is gleaned;
  
  storing, by the computer, the gleaned valid entry points of each boot driver of the plurality;
  
  when the operating system is rebooted, loading, by the computer, a security boot driver prior to loading any of the boot drivers of the plurality;
  
  reading, by the security boot driver, actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run;
  
  wherein the security boot driver accesses the at least one infected boot driver and reads the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
  
  comparing, by the security boot driver, the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
  
  responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
  
  correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein gleaning, by the computer, the valid entry point for each of the plurality of boot drivers running under the operating system after the operating system has booted further comprises:
    - reading, by the computer, an operating system component to obtain an inventory of boot drivers running under the operating system; and
      
      reading, by the computer, a valid entry point for each boot driver running under the operating system from a corresponding image on disk.
  - 3. The method of claim 1 further comprising:
    - after correcting the detected at least one infected boot driver, identifying, by the computer, the malicious code that infected the at least one infected boot driver; and
      
      disabling, by the computer, the identified malicious code.
  - 4. The method of claim 3 wherein the malicious code further comprises:
    - at least a root kit configured to infect at least one boot driver.
  - 5. The method of claim 3 wherein the malicious code further comprises:
    - at least malicious code configured to divert attempts to access at least one infected boot driver.
  - 6. The method of claim 1 further comprising:
    - gleaning, by the computer, at least one valid section of each boot driver of the plurality in addition to the valid entry point;
      
      storing, by the computer, the gleaned at least one valid additional section of each boot driver of the plurality;
      
      reading, by the security boot driver, actual at least one additional sections of each boot driver of the plurality, before the boot drivers of the plurality have run;
      
      comparing, by the security boot driver, the at least one actual additional section of each boot driver of the plurality to the stored at least one valid additional section of each boot driver of the plurality;
      
      responsive to the at least one actual additional section of the at least one infected boot driver not matching the at least one valid additional section of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
      
      correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual additional section with the at least one valid additional section, before the at least one infected boot driver runs.
  - 7. The method of claim 6 wherein the at least one additional section of each boot driver further comprises:
    - the entire boot driver.

8. At least one non-transitory computer readable storage medium storing a computer program product for detecting and correcting infected boot drivers, the computer program product comprising:
- program code for gleaning a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted;
  
  wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy from which the at least one valid entry point of the at least one infected boot driver is gleaned;
  
  program code for storing the gleaned valid entry points of each boot driver of the plurality;
  
  program code for, when the operating system is rebooted, loading a security boot driver prior to loading any of the boot drivers of the plurality;
  
  program code for reading, by the security boot driver, actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run;
  
  wherein the security boot driver accesses the at least one infected boot driver and reads the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
  
  program code for comparing, by the security boot driver, the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
  
  program code for, responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
  
  program code for correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8 wherein the program code for gleaning the valid entry point for each of the plurality of boot drivers running under the operating system after the operating system has booted further comprises:
    - program code for reading an operating system component to obtain an inventory of boot drivers running under the operating system; and
      
      program code for reading a valid entry point for each boot driver running under the operating system from a corresponding image on disk.
  - 10. The computer program product of claim 8 further comprising:
    - program code for, after correcting the detected at least one infected boot driver, identifying the malicious code that infected the at least one infected boot driver; and
      
      program code for disabling the identified malicious code.
  - 11. The computer program product of claim 10 wherein the malicious code further comprises:
    - at least a root kit configured to infect at least one boot driver.
  - 12. The computer program product of claim 10 wherein the malicious code further comprises:
    - at least malicious code configured to divert attempts to access at least one infected boot driver.
  - 13. The computer program product of claim 8 further comprising:
    - program code for gleaning at least one valid section of each boot driver of the plurality in addition to the valid entry point;
      
      program code for storing the gleaned at least one valid additional section of each boot driver of the plurality;
      
      program code for reading, by the security boot driver, actual at least one additional sections of each boot driver of the plurality, before the boot drivers of the plurality have run;
      
      program code for comparing, by the security boot driver, the at least one actual additional section of each boot driver of the plurality to the stored at least one valid additional section of each boot driver of the plurality;
      
      program code for, responsive to the at least one actual additional section of the at least one infected boot driver not matching the at least one valid additional section of the at least one infected boot driver, detecting that the at least one infected boot driver is infected, by the security boot driver; and
      
      program code for correcting the detected at least one infected boot driver, by the security boot driver, by replacing the at least one actual additional section with the at least one valid additional section, before the at least one infected boot driver runs.
  - 14. The computer program product of claim 13 wherein the at least one additional section of each boot driver further comprises:
    - the entire boot driver.

