Instant messaging malware protection

US 8,850,569 B1
Filed: 04/15/2008
Issued: 09/30/2014
Est. Priority Date: 04/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method of preventing transmission of malware-created instant messages comprising:

detecting that an active instant messaging (IM) window, specifically for entering text, has been opened on a computing device;

detecting a first text being typed into the active IM window by a human being using a keyboard;

copying the first text or a first timestamp associated with said first text into a data storage area on said computing device, said data storage area including a stored text or a stored timestamp of all instant messages typed into an active IM window on said computing device;

intercepting an IM packet before the IM packet is transmitted from the computing device onto a network;

parsing the IM packet to obtain a second text or a second timestamp;

determining whether the second text or the second timestamp matches respectively with a text or a timestamp stored in the data storage area; and

blocking transmission of the IM packet from said computing device when the second text is determined not to match or when the second timestamp is determined not to match.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device capable of instant messaging (IM) contains IM anti-malware software for preventing the transmission of malware-created IMs and opening potentially harmful IMs that it receives. When transmitting an IM, the software checks to ensure that the message being sent was created by the user (a human being) and not by IM malware, such as an IM BOT. This is done by copying details of a message as it is being typed by a user into a database and searching for that data before an IM is transmitted from the device. The software also ensures that when it receives an IM from an outside source, that the message contains a special encrypted signal that was inserted into the message by the source when the source has determined that the message was created by a human being. If the special signal is not found, it is presumed that the message was created by malware and may be discarded. Ensuring that an IM message is created by a human being is by leveraging a feature in IM client software that provides the name of the person typing the message as the message is being created.

Citations

19 Claims

1. A method of preventing transmission of malware-created instant messages comprising:
- detecting that an active instant messaging (IM) window, specifically for entering text, has been opened on a computing device;
  
  detecting a first text being typed into the active IM window by a human being using a keyboard;
  
  copying the first text or a first timestamp associated with said first text into a data storage area on said computing device, said data storage area including a stored text or a stored timestamp of all instant messages typed into an active IM window on said computing device;
  
  intercepting an IM packet before the IM packet is transmitted from the computing device onto a network;
  
  parsing the IM packet to obtain a second text or a second timestamp;
  
  determining whether the second text or the second timestamp matches respectively with a text or a timestamp stored in the data storage area; and
  
  blocking transmission of the IM packet from said computing device when the second text is determined not to match or when the second timestamp is determined not to match.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as recited in claim 1 wherein the data storage area is an IM operation detail database having one or more IM operation detail records.
  - 3. A method as recited in claim 2 wherein the copying step further comprises storing the first text in an IM text field of an IM operation detail record.
  - 4. A method as recited in claim 1 further comprising:
    - allowing transmission of the IM packet when the second text and the first text are determined to match or when the second timestamp and the first timestamp are determined to match.
  - 5. The method as recited in claim 1 further comprising:
    - storing a property of the first text in the data storage area, wherein the property is a timestamp, metadata of an attached file, an IM type, or sender name;
      
      parsing the IM packet to obtain a property of the second text;
      
      determining whether the property of the second text matches the property of the first text stored in the data storage area; and
      
      blocking transmission of the IM packet when the property of the second text and the property of the first text are determined not to match.
  - 6. A method as recited in claim 1 wherein said data storage area does not include information regarding instant messages that have not been typed into an active IM window on said computing device.

7. A method of preventing a message of instant messaging (IM) from infecting a computing device, the method comprising:
- receiving the message at the computing device from a transmitting device;
  
  determining whether the message includes non-secret text indicating that the transmitting device includes an IM anti-malware software;
  
  determining whether the message includes an embedded encrypted secret code wherein the encrypted secret code is generated at the transmitting device by an encryption software of the IM anti-malware software;
  
  preventing the message from being opened on the computing device when the transmitting device is determined to include the IM anti-malware software and when the encrypted secret code is determined to be not found in the message,wherein the encrypted secret code is embedded into the message at the transmitting device if the transmitting device determines that a human being created the message, such that the encrypted secret code is transmitted, in the message, from the IM anti-malware software in the transmitting device to the computing device.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A method as recited in claim 7 wherein the transmitting device determines whether a human being created the message by determining whether an IM window on the transmitting device was active immediately before the message was transmitted.
  - 9. A method as recited in claim 7 wherein an IM sender name appears in an IM window displayed on the transmitting device and wherein the IM anti-malware software on the transmitting device determines that the message was created by a human being when the IM sender name is provided to the IM anti-malware software on the transmitting device by an IM client on the transmitting device to indicate that the message was created by a human being.
  - 10. The method as recited in claim 7 wherein the transmitting device determines whether a human being created the message by detecting whether the message is being typed on a keyboard of said transmitting device.
  - 11. The method as recited in claim 7 wherein the encrypted secret code is not embedded into the message when the transmitting device determines that a human being did not create the message.

12. A method of preventing a message of instant messaging (IM) from infecting a computing device, the method comprising:
- inserting a non-secret text in the message indicating a presence of an IM anti-malware software on a transmitting device;
  
  determining whether a human being created the message on the transmitting device;
  
  embedding an encrypted secret code in the message when it is determined that the human being created the message, wherein the encrypted secret code is generated by an encryption software of the IM anti-malware software; and
  
  transmitting the message from the transmitting device to the computing device, wherein the computing device can determine that the message was not created by the human being when the non-secret text is found in the message and the encrypted secret code is not found in the message.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method as recited in claim 12 wherein the determining step comprises:
    - determining whether a human being created the message by determining whether an IM window on the transmitting device was active immediately before the message is to be transmitted.
  - 14. The method as recited in claim 12 wherein the determining step comprises:
    - receiving a message from an IM client on the transmitting device indicating that the message was created by a human being.
  - 15. The method as recited in claim 12 further comprising:
    - determining whether a human being created the message by determining whether the message is being typed on a keyboard of said computing device.
  - 16. The method as recited in claim 12 further comprising:
    - not embedding said encrypted secret code when it is determined that the human being did not create the message.

17. A method of preventing transmission of malware-created instant messages comprising:
- detecting that an active instant messaging (IM) window, specifically for entering text, has been opened on a computing device;
  
  detecting a first text being typed into the active IM window by a human being using a keyboard;
  
  copying the first text or a first timestamp associated with said first text into a data storage area on said computing device, said data storage area including a stored text or a stored timestamp of all instant messages typed into an active IM window on said computing device;
  
  intercepting an IM packet before the IM packet is transmitted from the computing device onto a network;
  
  parsing the IM packet to obtain a second text or a second timestamp;
  
  determining whether the second text or the second timestamp matches respectively with the first text or the first timestamp stored in the data storage area; and
  
  allowing transmission of the IM packet from the computing device when the second text and the first text are determined to match or when the second timestamp and the first timestamp are determined to match.
- View Dependent Claims (18, 19)
- - 18. A method as recited in claim 17 wherein said data storage area does not include information regarding instant messages that have not been typed into an active IM window on said computing device.
  - 19. A method as recited in claim 17 further comprising:
    - blocking transmission of the IM packet from said computing device when the second text is determined not to match or when the second timestamp is determined not to match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Yang, Shun-Fa, Chen, Wei-Chin, Huang, Chih-Jung, Lai, Cheng-Jyun, Chen, Kevin Chien-Yu
Primary Examiner(s)
Vostal, Ondrej

Application Number

US12/103,124
Time in Patent Office

2,359 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 21/54   by adding security routines...

G06F 21/56   Computer malware detection ...

G06F 21/64   Protecting data integrity, ...

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Instant messaging malware protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Instant messaging malware protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links