Systems and methods for blocking and removing internet-traversing malware

US 8,739,284 B1
Filed: 01/06/2010
Issued: 05/27/2014
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for blocking and removing Internet-traversing malware, the method comprising:

identifying, at a computing device of a user that comprises at least one processor, a cookie file that was created by a web browser installed on the computing device and that contains session information that is used to access an account of the user;

identifying, at the computing device, an attempt by the web browser executing on the computing device to access the cookie file;

determining that the web browser is attempting to access the cookie file on behalf of an executable object;

determining, at the computing device, that the executable object is not authorized to access the cookie file by;

generating a score based at least in part on at least one of;

multiple characteristics of the executable object that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;

multiple characteristics of the web browser'"'"'s attempt to access the cookie file that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;

determining that the score exceeds a predetermined threshold; and

in response to determining that the executable object is not authorized to access the cookie file, blocking the attempt by the web browser to access the cookie file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for blocking and removing Internet-traversing malware may include: 1) identifying a persistent storage object of an Internet client application, 2) identifying an attempt by an executable object to access the persistent storage object, 3) determining that the executable object is not authorized to access the persistent storage object, and then 4) performing a security action based on the determination. Various other methods, systems, and computer-readable media are also disclosed.

51 Citations

View as Search Results

17 Claims

1. A computer-implemented method for blocking and removing Internet-traversing malware, the method comprising:
- identifying, at a computing device of a user that comprises at least one processor, a cookie file that was created by a web browser installed on the computing device and that contains session information that is used to access an account of the user;
  
  identifying, at the computing device, an attempt by the web browser executing on the computing device to access the cookie file;
  
  determining that the web browser is attempting to access the cookie file on behalf of an executable object;
  
  determining, at the computing device, that the executable object is not authorized to access the cookie file by;
  
  generating a score based at least in part on at least one of;
  
  multiple characteristics of the executable object that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  multiple characteristics of the web browser'"'"'s attempt to access the cookie file that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  determining that the score exceeds a predetermined threshold; and
  
  in response to determining that the executable object is not authorized to access the cookie file, blocking the attempt by the web browser to access the cookie file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein blocking the attempt by the web browser to access the cookie file comprises changing security settings of the web browser to block the web browser from accessing the cookie file.
  - 3. The computer-implemented method of claim 2, wherein changing the security settings of the web browser to block the web browser from accessing the cookie file comprises at least one of:
    - preventing the web browser from using cookies;
      
      preventing the web browser from using cookie files.
  - 4. The computer-implemented method of claim 1, wherein the executable object comprises at least a portion of at least one of:
    - an application;
      
      a library;
      
      a plug-in;
      
      a process.
  - 5. The computer-implemented method of claim 1, wherein identifying the attempt by the web browser to access the cookie file comprises intercepting an attempt by the web browser to access the cookie file via a file system of the computing device.
  - 6. The computer-implemented method of claim 1, wherein determining that the web browser is attempting to access the cookie file on behalf of the executable object comprises analyzing an execution stack of the web browser.
  - 7. The computer-implemented method of claim 1, further comprising at least one of:
    - flagging the executable object as potentially malicious;
      
      quarantining the executable object;
      
      removing the executable object.
  - 8. The computer-implemented method of claim 1, wherein the executable object is a web-browser plug-in and the method further comprises disabling the web-browser plug-in.
  - 9. The computer-implemented method of claim 1, wherein identifying the cookie file comprises monitoring a storage location on the computing device that contains cookie files generated by the web browser.
  - 10. The computer-implemented method of claim 1, wherein identifying the attempt by the web browser to access the cookie file comprises at least one of:
    - determining that the executable object is directly responsible for initiating the attempt to access the cookie file;
      
      determining that the executable object comprises a parent process of a process that initiated the attempt to access the cookie file;
      
      determining that the executable object was the last in a chain of applications to execute instructions that initiated the attempt to access the cookie file.

11. A system for blocking and removing Internet-traversing malware, the system comprising:
- at least one hardware processor programmed to;
  
  identify a cookie file that was created by a web browser installed on the system and that contains session information that is used to access an account of a user;
  
  identify an attempt by the web browser executing on the system to access the cookie file;
  
  determine that the web browser is attempting to access the cookie file on behalf of an executable object;
  
  determine that the executable object is not authorized to access the cookie file by;
  
  generating a score based at least in part on at least one of;
  
  multiple characteristics of the executable object that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  multiple characteristics of the web browser'"'"'s attempt to access the cookie file that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  determining that the score exceeds a predetermined threshold; and
  
  in response to determining that the executable object is not authorized to access the cookie file, block the attempt by the web browser to access the cookie file.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the hardware processor is programmed to block the attempt by the web browser to access the cookie file by changing security settings of the web browser to block the web browser from accessing the cookie file.
  - 13. The system of claim 12, wherein the hardware processor is programmed to change the security settings of the web browser to block the web browser from accessing the cookie file by at least one of:
    - preventing the web browser from using cookies;
      
      preventing the web browser from using cookie files.
  - 14. The system of claim 11, wherein the executable object comprises at least a portion of at least one of:
    - an application;
      
      a library;
      
      a plug-in;
      
      a process.
  - 15. The system of claim 11, wherein the hardware processor is programmed to identify the attempt by the web browser to access the cookie file by intercepting an attempt by the web browser to access the cookie file via a file system of the system.
  - 16. The system of claim 11, wherein the hardware processor is programmed to determine that the web browser is attempting to access the cookie file on behalf of the executable object by analyzing an execution stack of the web browser.

17. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a cookie file that was created by a web browser installed on the computing device and that contains session information that is used to access an account of a user;
  
  identify an attempt by the web browser executing on the computing device to access the cookie file;
  
  determine that the web browser is attempting to access the cookie file on behalf of an executable object;
  
  determine that the executable object is not authorized to access the cookie file by;
  
  generating a score based at least in part on at least one of;
  
  multiple characteristics of the executable object that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  multiple characteristics of the web browser'"'"'s attempt to access the cookie file that indicate that the executable object'"'"'s attempt to access the cookie file is unauthorized;
  
  determining that the score exceeds a predetermined threshold; and
  
  in response to determining that the executable object is not authorized to access the cookie file, block the attempt by the web browser to access the cookie file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gardner, Patrick
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HO, DAO Q

Application Number

US12/683,168
Time in Patent Office

1,602 Days
Field of Search

726/17, 726/24, 726 26- 27
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

H04L 63/145   the attack involving the pr...

Systems and methods for blocking and removing internet-traversing malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for blocking and removing internet-traversing malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links