15. A computer system for detecting and correcting infected boot drivers, the computer system comprising:
- a processor;
  
  system memory;
  
  a gleaning module running in the system memory, the gleaning module being configured for gleaning a valid entry point for each of a plurality of boot drivers running under an operating system, after the operating system has booted;
  
  wherein at least one specific boot driver of the plurality has been infected by malicious code, such that attempts to access the at least one specific infected boot driver are diverted to at least one clean copy;
  
  a storing module running in the system memory, the storing module being configured for storing the gleaned valid entry points of each boot driver of the plurality;
  
  a security boot driver configured for being loaded into the system memory when the operating system is rebooted, prior to loading any of the boot drivers of the plurality;
  
  a reading module of the security boot driver, the reading module being configured for reading actual entry points of each boot driver of the plurality, before the boot drivers of the plurality have run;
  
  wherein the reading module of the security boot driver is further configured to access the at least one infected boot driver and to read the at least one actual entry point, because attempts to access the at least one infected boot driver by the security boot driver are not diverted to the at least one clean copy, because associated malicious code to perform the diversion of the access attempts has not executed;
  
  a comparing module of the security boot driver, the comparing module being configured for comparing the actual entry points of each boot driver of the plurality to the stored valid entry points of each boot driver of the plurality;
  
  a detecting module of the security boot driver, the detecting module being configured for, responsive to the at least one actual entry point of the at least one infected boot driver not matching the at least one valid entry point of the at least one infected boot driver, detecting that the at least one infected boot driver is infected; and
  
  a correcting module of the security boot driver, the correcting module being configured for correcting the detected at least one infected boot driver by replacing the at least one actual entry point with the at least one valid entry point, before the at least one infected boot driver runs.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15 wherein the gleaning module is further configured for gleaning a valid entry point for each of a plurality of boot drivers running under an operating system by:
    - reading an operating system component to obtain an inventory of boot drivers running under the operating system; and
      
      reading a valid entry point for each boot driver running under the operating system from a corresponding image on disk.
  - 17. The computer system of claim 15 further comprising:
    - a malicious code identifying module running in the system memory, the malicious code identifying module being configured for identifying the malicious code that infected the at least one infected boot driver, after the detected at least one infected boot driver has been corrected; and
      
      a malicious code disabling module running in the system memory, the malicious code disabling module being configured for disabling the identified malicious code.
  - 18. The computer system of claim 17 wherein the malicious code further comprises:
    - at least a root kit configured to infect at least one boot driver.
  - 19. The computer system of claim 15 wherein:
    - the gleaning module is further configured for gleaning at least one valid section of each boot driver of the plurality in addition to the valid entry point;
      
      the storing module is further configured for storing the gleaned at least one valid additional section of each boot driver of the plurality;
      
      the reading module is further configured for reading actual at least one additional sections of each boot driver of the plurality, before the boot drivers of the plurality have run;
      
      the comparing module is further configured for comparing the at least one actual additional section of each boot driver of the plurality to the stored at least one valid additional section of each boot driver of the plurality;
      
      the detecting module is further configured for detecting, responsive to the at least one actual additional section of the at least one infected boot driver not matching the at least one valid additional section of the at least one infected boot driver, that the at least one infected boot driver is infected; and
      
      the correcting module is further configured for correcting the detected at least one infected boot driver by replacing the at least one actual additional section with the at least one valid additional section, before the at least one infected boot driver runs.
  - 20. The computer system of claim 19 wherein the at least one additional section of each boot driver further comprises:
    - the entire boot driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Linhardt, Peter
Primary Examiner(s)
Nalven, Andrew L
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US12/950,785
Time in Patent Office

956 Days
Field of Search

713/1, 713/2, 713164-167, 713/188, 726/22, 726/23, 726/24, 726/25, 717/126, 717/127, 717/129
US Class Current

726/23
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Disabling malware that infects boot drivers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Disabling malware that infects boot drivers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links