Generic RootKit detector

US 7,647,636 B2
Filed: 08/24/2005
Issued: 01/12/2010
Est. Priority Date: 08/24/2005
Status: Active Grant

First Claim

Patent Images

1. In a computer that includes a memory, a single operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method, which is implemented by the computer, comprising:

obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;

obtaining properties of the second version of the library that is stored in a protected state on the storage device;

comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of a call address obtained from a component of the single operating system using data from the first version of a library with a value of the call address calculated from an offset value obtained from the second version of the library;

determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and

wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call;

wherein the method further includes using a virtual export table to associate routines in the library with call addresses that identify the respective memory locations of the routines and using an integrity modules to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A generic RootKit detector is disclosed that identifies when a malware, commonly known as RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library; a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infection the computer.

41 Citations

View as Search Results

21 Claims

1. In a computer that includes a memory, a single operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method, which is implemented by the computer, comprising:
- obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
  
  obtaining properties of the second version of the library that is stored in a protected state on the storage device;
  
  comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of a call address obtained from a component of the single operating system using data from the first version of a library with a value of the call address calculated from an offset value obtained from the second version of the library;
  
  determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
  
  wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call;
  
  wherein the method further includes using a virtual export table to associate routines in the library with call addresses that identify the respective memory locations of the routines and using an integrity modules to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the malware is a RootKit that is configured to conceal malicious instructions that are resident on the computer.
  - 3. The method as recited in claim 1, further comprising if the first version of the library is infected with malware:
    - (a) tracing the flow of program execution to a set of instructions that implement the malware; and
      
      (b) scanning the set of instructions that implement the malware for a signature that uniquely identifies the malware.
  - 4. The method as recited in claim 3, wherein if a malware is identified, causing a cleaning routine to be executed that removes the malware from the computer.
  - 5. The method as recited in claim 1, wherein the library is a dynamically linked library that is linked to a calling application program at runtime.
  - 6. The method as recited in claim 1, wherein obtaining the properties of the first version of the library includes determining whether the first version of the library references an instruction outside of the memory image allocated to the first version of the library by the operating system;
    - andwherein if the first version of the library references an instruction outside of the memory image allocated to the first version of the library, determining that the library is infected with malware.
  - 7. The method as recited in claim 1, wherein obtaining the properties of the first version of the library that was loaded into memory to provide services to the application program includes obtaining a call address of a routine in the first version of the library from a component of the single operating system.
  - 8. The method as recited in claim 7, wherein obtaining the properties of the second version of the library that is stored in a protected state on the storage device includes:
    - (a) obtaining the offset value from the second version of the library that identifies the respective location of the routine in the library; and
      
      (b) calculating the call address using the offset value obtained from the second version of the library for the routine that identifies the memory location where the routine may be accessed.
  - 9. The method as recited in claim 3, further comprising informing a user that malware is infecting the first library.
  - 10. The method as recited in claim 9, further comprising providing the user with options for handling the malware within a graphical user interface comprising graphical elements including dialog boxes and menus, the options including at least a default option.

11. A computer-readable storage medium storing computer-executable instructions which, when executed in a computer that includes a single operating system configured to copy a library into a memory address space available to an application program, carries out a method for determining whether a routine in the library that satisfies an Application Program Interface call is infected with malware, the method comprising:
- obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
  
  obtaining properties of the second version of the library that is stored in a protected state on the storage device;
  
  comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of a call address obtained from a component of the single operating system using data from the first version of a library with a value of the call address calculated from an offset value obtained from the second version of the library;
  
  determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
  
  wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call;
  
  wherein the method further includes using a virtual export table to associate routines in the library with call addresses that identify the respective memory locations of the routines and using an integrity modules to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-readable storage medium as recited in claim 11, further comprising if the first version of the library is infected with malware:
    - (a) tracing the flow of program execution to a set of instructions that implement the malware; and
      
      (b) scanning the set of instructions that implement the malware for a signature.
  - 13. The computer-readable storage medium as recited in claim 12, further comprising if a signature is identified:
    - (a) recording the value of the call address for the routine that was calculated using the offset value obtained from the second version of the library in a data store; and
      
      (b) using the recorded call address to locate the routine in memory when an Application Program Interface call is made that is handled by the routine.
  - 14. The computer-readable storage medium as recited in claim 11, wherein the method further includes calculating a call address for a routine by using an offset value obtained from the second version of the library and which includes determining whether the call address references a location that is outside the memory image of the library;
    - andwherein if the call address references a location outside of the memory image allocated to the first version of the library, determining that the library is infected with malware.
  - 15. The computer-readable storage medium as recited in claim 12, further comprising if the first library is infected with malware, informing a user.

16. A software system, the software system being performed in a computing environment comprising a processor, a memory, and a storage device, for determining whether a computer is infected with a RootKit, the software system comprising:
- a processor; and
  
  memory storing computer-executable instructions which, when executed by the processor, implement a method comprising;
  
  obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
  
  obtaining properties of the second version of the library that is stored in a protected state on the storage device;
  
  comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively;
  
  determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
  
  wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call,wherein the system further comprises;
  
  a virtual export table operative to associates a routine in the library with a call address that identifies the memory location of the routine; and
  
  an integrity module that is configured to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The software system as recited in claim 16, wherein the operating system is further configured to identify the location of the routine in memory from data stored in the virtual export table.
  - 18. The software system as recited in claim 16, wherein the integrity module is implemented in a component of an operating system that operates in kernel mode.
  - 19. The software system as recited in claim 16, wherein the integrity module is implemented in an application program that operates in user mode.
  - 20. The software system as recited in claim 16, further comprising a user interaction system that provides notification to the user if it is determined the computer is infected with a RootKit.
  - 21. The software system as recited in claim 20, wherein the user interaction system provides graphical elements including dialog boxes and menus to communicate with the computer regarding options for handling of the RootKit, the handling of the RootKit including at least a default option.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cowie, Neil A., Polyakov, Alexey A.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US11/210,565
Publication Number

US 20070055711A1
Time in Patent Office

1,602 Days
Field of Search

726/22, 726/24, 726/26, 726/27, 726/1, 707/1, 707/203, 717/124, 717/126, 713/187, 713/188, 714/38
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Generic RootKit detector

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Generic RootKit detector

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links