WO2006110921A3 - System and method for scanning memory for pestware offset signatures - Google Patents

System and method for scanning memory for pestware offset signatures Download PDF

Info

Publication number
WO2006110921A3
WO2006110921A3 PCT/US2006/014405 US2006014405W WO2006110921A3 WO 2006110921 A3 WO2006110921 A3 WO 2006110921A3 US 2006014405 W US2006014405 W US 2006014405W WO 2006110921 A3 WO2006110921 A3 WO 2006110921A3
Authority
WO
WIPO (PCT)
Prior art keywords
pestware
executable memory
offset
portions
reference point
Prior art date
Application number
PCT/US2006/014405
Other languages
French (fr)
Other versions
WO2006110921A2 (en
Inventor
Jefferson Delk Horne
Original Assignee
Webroot Software Inc
Jefferson Delk Horne
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Webroot Software Inc, Jefferson Delk Horne filed Critical Webroot Software Inc
Priority to EP06758375A priority Critical patent/EP1872233A2/en
Publication of WO2006110921A2 publication Critical patent/WO2006110921A2/en
Publication of WO2006110921A3 publication Critical patent/WO2006110921A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. A first and second sets of information from corresponding first and second portions of the executable memory are then retrieved. The first and second portions of the executable memory are separated by a defined offset, and each of the first and second portions of the executable memory are offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process.
PCT/US2006/014405 2005-04-14 2006-04-14 System and method for scanning memory for pestware offset signatures WO2006110921A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP06758375A EP1872233A2 (en) 2005-04-14 2006-04-14 System and method for scanning memory for pestware offset signatures

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/105,977 2005-04-14
US11/105,977 US7591016B2 (en) 2005-04-14 2005-04-14 System and method for scanning memory for pestware offset signatures

Publications (2)

Publication Number Publication Date
WO2006110921A2 WO2006110921A2 (en) 2006-10-19
WO2006110921A3 true WO2006110921A3 (en) 2008-01-17

Family

ID=37087710

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/014405 WO2006110921A2 (en) 2005-04-14 2006-04-14 System and method for scanning memory for pestware offset signatures

Country Status (3)

Country Link
US (2) US7591016B2 (en)
EP (1) EP1872233A2 (en)
WO (1) WO2006110921A2 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7591016B2 (en) * 2005-04-14 2009-09-15 Webroot Software, Inc. System and method for scanning memory for pestware offset signatures
US8452744B2 (en) * 2005-06-06 2013-05-28 Webroot Inc. System and method for analyzing locked files
US7861296B2 (en) * 2005-06-16 2010-12-28 Microsoft Corporation System and method for efficiently scanning a file for malware
US20070006311A1 (en) * 2005-06-29 2007-01-04 Barton Kevin T System and method for managing pestware
US20070074289A1 (en) * 2005-09-28 2007-03-29 Phil Maddaloni Client side exploit tracking
US20070094733A1 (en) * 2005-10-26 2007-04-26 Wilson Michael C System and method for neutralizing pestware residing in executable memory
US20070094726A1 (en) * 2005-10-26 2007-04-26 Wilson Michael C System and method for neutralizing pestware that is loaded by a desirable process
US8255992B2 (en) * 2006-01-18 2012-08-28 Webroot Inc. Method and system for detecting dependent pestware objects on a computer
US7996903B2 (en) 2006-07-07 2011-08-09 Webroot Software, Inc. Method and system for detecting and removing hidden pestware files
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US11489857B2 (en) 2009-04-21 2022-11-01 Webroot Inc. System and method for developing a risk profile for an internet resource
US8438386B2 (en) * 2009-04-21 2013-05-07 Webroot Inc. System and method for developing a risk profile for an internet service
CN102812431A (en) 2010-03-22 2012-12-05 Lrdc系统有限公司 A method of identifying and protecting the integrity of a set of source data
US9330259B2 (en) * 2013-03-19 2016-05-03 Trusteer, Ltd. Malware discovery method and system
US9792436B1 (en) * 2013-04-29 2017-10-17 Symantec Corporation Techniques for remediating an infected file
US10528735B2 (en) 2014-11-17 2020-01-07 Morphisec Information Security 2014 Ltd. Malicious code protection for computer systems based on process modification
WO2017137804A1 (en) 2016-02-11 2017-08-17 Morphisec Information Security Ltd. Automated classification of exploits based on runtime environmental features

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5485575A (en) * 1994-11-21 1996-01-16 International Business Machines Corporation Automatic analysis of a computer virus structure and means of attachment to its hosts
US20030212902A1 (en) * 2002-05-13 2003-11-13 Van Der Made Peter A.J. Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US20040255165A1 (en) * 2002-05-23 2004-12-16 Peter Szor Detecting viruses using register state

