Identifying exploitation of vulnerabilities using error report
Abstract
A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer, but also which vulnerability a particular exploit was attempting to use to subvert a security mechanism in order to install the malware. A system monitor may collect both error reports and information about each error report, such as geographic location, hardware configuration, and software/operating system version, to build a profile of the spread of an attack and to issue notifications requesting increased data collection for errors, including crashes, related to services suspected of being under attack.
66 Citations
20 Claims
1. A computer-implemented method of computer forensics to determine whether an error report contains evidence of an attempted exploit, the method comprising:
- obtaining the error report generated by a computing system and including error data related to one or more errors within the computing system;
- scanning, with a computer processor, the error report for a memory pattern indicative of an unsuccessful attempt to subvert a security mechanism of the computing system;
- scanning, with the computer processor, the error report for exception information indicative of a point of attack within the computing system of the unsuccessful attempt to subvert the security mechanism; and
- recording, with the computer processor, forensic data associated with a result of any of the scanning steps onto a computer-readable storage medium.
Dependent claims: 2 to 12.
13. A system for collecting and managing error report data that determines when an attempted exploit has taken place on one or more networked computers, the system comprising:
- a network connection for receiving error report data from a plurality of networked computers, the error report data being related to occurrence of one or more errors within one or more of the plurality of networked computers;
- a data store for collecting the error report data from the plurality of networked computers;
- a notification module responsive to an identification of a successful exploit and to an identification of an unsuccessful exploit in a service of one of the plurality of networked computers that sends a notice to each of the plurality of computers to collect and forward maximal error data associated with the service;
- a data collection module that obtains state data regarding a configuration of the one of the plurality of computers; and
- an analysis module that analyzes the error report data in the data store and state data to produce the identification of the successful exploit, if the exploit is successful, and the unsuccessful exploit, if the exploit is unsuccessful, in the service.
Dependent claims: 14 to 18.
19. A computer-implemented method of performing computer forensics to determine whether an error report contains evidence of an exploit, the method comprising:
- receiving an error report file including error data related to one or more errors within a computing system;
- performing exploit analysis on the error report, even though the exploit was unsuccessful and even when the error report reflects a known-benign error condition, the exploit analysis comprising:
  - scanning, with a computer processor, the error report for a known exploit at an executable memory location;
  - scanning, with the processor, the error report for a memory pattern indicative of NOP sleds;
  - scanning, with the processor, the error report for a memory pattern indicative of a decoder loop;
  - scanning, with the processor, the error report for a memory pattern indicative of each of a malicious text, a malicious string, and a malicious binary sequence;
  - scanning, with the processor, the error report for evidence of a disabled defense program;
  - scanning, with the processor, the error report for a memory pattern indicative of a hijacked control structure;
  - examining, with the processor, exception information for a location of a vulnerability that indicates a point of attack; and
- reporting one of the error report file and the result of the exploit analysis to a system monitor via a network connection.
Dependent claims: 20.
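The scanning steps that claims 1 and 19 describe (a memory-pattern scan for a NOP sled and for a hijacked control structure, an exception-information scan that locates the point of attack, and recording of forensic data), as an added illustration in Python that is not part of the patent or of any product built on it. The crash report layout, all addresses and bytes, the module name `example_service.dll`, and the two thresholds `NOP_SLED_MIN` and `PTR_REPEAT_MIN` are constructed assumptions; a real implementation would read these fields from a minidump or core file.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# All addresses, bytes, module names and thresholds below are constructed for
# this illustration; they are not taken from any real crash dump or product.

@dataclass
class MemoryRegion:
    base: int
    data: bytes
    executable: bool          # page permission as recorded by the crash reporter

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.data)

@dataclass
class ErrorReport:
    exception_code: int       # e.g. 0xC0000005, an access violation
    exception_address: int    # instruction pointer at the fault
    fault_was_execute: bool   # execute-type fault (DEP/NX) rather than read/write
    faulting_module: str
    regions: List[MemoryRegion]

@dataclass
class ForensicRecord:
    findings: List[str] = field(default_factory=list)
    nop_sled: Optional[Dict] = None
    hijack: Optional[Dict] = None
    point_of_attack: Optional[Dict] = None

    def suspicious(self) -> bool:
        return bool(self.findings)

NOP_SLED_MIN = 32   # assumed threshold: a run this long of 0x90 is unusual in data pages
PTR_REPEAT_MIN = 4  # assumed threshold: one pointer repeated this often in data is unusual

def find_nop_sled(data: bytes, min_len: int = NOP_SLED_MIN) -> Optional[tuple]:
    """Longest run of single-byte NOPs (0x90) of at least min_len, as (offset, length)."""
    best = None
    for m in re.finditer(rb"\x90{%d,}" % min_len, data):
        length = m.end() - m.start()
        if best is None or length > best[1]:
            best = (m.start(), length)
    return best

def region_for(report: ErrorReport, addr: int) -> Optional[MemoryRegion]:
    return next((r for r in report.regions if r.contains(addr)), None)

def analyze(report: ErrorReport) -> ForensicRecord:
    rec = ForensicRecord()
    # Memory-pattern scan: a NOP sled staged in a page that is not executable is
    # consistent with a payload that a mitigation (DEP/NX) stopped from running.
    for r in report.regions:
        hit = find_nop_sled(r.data)
        if hit:
            off, length = hit
            rec.nop_sled = {"address": hex(r.base + off), "length": length,
                            "executable_region": r.executable}
            rec.findings.append("nop_sled")
            break
    # Memory-pattern scan for a hijacked control structure: the faulting address
    # repeated as a little-endian pointer in a data region suggests a saved return
    # address or handler pointer was overwritten with that value.
    ptr = report.exception_address.to_bytes(4, "little")
    for r in report.regions:
        n = r.data.count(ptr)
        if n >= PTR_REPEAT_MIN and not r.executable:
            rec.hijack = {"pointer": hex(report.exception_address), "repeats": n,
                          "region_base": hex(r.base)}
            rec.findings.append("repeated_pointer")
            break
    # Exception-information scan: an execute fault inside a non-executable region
    # is the blocked attempt itself; the faulting module names the point of attack.
    region = region_for(report, report.exception_address)
    if report.fault_was_execute and region is not None and not region.executable:
        rec.point_of_attack = {"exception_code": hex(report.exception_code),
                               "exception_address": hex(report.exception_address),
                               "module": report.faulting_module}
        rec.findings.append("execute_fault_in_data_region")
    return rec

# Constructed sample reports: one crash that carries exploit residue and one
# ordinary read fault inside the service's own code.
_STACK_BASE = 0x0012F000
_SLED_ADDR = _STACK_BASE + 64
ATTACK_REPORT = ErrorReport(
    exception_code=0xC0000005, exception_address=_SLED_ADDR, fault_was_execute=True,
    faulting_module="example_service.dll",  # placeholder module name
    regions=[
        MemoryRegion(0x00401000, b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 4 + b"\xc3", True),
        MemoryRegion(_STACK_BASE,
                     b"A" * 64 + b"\x90" * 48 + b"\xcc" * 16 + _SLED_ADDR.to_bytes(4, "little") * 8,
                     False),
    ],
)
BENIGN_REPORT = ErrorReport(
    exception_code=0xC0000005, exception_address=0x00401003, fault_was_execute=False,
    faulting_module="example_service.dll",
    regions=[MemoryRegion(0x00401000, b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 26, True),
             MemoryRegion(_STACK_BASE, b"\x00" * 128, False)],
)

if __name__ == "__main__":
    for name, rpt in (("attack", ATTACK_REPORT), ("benign", BENIGN_REPORT)):
        print(name, analyze(rpt))
```

The returned `ForensicRecord` is the "forensic data" the claims say should be recorded; a collector would serialize it alongside the original report and, following claim 13, a monitor could count such records per `faulting_module` to decide which service warrants maximal error-data collection from the other machines.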