System and method for below-operating system modification of malicious code on an electronic device

US 8,925,089 B2
Filed: 03/29/2011
Issued: 12/30/2014
Est. Priority Date: 03/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method for securing an electronic device, comprising:

detecting, at a higher priority than all of one or more operating systems of the electronic device, presence of malicious code;

determining whether the malicious code is included in an operating system component;

in response to detecting the presence of malicious code in the operating system component, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code with trusted code for the operating system component;

in response to detecting the presence of malicious code as residing outside of operating system components, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates;

wherein;

the modification includes insertion of a call to an operating system exit routine; and

detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between an internal operating system monitor and external operating system monitor outside of the operating system;

determining whether the malicious code is embodied in storage of the electronic device;

performing corrective action upon the malicious code in storage of the electronic device based upon a determination that the malicious code is embodied in storage of the electronic device;

identifying a related portion of memory associated with a memory location of the malicious code; and

performing corrective action upon the related portion of memory.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for securing an electronic device, may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect presence of malicious code, and in response to detecting presence of the malicious code, modify the malicious code.

117 Citations

13 Claims

1. A method for securing an electronic device, comprising:
- detecting, at a higher priority than all of one or more operating systems of the electronic device, presence of malicious code;
  
  determining whether the malicious code is included in an operating system component;
  
  in response to detecting the presence of malicious code in the operating system component, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code with trusted code for the operating system component;
  
  in response to detecting the presence of malicious code as residing outside of operating system components, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates;
  
  wherein;
  
  the modification includes insertion of a call to an operating system exit routine; and
  
  detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between an internal operating system monitor and external operating system monitor outside of the operating system;
  
  determining whether the malicious code is embodied in storage of the electronic device;
  
  performing corrective action upon the malicious code in storage of the electronic device based upon a determination that the malicious code is embodied in storage of the electronic device;
  
  identifying a related portion of memory associated with a memory location of the malicious code; and
  
  performing corrective action upon the related portion of memory.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein modifying the malicious code includes modifying the malicious code as embodied in storage of the electronic device.
  - 3. The method of claim 2, wherein modifying the malicious code as embodied in storage of the electronic device comprises:
    - referencing collected information regarding a relationship of content stored in the memory to corresponding content stored in the storage; and
      
      modifying content in a location of storage corresponding to a location of the memory having the malicious code.
  - 4. The method of claim 1, wherein modifying the malicious code includes modifying the malicious code'"'"'s access to the memory or other resources of the electronic device to deny the malicious code any access to the memory or other resources of the electronic device.

5. A system for securing an electronic device, comprising:
- a memory;
  
  a processor;
  
  one or more operating systems residing in the memory for execution by the processor; and
  
  a security agent configured to execute on the electronic device at a higher priority than all of the operating systems of the electronic device, and further configured to;
  
  detect presence of malicious code;
  
  determine whether the malicious code infects an operating system component;
  
  in response to detecting presence of the malicious code infection in the operating system component, modify the malicious code with trusted code for the operating system component;
  
  in response to detecting the presence of the malicious code beyond the operating system component, modify the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates by inserting a call to an operating system exit routine, wherein;
  
  detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between file writes monitored by an internal operating system monitor and file writes monitored by an external operating system monitor residing outside of the operating system;
  
  determine whether storage of the electronic device also includes the malicious code;
  
  performing corrective action upon storage of the electronic device based upon a determination that the storage includes the malicious code;
  
  identify a portion of memory contiguous with a memory location of the malicious code; and
  
  performing corrective action for the malicious code upon a physical memory location translated from the portion of memory.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein modifying the malicious code includes modifying the malicious code as embodied in storage of the electronic device.
  - 7. The system of claim 6, wherein modifying the malicious code as embodied in storage of the electronic device comprises:
    - referencing collected information regarding a relationship of content stored in the memory to corresponding content stored in the storage; and
      
      modifying content in a location of storage corresponding to a location of the memory having the malicious code.
  - 8. The system of claim 5, wherein modifying the malicious code includes modifying the malicious code'"'"'s access to the memory or other resources of the electronic device to deny the malicious code any access to the memory or other resources of the electronic device.

9. An article of manufacture, comprising:
- a non-transitory computer readable medium;
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a level below higher priority than all of one or more operating systems of an electronic device;
  
  detect presence of malicious code in the memory or storage of electronic device;
  
  determine whether the malicious code has infected an operating system component;
  
  in response to detecting the presence of the malicious code and that the malicious code has infected the operating system component, modify the malicious code by adding trusted code in the operating system component;
  
  in response to detecting the presence of the malicious code and that the operating system component is free from the malicious code, modify the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates by adding a call to an operating system exit routine, wherein;
  
  detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between file writes monitored by an internal operating system monitor and file writes monitored by an external operating system monitor residing outside of the operating system;
  
  determine whether storage of the electronic device includes the malicious code;
  
  perform corrective action upon the storage of the electronic device for the malicious code based upon a determination that the storage includes the malicious code;
  
  identify a related portion of memory associated with a memory location of the malicious code; and
  
  perform corrective action upon the related portion of memory.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The article of claim 9, wherein modifying the malicious code includes modifying the malicious code as embodied in storage of the electronic device.
  - 11. The article of claim 10, wherein modifying the malicious code as embodied in storage of the electronic device comprises:
    - referencing collected information regarding a relationship of content stored in the memory to corresponding content stored in the storage; and
      
      modifying content in a location of storage corresponding to a location of the memory having the malicious code.
  - 12. The article of claim 9, wherein modifying the malicious code includes modifying the malicious code'"'"'s access to the memory or other resources of the electronic device to deny the malicious code any access to the memory or other resources of the electronic device.
  - 13. The system of claim 9, wherein the processor is further caused to identify other portions of the memory potentially having malicious code based on physical memory address of the detected malicious code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US13/074,925
Publication Number

US 20120255013A1
Time in Patent Office

1,372 Days
Field of Search

726 22- 25
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/564   by virus signature recognition

G06F 21/568   eliminating virus, restorin...

System and method for below-operating system modification of malicious code on an electronic device

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

System and method for below-operating system modification of malicious code on an electronic device

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others