Family Cites Families (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5442669A (en) * 1993-12-27 1995-08-15 Medin; David L. Perishable good integrity indicator
US5812848A (en) * 1995-08-23 1998-09-22 Symantec Corporation Subclassing system for computer that operates with portable-executable (PE) modules
US5826013A (en) * 1995-09-28 1998-10-20 Symantec Corporation Polymorphic virus detection module
US5696822A (en) * 1995-09-28 1997-12-09 Symantec Corporation Polymorphic virus detection module
US6357008B1 (en) * 1997-09-23 2002-03-12 Symantec Corporation Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases
US6192512B1 (en) * 1998-09-24 2001-02-20 International Business Machines Corporation Interpreter with virtualized interface
JP3837244B2 (en) * 1998-10-23 2006-10-25 松下電器産業株式会社 Program linking apparatus and method
US6851057B1 (en) * 1999-11-30 2005-02-01 Symantec Corporation Data driven detection of viruses
US6971019B1 (en) * 2000-03-14 2005-11-29 Symantec Corporation Histogram-based virus detection
US6775780B1 (en) * 2000-03-16 2004-08-10 Networks Associates Technology, Inc. Detecting malicious software by analyzing patterns of system calls generated during emulation
US6735703B1 (en) * 2000-05-08 2004-05-11 Networks Associates Technology, Inc. Multi-platform sequence-based anomaly detection wrapper
US6973577B1 (en) * 2000-05-26 2005-12-06 Mcafee, Inc. System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state
US6931540B1 (en) * 2000-05-31 2005-08-16 Networks Associates Technology, Inc. System, method and computer program product for selecting virus detection actions based on a process by which files are being accessed
US6973578B1 (en) * 2000-05-31 2005-12-06 Networks Associates Technology, Inc. System, method and computer program product for process-based selection of virus detection actions
US7093239B1 (en) 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US6954861B2 (en) 2000-07-14 2005-10-11 America Online, Inc. Identifying unauthorized communication systems based on their memory contents
US7178166B1 (en) * 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
US7150045B2 (en) * 2000-12-14 2006-12-12 Widevine Technologies, Inc. Method and apparatus for protection of electronic media
US7328453B2 (en) 2001-05-09 2008-02-05 Ecd Systems, Inc. Systems and methods for the prevention of unauthorized use and manipulation of digital content
US7421587B2 (en) * 2001-07-26 2008-09-02 Mcafee, Inc. Detecting computer programs within packed computer files
US7827611B2 (en) * 2001-08-01 2010-11-02 Mcafee, Inc. Malware scanning user interface for wireless devices
US7234167B2 (en) * 2001-09-06 2007-06-19 Mcafee, Inc. Automatic builder of detection and cleaning routines for computer viruses
US7107617B2 (en) 2001-10-15 2006-09-12 Mcafee, Inc. Malware scanning of compressed computer files
US7506374B2 (en) * 2001-10-31 2009-03-17 Computer Associates Think, Inc. Memory scanning system and method
US7150042B2 (en) * 2001-12-06 2006-12-12 Mcafee, Inc. Techniques for performing malware scanning of files stored within a file storage device of a computer network
US20030115479A1 (en) * 2001-12-14 2003-06-19 Jonathan Edwards Method and system for detecting computer malwares by scan of process memory after process initialization
US7266843B2 (en) 2001-12-26 2007-09-04 Mcafee, Inc. Malware scanning to create clean storage locations
US6681972B1 (en) * 2002-03-19 2004-01-27 J&C Tapocik, Inc. Hands-free holder which will hold an airline ticket, an identification, credit cards and cash while worn around a user's neck
ATE426858T1 (en) * 2002-04-13 2009-04-15 Computer Ass Think Inc SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE
US7155742B1 (en) * 2002-05-16 2006-12-26 Symantec Corporation Countering infections to communications modules
US7418729B2 (en) * 2002-07-19 2008-08-26 Symantec Corporation Heuristic detection of malicious computer code by page tracking
GB2391965B (en) * 2002-08-14 2005-11-30 Messagelabs Ltd Method of, and system for, heuristically detecting viruses in executable code
US7337471B2 (en) * 2002-10-07 2008-02-26 Symantec Corporation Selective detection of malicious computer code
US7216367B2 (en) * 2003-02-21 2007-05-08 Symantec Corporation Safe memory scanning
WO2004077294A1 (en) * 2003-02-26 2004-09-10 Secure Ware Inc. Unauthorized processing judgment method, data processing device, computer program, and recording medium
US8171551B2 (en) * 2003-04-01 2012-05-01 Mcafee, Inc. Malware detection using external call characteristics
GB2400197B (en) * 2003-04-03 2006-04-12 Messagelabs Ltd System for and method of detecting malware in macros and executable scripts
US7231667B2 (en) * 2003-05-29 2007-06-12 Computer Associates Think, Inc. System and method for computer virus detection utilizing heuristic analysis
US7257842B2 (en) 2003-07-21 2007-08-14 Mcafee, Inc. Pre-approval of computer files during a malware detection
US7644441B2 (en) * 2003-09-26 2010-01-05 Cigital, Inc. Methods for identifying malicious software
US8627458B2 (en) * 2004-01-13 2014-01-07 Mcafee, Inc. Detecting malicious computer program activity using external program calls with dynamic rule sets
US7620990B2 (en) * 2004-01-30 2009-11-17 Microsoft Corporation System and method for unpacking packed executables for malware evaluation
US7707634B2 (en) * 2004-01-30 2010-04-27 Microsoft Corporation System and method for detecting malware in executable scripts according to its functionality
US7913305B2 (en) * 2004-01-30 2011-03-22 Microsoft Corporation System and method for detecting malware in an executable code module according to the code module's exhibited behavior
US20050262567A1 (en) * 2004-05-19 2005-11-24 Itshak Carmona Systems and methods for computer security
US20050268112A1 (en) * 2004-05-28 2005-12-01 Microsoft Corporation Managing spyware and unwanted software through auto-start extensibility points
US7568230B2 (en) * 2004-06-09 2009-07-28 Lieberman Software Corporation System for selective disablement and locking out of computer system objects
US7596809B2 (en) * 2004-06-14 2009-09-29 Lionic Corporation System security approaches using multiple processing units
US7401184B2 (en) * 2004-11-19 2008-07-15 Intel Corporation Matching memory transactions to cache line boundaries
US7636856B2 (en) * 2004-12-06 2009-12-22 Microsoft Corporation Proactive computer malware protection through dynamic translation
US7836504B2 (en) * 2005-03-01 2010-11-16 Microsoft Corporation On-access scan of memory for malware
US7571476B2 (en) * 2005-04-14 2009-08-04 Webroot Software, Inc. System and method for scanning memory for pestware
US7591016B2 (en) * 2005-04-14 2009-09-15 Webroot Software, Inc. System and method for scanning memory for pestware offset signatures
US7349931B2 (en) * 2005-04-14 2008-03-25 Webroot Software, Inc. System and method for scanning obfuscated files for pestware

