Malware detection and identification via malware spoofing

US 8,056,134 B1
Filed: 04/21/2007
Issued: 11/08/2011
Est. Priority Date: 09/10/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

placing on a system a component extracted from a malware infection, without thereby infecting the system, in that the placed component does not behave maliciously in isolation from at least one other component of the malware infection which is not on the system;

using a utility to obtain a listing which, in the absence of filtering by malware, would list the placed malware component; and

checking the listing to determine whether the placed malware component is listed therein.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware spoof component may be a formed component which has some but not all characteristics of an actual malware file or other component. Alternately, a spoof component may be an isolated component extracted from actual malware. Malware spoof components may be placed on a target system, after which a listing is obtained and checked. If the placed spoof component does not appear in the listing, then the spoof component may have been filtered out by malware infecting the system, thereby revealing the malware'"'"'s presence.

131 Citations

View as Search Results

15 Claims

1. A method comprising:
- placing on a system a component extracted from a malware infection, without thereby infecting the system, in that the placed component does not behave maliciously in isolation from at least one other component of the malware infection which is not on the system;
  
  using a utility to obtain a listing which, in the absence of filtering by malware, would list the placed malware component; and
  
  checking the listing to determine whether the placed malware component is listed therein.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein placing the malware component comprises placing at least one of the following:
    - a file, a registry entry, a data structure containing a code isolation mechanism identifier, a data structure containing a malware signature.
  - 3. The method of claim 1, further comprising the step of exposing the system to a malware program, and wherein the placed malware component serves to immunize the system from infection by the malware program.
  - 4. The method of claim 1, further comprising the steps of:
    - exposing the system to a malware program; and
      
      determining that the malware program searches for the placed malware component.

5. A non-transitory computer-readable storage medium configured with data and instructions for performing the following method:
- (a) automatically placing on a system a malware spoof component, without thereby infecting the system with malware that is spoofed by that malware spoof component;
  
  (b) automatically using a utility to obtain a listing which, in the absence of filtering by malware, would list that placed malware spoof component;
  
  (c) automatically checking the listing to determine whether that placed malware spoof component is listed therein; and
  
  (d) automatically repeating steps (a) through (c) with at least one other malware spoof component, whereby the method automatically checks the system for malware using a plurality of malware spoof components.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The configured medium of claim 5, wherein the placed malware spoof components collectively spoof a plurality of malware programs, whereby the method checks the system for a plurality of malware programs using a plurality of malware spoof components.
  - 7. The configured medium of claim 5, wherein the malware spoof components placed include at least one component extracted from a malware infection.
  - 8. The configured medium of claim 5, wherein the malware spoof components placed include at least one component which was not extracted from a malware infection but shares a name and at least one other system characteristic with a corresponding component of a malware infection.
  - 9. The configured medium of claim 5, wherein the method further comprises the step of removing a placed malware spoof component from the system after an instance of the checking step.

10. A system, comprising:
- a processor in operable connection with a memory;
  
  the processor configured by data and instructions to perform the following;
  
  automatically place on a target system a plurality of malware spoof components, without thereby infecting the target system with malware that is spoofed by the malware spoof components;
  
  automatically use a utility to obtain at least one listing which, in the absence of filtering by malware, would list the placed malware spoof components; and
  
  automatically check the listing(s) to determine whether the placed malware spoof components are listed therein;
  
  whereby the target system is automatically checked for malware.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the target system is characterized in that no trusted non-infected baseline is available for the target system.
  - 12. The system of claim 10, wherein the malware spoof components comprise components of at least one of the following types:
    - processes, other code isolation mechanisms, files, registry entries, communication port assignments, interrupt vectors, other vector table entries, hashes, other signatures, elements in a linked data structure.
  - 13. The system of claim 10, wherein at least one of the malware spoof components is a rootkit component.
  - 14. The system of claim 10, wherein at least one of the malware spoof components spoofs a rootkit component with respect to at least two system characteristics while differing from the rootkit component in at least one system characteristic.
  - 15. The system of claim 10, further comprising selecting the malware spoof component to be placed from among components of a malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John W.L. Ogilvie
Original Assignee
John W.L. Ogilvie
Inventors
OGILVIE, JOHN W.
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
LAUZON, THOMAS C

Application Number

US11/738,487
Time in Patent Office

1,662 Days
Field of Search

726 22- 24, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Malware detection and identification via malware spoofing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection and identification via malware spoofing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links