WO2006110921A3 - System and method for scanning memory for pestware offset signatures - Google Patents
- Publication number: WO2006110921A3 (application PCT/US2006/014405)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- pestware
- executable memory
- offset
- portions
- reference point
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in executable memory that is associated with a process running in that memory is located. First and second sets of information are then retrieved from corresponding first and second portions of the executable memory. The first and second portions are separated by a defined offset, and each of them is itself offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each contain information previously found to be separated by the defined offset in other processes of that pestware type. In some variations, the reference point is a starting address and/or an API implementation in the process.
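The matching step the abstract describes, as an added example that is not code from the patent or from Webroot: a signature is two byte strings known to sit a fixed distance apart, both located relative to a reference point. Locating the reference point by searching for a constructed marker sequence is a stand-in for the start address or API implementation a real scanner would obtain from the operating system, and all memory images below are constructed.

```python
# Offset-signature matching over a process memory image (added example, constructed data).
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class OffsetSignature:
    """Two byte strings known to sit a fixed distance apart in one pestware type."""
    name: str
    first: bytes        # information expected in the first portion
    second: bytes       # information expected in the second portion
    first_offset: int   # distance of the first portion from the reference point
    separation: int     # the "defined offset" between the two portions


def locate_reference_point(image: bytes, marker: bytes) -> Optional[int]:
    """Hypothetical stand-in: the reference point is the first occurrence of a marker.

    A real scanner would use the process start address or the address of an
    API implementation instead of searching for bytes.
    """
    idx = image.find(marker)
    return idx if idx >= 0 else None


def matches(image: bytes, reference: int, sig: OffsetSignature) -> bool:
    """True when both portions, located relative to the reference, hold the expected bytes."""
    first_at = reference + sig.first_offset
    second_at = first_at + sig.separation
    end = max(first_at + len(sig.first), second_at + len(sig.second))
    if min(first_at, second_at) < 0 or end > len(image):
        return False  # the signature would read outside the image: no match, not an error
    return (image[first_at:first_at + len(sig.first)] == sig.first
            and image[second_at:second_at + len(sig.second)] == sig.second)


def classify(image: bytes, reference: int, sigs: Sequence[OffsetSignature]) -> List[str]:
    """Names of every pestware type whose offset signature matches this process."""
    return [s.name for s in sigs if matches(image, reference, s)]


def scan(image: bytes, marker: bytes, sigs: Sequence[OffsetSignature]) -> List[str]:
    """Locate the reference point, then classify the process against all signatures."""
    ref = locate_reference_point(image, marker)
    return [] if ref is None else classify(image, ref, sigs)


# Constructed sample data (not real pestware): marker, one signature, three memory images.
MARKER = b"\x55\x8b\xec"  # stands in for the process start address
SIGNATURES = [OffsetSignature("example-pestware", b"PEST", b"WARE", first_offset=8, separation=16)]
INFECTED = b"\x00" * 16 + MARKER + b"\x90" * 5 + b"PEST" + b"\xcc" * 12 + b"WARE" + b"\x00" * 8
# Same two fragments, but 10 bytes apart instead of 16: the offset signature does not fire.
UNRELATED = b"\x00" * 16 + MARKER + b"\x90" * 5 + b"PEST" + b"\xcc" * 6 + b"WARE" + b"\x00" * 8
# Same process at a different base: offsets are relative to the reference, so it still matches.
RELOCATED = b"\x00" * 100 + INFECTED
```

Because both portions are addressed relative to the reference point rather than by absolute address, the same signature matches the process wherever it is loaded, while the same fragments at a different spacing do not.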
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06758375A EP1872233A2 (en) | 2005-04-14 | 2006-04-14 | System and method for scanning memory for pestware offset signatures |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/105,977 | 2005-04-14 | ||
US11/105,977 US7591016B2 (en) | 2005-04-14 | 2005-04-14 | System and method for scanning memory for pestware offset signatures |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2006110921A2 (en) | 2006-10-19 |
WO2006110921A3 (en) | 2008-01-17 |
Family
ID=37087710
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2006/014405 WO2006110921A2 (en) | 2005-04-14 | 2006-04-14 | System and method for scanning memory for pestware offset signatures |
Country Status (3)
Country | Link |
---|---|
US (2) | US7591016B2 (en) |
EP (1) | EP1872233A2 (en) |
WO (1) | WO2006110921A2 (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7591016B2 (en) * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US8452744B2 (en) * | 2005-06-06 | 2013-05-28 | Webroot Inc. | System and method for analyzing locked files |
US7861296B2 (en) * | 2005-06-16 | 2010-12-28 | Microsoft Corporation | System and method for efficiently scanning a file for malware |
US20070006311A1 (en) * | 2005-06-29 | 2007-01-04 | Barton Kevin T | System and method for managing pestware |
US20070074289A1 (en) * | 2005-09-28 | 2007-03-29 | Phil Maddaloni | Client side exploit tracking |
US20070094733A1 (en) * | 2005-10-26 | 2007-04-26 | Wilson Michael C | System and method for neutralizing pestware residing in executable memory |
US20070094726A1 (en) * | 2005-10-26 | 2007-04-26 | Wilson Michael C | System and method for neutralizing pestware that is loaded by a desirable process |
US8255992B2 (en) * | 2006-01-18 | 2012-08-28 | Webroot Inc. | Method and system for detecting dependent pestware objects on a computer |
US7996903B2 (en) | 2006-07-07 | 2011-08-09 | Webroot Software, Inc. | Method and system for detecting and removing hidden pestware files |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US8438386B2 (en) * | 2009-04-21 | 2013-05-07 | Webroot Inc. | System and method for developing a risk profile for an internet service |
CN102812431A (en) | 2010-03-22 | 2012-12-05 | Lrdc Systems Co., Ltd. | A method of identifying and protecting the integrity of a set of source data |
US9330259B2 (en) * | 2013-03-19 | 2016-05-03 | Trusteer, Ltd. | Malware discovery method and system |
US9792436B1 (en) * | 2013-04-29 | 2017-10-17 | Symantec Corporation | Techniques for remediating an infected file |
US10528735B2 (en) | 2014-11-17 | 2020-01-07 | Morphisec Information Security 2014 Ltd. | Malicious code protection for computer systems based on process modification |
WO2017137804A1 (en) | 2016-02-11 | 2017-08-17 | Morphisec Information Security Ltd. | Automated classification of exploits based on runtime environmental features |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5485575A (en) * | 1994-11-21 | 1996-01-16 | International Business Machines Corporation | Automatic analysis of a computer virus structure and means of attachment to its hosts |
US20030212902A1 (en) * | 2002-05-13 | 2003-11-13 | Van Der Made Peter A.J. | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US20040255165A1 (en) * | 2002-05-23 | 2004-12-16 | Peter Szor | Detecting viruses using register state |
Family Cites Families (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5442669A (en) * | 1993-12-27 | 1995-08-15 | Medin; David L. | Perishable good integrity indicator |
US5812848A (en) * | 1995-08-23 | 1998-09-22 | Symantec Corporation | Subclassing system for computer that operates with portable-executable (PE) modules |
US5826013A (en) * | 1995-09-28 | 1998-10-20 | Symantec Corporation | Polymorphic virus detection module |
US5696822A (en) * | 1995-09-28 | 1997-12-09 | Symantec Corporation | Polymorphic virus detection module |
US6357008B1 (en) * | 1997-09-23 | 2002-03-12 | Symantec Corporation | Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases |
US6192512B1 (en) * | 1998-09-24 | 2001-02-20 | International Business Machines Corporation | Interpreter with virtualized interface |
JP3837244B2 (en) * | 1998-10-23 | 2006-10-25 | Matsushita Electric Industrial Co., Ltd. | Program linking apparatus and method |
US6851057B1 (en) * | 1999-11-30 | 2005-02-01 | Symantec Corporation | Data driven detection of viruses |
US6971019B1 (en) * | 2000-03-14 | 2005-11-29 | Symantec Corporation | Histogram-based virus detection |
US6775780B1 (en) * | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
US6735703B1 (en) * | 2000-05-08 | 2004-05-11 | Networks Associates Technology, Inc. | Multi-platform sequence-based anomaly detection wrapper |
US6973577B1 (en) * | 2000-05-26 | 2005-12-06 | Mcafee, Inc. | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state |
US6931540B1 (en) * | 2000-05-31 | 2005-08-16 | Networks Associates Technology, Inc. | System, method and computer program product for selecting virus detection actions based on a process by which files are being accessed |
US6973578B1 (en) * | 2000-05-31 | 2005-12-06 | Networks Associates Technology, Inc. | System, method and computer program product for process-based selection of virus detection actions |
US7093239B1 (en) | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US6954861B2 (en) | 2000-07-14 | 2005-10-11 | America Online, Inc. | Identifying unauthorized communication systems based on their memory contents |
US7178166B1 (en) * | 2000-09-19 | 2007-02-13 | Internet Security Systems, Inc. | Vulnerability assessment and authentication of a computer by a local scanner |
US7150045B2 (en) * | 2000-12-14 | 2006-12-12 | Widevine Technologies, Inc. | Method and apparatus for protection of electronic media |
US7328453B2 (en) | 2001-05-09 | 2008-02-05 | Ecd Systems, Inc. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US7421587B2 (en) * | 2001-07-26 | 2008-09-02 | Mcafee, Inc. | Detecting computer programs within packed computer files |
US7827611B2 (en) * | 2001-08-01 | 2010-11-02 | Mcafee, Inc. | Malware scanning user interface for wireless devices |
US7234167B2 (en) * | 2001-09-06 | 2007-06-19 | Mcafee, Inc. | Automatic builder of detection and cleaning routines for computer viruses |
US7107617B2 (en) | 2001-10-15 | 2006-09-12 | Mcafee, Inc. | Malware scanning of compressed computer files |
US7506374B2 (en) * | 2001-10-31 | 2009-03-17 | Computer Associates Think, Inc. | Memory scanning system and method |
US7150042B2 (en) * | 2001-12-06 | 2006-12-12 | Mcafee, Inc. | Techniques for performing malware scanning of files stored within a file storage device of a computer network |
US20030115479A1 (en) * | 2001-12-14 | 2003-06-19 | Jonathan Edwards | Method and system for detecting computer malwares by scan of process memory after process initialization |
US7266843B2 (en) | 2001-12-26 | 2007-09-04 | Mcafee, Inc. | Malware scanning to create clean storage locations |
US6681972B1 (en) * | 2002-03-19 | 2004-01-27 | J&C Tapocik, Inc. | Hands-free holder which will hold an airline ticket, an identification, credit cards and cash while worn around a user's neck |
ATE426858T1 (en) * | 2002-04-13 | 2009-04-15 | Computer Associates Think, Inc. | System and method for detecting malicious code |
US7155742B1 (en) * | 2002-05-16 | 2006-12-26 | Symantec Corporation | Countering infections to communications modules |
US7418729B2 (en) * | 2002-07-19 | 2008-08-26 | Symantec Corporation | Heuristic detection of malicious computer code by page tracking |
GB2391965B (en) * | 2002-08-14 | 2005-11-30 | Messagelabs Ltd | Method of, and system for, heuristically detecting viruses in executable code |
US7337471B2 (en) * | 2002-10-07 | 2008-02-26 | Symantec Corporation | Selective detection of malicious computer code |
US7216367B2 (en) * | 2003-02-21 | 2007-05-08 | Symantec Corporation | Safe memory scanning |
WO2004077294A1 (en) * | 2003-02-26 | 2004-09-10 | Secure Ware Inc. | Unauthorized processing judgment method, data processing device, computer program, and recording medium |
US8171551B2 (en) * | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
GB2400197B (en) * | 2003-04-03 | 2006-04-12 | Messagelabs Ltd | System for and method of detecting malware in macros and executable scripts |
US7231667B2 (en) * | 2003-05-29 | 2007-06-12 | Computer Associates Think, Inc. | System and method for computer virus detection utilizing heuristic analysis |
US7257842B2 (en) | 2003-07-21 | 2007-08-14 | Mcafee, Inc. | Pre-approval of computer files during a malware detection |
US7644441B2 (en) * | 2003-09-26 | 2010-01-05 | Cigital, Inc. | Methods for identifying malicious software |
US8627458B2 (en) * | 2004-01-13 | 2014-01-07 | Mcafee, Inc. | Detecting malicious computer program activity using external program calls with dynamic rule sets |
US7620990B2 (en) * | 2004-01-30 | 2009-11-17 | Microsoft Corporation | System and method for unpacking packed executables for malware evaluation |
US7707634B2 (en) * | 2004-01-30 | 2010-04-27 | Microsoft Corporation | System and method for detecting malware in executable scripts according to its functionality |
US7913305B2 (en) * | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
US20050262567A1 (en) * | 2004-05-19 | 2005-11-24 | Itshak Carmona | Systems and methods for computer security |
US20050268112A1 (en) * | 2004-05-28 | 2005-12-01 | Microsoft Corporation | Managing spyware and unwanted software through auto-start extensibility points |
US7568230B2 (en) * | 2004-06-09 | 2009-07-28 | Lieberman Software Corporation | System for selective disablement and locking out of computer system objects |
US7596809B2 (en) * | 2004-06-14 | 2009-09-29 | Lionic Corporation | System security approaches using multiple processing units |
US7401184B2 (en) * | 2004-11-19 | 2008-07-15 | Intel Corporation | Matching memory transactions to cache line boundaries |
US7636856B2 (en) * | 2004-12-06 | 2009-12-22 | Microsoft Corporation | Proactive computer malware protection through dynamic translation |
US7836504B2 (en) * | 2005-03-01 | 2010-11-16 | Microsoft Corporation | On-access scan of memory for malware |
US7571476B2 (en) * | 2005-04-14 | 2009-08-04 | Webroot Software, Inc. | System and method for scanning memory for pestware |
US7591016B2 (en) * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US7349931B2 (en) * | 2005-04-14 | 2008-03-25 | Webroot Software, Inc. | System and method for scanning obfuscated files for pestware |
2005
- 2005-04-14 US US11/105,977 patent/US7591016B2/en active Active
2006
- 2006-04-14 EP EP06758375A patent/EP1872233A2/en not_active Withdrawn
- 2006-04-14 WO PCT/US2006/014405 patent/WO2006110921A2/en active Application Filing
2009
- 2009-09-14 US US12/559,434 patent/US7971249B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
WO2006110921A2 (en) | 2006-10-19 |
US20060236396A1 (en) | 2006-10-19 |
US20100005530A1 (en) | 2010-01-07 |
EP1872233A2 (en) | 2008-01-02 |
US7591016B2 (en) | 2009-09-15 |
US7971249B2 (en) | 2011-06-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2006758375; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: RU |