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5485575A (en) * 1994-11-21 1996-01-16 International Business Machines Corporation Automatic analysis of a computer virus structure and means of attachment to its hosts
US20030212902A1 (en) * 2002-05-13 2003-11-13 Van Der Made Peter A.J. Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US20040255165A1 (en) * 2002-05-23 2004-12-16 Peter Szor Detecting viruses using register state

Also Published As

Publication number Publication date
WO2006110921A2 (en) 2006-10-19
US20060236396A1 (en) 2006-10-19
US20100005530A1 (en) 2010-01-07
EP1872233A2 (en) 2008-01-02
US7591016B2 (en) 2009-09-15
US7971249B2 (en) 2011-06-28

Similar Documents

Publication Publication Date Title
WO2006110921A3 (en) System and method for scanning memory for pestware offset signatures
WO2006121572A3 (en) System and method for scanning obfuscated files for pestware
EP2650817A3 (en) Streaming malware definition updates
TW200625101A (en) Backup/restore system and method thereof
WO2010141216A3 (en) Self populating address book
WO2007130597A3 (en) Content editing protected view
WO2006076661A3 (en) Dynamic advertisement system and method
WO2009134462A3 (en) Method and system to predict the likelihood of topics
WO2007009009A3 (en) Systems and methods for identifying sources of malware
WO2011122845A3 (en) Mobile communication terminal having a behavior-based malicious code detection function and detection method thereof
WO2011035150A3 (en) Systems and methods for sharing user generated slide objects over a network
TW200634622A (en) Register file regions for a processing system
WO2007125422A3 (en) System and method for enforcing a security context on a downloadable
WO2006012449A3 (en) Tracking objects modified between backup operations
WO2008157810A3 (en) System and method for compending blogs
WO2008005948A3 (en) A method and system for determining and sharing a user's web presence
WO2007124416A3 (en) Backwards researching activity indicative of pestware
WO2007147089A3 (en) Family code determination using brand and sub-brand
EP2083356A3 (en) Information processing apparatus, system, method, and storage medium
WO2006130763A3 (en) Partial page scheme for memory technologies
JP2005303981A5 (en)
MXPA05009278A (en) Rfid server internals design.
WO2008155188A3 (en) Firewall control using remote system information
WO2009105702A3 (en) License auditing for distributed applications
WO2010004243A3 (en) Interrupt processing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2006758375

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: RU