Method and apparatus for disrupting the command and control infrastructure of hostile programs

US 8,869,268 B1
Filed: 10/24/2007
Issued: 10/21/2014
Est. Priority Date: 10/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method for securing a computer, comprising:

transmitting, by the computer, suspect command and control data to a control center, whereinthe suspect command and control data includes a reference to a domain name server (DNS) service, andthe control center is configured toanalyze the suspect command and control data, andupdate a command and control infrastructure library, if the suspect command and control data is identified as hostile;

detecting by the computer, a hostile program stored on the computer, whereinthe hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,the detecting the reference to the DNS service in the suspect command and control data is performed prior to the suspect command and control data being submitted to a DNS server,the hostile program is configured to be controlled by a hostile command and control infrastructure, andthe hostile command and control infrastructure is associated with a hostile computer; and

disrupting by the computer, the hostile command and control infrastructure, whereinthe disrupting comprises impairing communication with the hostile program.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for securing a computer is described. The method and apparatus comprise detecting one or more hostile programs residing upon a computer using a command and control infrastructure library and disrupting a command and control infrastructure of the one or more hostile programs.

Citations

24 Claims

1. A method for securing a computer, comprising:
- transmitting, by the computer, suspect command and control data to a control center, whereinthe suspect command and control data includes a reference to a domain name server (DNS) service, andthe control center is configured toanalyze the suspect command and control data, andupdate a command and control infrastructure library, if the suspect command and control data is identified as hostile;
  
  detecting by the computer, a hostile program stored on the computer, whereinthe hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,the detecting the reference to the DNS service in the suspect command and control data is performed prior to the suspect command and control data being submitted to a DNS server,the hostile program is configured to be controlled by a hostile command and control infrastructure, andthe hostile command and control infrastructure is associated with a hostile computer; and
  
  disrupting by the computer, the hostile command and control infrastructure, whereinthe disrupting comprises impairing communication with the hostile program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23, 24)
- - 2. The method of claim 1, further comprising:
    - creating the command and control infrastructure library, if the suspect command and control data is identified as hostile.
  - 3. The method of claim 2, wherein the creating comprises identifying at least one ofa domain name,an internet protocol address, ora machine access code address that forms the portion of a hostile command and control infrastructure.
  - 4. The method of claim 2, wherein the disrupting further comprises disrupting a connection between the hostile program and the hostile computer.
  - 5. The method of claim 4, wherein the disrupting, by the computer, further comprises disrupting a request for the DNS service related to a domain name within the command and control infrastructure library.
  - 6. The method of claim 5, wherein the disrupting, by the computer, further comprises polling cached information for the request for the DNS service related to the domain name within the command and control infrastructure library.
  - 7. The method of claim 5, wherein the disrupting, by the computer, further comprises rejecting the request for the DNS service related to the domain name within the command and control infrastructure library.
  - 8. The method of claim 5, whereinthe disrupting, by the computer, further comprising establishing a plurality of unacceptable domain names,the plurality of unacceptable domain names comprisesat least one domain name within the command and control infrastructure library, andcomparing the request for the DNS service to the plurality of unacceptable domain names.
  - 9. The method of claim 5, wherein the disrupting, by the computer, further comprisesmonitoring at least one DNS query;
    - anddetecting that the DNS query is related to a domain within the command and control infrastructure library.
  - 10. The method of claim 9, wherein the disrupting, by the computer, further comprises preventing transmission of the DNS query from the computer to the DNS server.
  - 11. The method of claim 9, wherein the disrupting, by the computer, further comprises preventing transmission of a response to the DNS query from the DNS server to the computer.
  - 12. The method of claim 1, further comprising creating an activity-based signature for the hostile program.
  - 21. The method of claim 1, whereinthe suspect control and command data comprises a DNS query,the detecting, by the computer, further comprisesthe computer detecting that the reference to the DNS service in the DNS query matches the information in the command and control infrastructure library, andthe computer detecting the reference to the DNS service in the DNS query is performed prior to the DNS query being submitted to the DNS server.
  - 22. The method of claim 21, whereinthe suspect control and command data further comprises data of a DNS cache, andthe detecting, by the computer, further comprisesthe computer detecting that the reference to the DNS service in the data of the DNS cache matches the information in the command and control infrastructure library.
  - 23. The method of claim 1, whereinthe reference to the DNS service indicates the DNS service is being performed using the DNS server.
  - 24. The method of claim 1, whereinthe hostile computer and the computer are separate computers, andthe hostile computer and the computer are communicatively coupled together via a network.

13. An apparatus comprising:
- a non-transitory computer-readable memory; and
  
  a processor coupled to the non-transitory computer-readable memory, whereinthe processor is configured totransmit suspect command and control data to a control center, whereinthe suspect command and control data includes a reference to a domain name server (DNS) service, andthe control center is configured to
  
  analyze the suspect command and control data, and
  
  update a command and control infrastructure library, if the suspect command and control data is identified as hostile;
  
  detect a hostile program stored on the non-transitory computer-readable memory, whereinthe hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,the processor is configured to perform the detecting the reference to the DNS service in the suspect command and control data prior to the command and control data being submitted to a DNS server,the hostile program is configured to be controlled by a hostile command and control infrastructure, andthe hostile command and control infrastructure is associated with a hostile computer; and
  
  disrupt the hostile command and control infrastructure, whereinthe disrupting the hostile command and control infrastructure comprises impairing communication with the hostile program.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13, wherein the disrupting, by the computer, further comprises disrupting a query for the DNS service related to a domain name within the hostile command and control infrastructure.
  - 15. The apparatus of claim 13, wherein the processor is further configured to produce at least one of a snapshot of a memory of a computer or a hash value for each process in operation within the computer.

16. A non-transitory computer-readable storage medium storing instructions executable by a processor, wherein the instructions, when executed, perform a method comprising:
- transmitting suspect command and control data to a control center, whereinthe suspect command and control data includes a reference to a domain name server (DNS) service, andthe control center is configured toanalyze the suspect command and control data, andupdate a command and control infrastructure library, if the suspect command and control data is identified as hostile;
  
  detecting a hostile program stored on the non-transitory computer-readable storage medium, whereinthe hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,the detecting the reference to the DNS service in the suspect command and control data is performed prior to the suspect command and control data being submitted to a DNS server,the hostile program is configured to be controlled by a hostile command and control infrastructure, andthe hostile command and control infrastructure is associated with a hostile computer;
  
  disrupting the hostile command and control infrastructure, whereinthe disrupting comprises impairing communication with the hostile program.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the control center generates an activity-based signature for the hostile command and control infrastructure of the hostile program and integrates the activity-based signature into a security policy.
  - 18. The non-transitory computer-readable storage medium of claim 16, further comprising:
    - monitoring a DNS query from the DNS server,detecting that the DNS query is related to a domain within the hostile command and control infrastructure, andpreventing transmission of a response to the DNS query from the DNS server.
  - 19. The non-transitory computer-readable storage medium of claim 16, further comprising:
    - monitoring a DNS query from a DNS client,detecting that the DNS query is related to a domain within the command and control infrastructure library, andpreventing transmission of the DNS query to the DNS server.
  - 20. The non-transitory computer-readable storage medium of claim 16, further comprising:
    - polling cached information for at least one DNS query related to a domain name within the hostile command and control infrastructure library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Barger, Richard
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Debnath, Suman

Application Number

US11/864,699
Time in Patent Office

2,554 Days
Field of Search

726/14, 726 22- 25, 709/217, 709/224, 709/225
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

Method and apparatus for disrupting the command and control infrastructure of hostile programs

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for disrupting the command and control infrastructure of hostile programs

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links