Detecting user-mode rootkits

Information security – Monitoring or scanning of software or data including attack... – Intrusion detection

Reexamination Certificate


Details

C713S164000

active

07874001

ABSTRACT:
A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

REFERENCES:
patent: 7512977 (2009-03-01), Cook et al.
patent: 2002/0133590 (2002-09-01), McBrearty et al.
patent: 2005/0204205 (2005-09-01), Ring et al.
patent: 2006/0074896 (2006-04-01), Thomas et al.
patent: 2427716 (2005-06-01), None
Wang, Yi-Min, Doug Beck, Binh Vo, Roussi Roussev and Chad Verbowski, “Detecting Stealth Software with Strider GhostBuster,” Microsoft Technical Report MSR-TR-2005-25, publicly released on Feb. 21, 2005, Microsoft Research, 11 pages.
Wang, Yi-Min and Doug Beck, “How to ‘Root’ a Rootkit That Supports Root Processes Using Strider Ghostbuster Enterprise Scanner,” Microsoft Technical Report MSR-TR-2005-21, Feb. 11, 2005, Microsoft Research, 2 pages.
Muttik, Igor, “Stripping Down an AV Engine,” Virus Bulletin Conference, Sep. 2000, pp. 59-68.
“Working with the AppInit_DLLs registry value,” Microsoft Corporation, Article ID 197571, Copyright 2005 Microsoft Corporation, last review Feb. 19, 2005, revision 4.0, 1 page, http://support.microsoft.com/default.aspx?scid=kb;en-us;197571.
“AppInit_DLLs Registry Value and Windows 95,” Microsoft Corporation, Article ID 134655, Copyright 2005 Microsoft Corporation, last review Mar. 1, 2005, revision 3.2, 2 pages, http://support.microsoft.com/kb/134655/.
Wang, Yi-Min, Binh Vo, Roussi Roussev, Chad Verbowski and Aaron Johnson, “Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files,” Microsoft Research, Redmond, Aug. 2004, 1 page.
U.S. Appl. No. 11/183,318, filed Jul. 15, 2005, Yan et al.
Busleiman, Arturo Alberto, “Detecting and Understanding Rootkits—An Introduction and Just a Little-Bit-More,” Sep. 2003 (13 pages).
Compaq Computer Corporation, “BIOS Boot Specification Version 1.01,” Phoenix Technologies Ltd., Intel Corporation, Jan. 11, 1996 (46 pages).
Altunergil, Oktay, “Scanning for Rootkits,” O'Reilly linux devcenter.com, Feb. 7, 2002 (8 pages) http://www.linuxdevcenter.com/lpt/a/1427.
Dittrich, “‘Root Kits’ and hiding files/directories/processes after a break-in,” Jan. 5, 2002 (12 pages) http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq.
Microsoft Knowledge Base Article 159214, “How to Use the Windiff.exe Utility,” Copyright Microsoft Corporation 2004 (3 pages).
Poulsen, Kevin, The Register, “Windows Root kits a stealthy threat,” Mar. 7, 2003 (3 pages) http://www.theregister.co.uk/2003/03/07/windows_root_kits_a_stealthy/.
Altunergil, Oktay, “Understanding Rootkits,” Dec. 14, 2001, O'Reilly linux devcenter.com (3 pages) http://www.linuxdevcenter.com/lpt/a/1428.
Wang, Yi-Min, Binh Vo, Roussi Roussev, Chad Verbowski and Aaron Johnson, “Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files,” Jul. 24, 2004, Microsoft Technical Report MSR-TR-2004-71 (15 pages).
U.S. Appl. No. 10/997,768, filed Nov. 23, 2004, Beck et al.
Wang, Yi-Min, Roussi Roussev, Chad Verbowski, Aaron Johnson and David Ladd, “AskStrider: What Has Changed on My Machine Lately?,” Jan. 5, 2004, Microsoft Technical Report MSR-TR-2004-03 (12 pages).
Kodmaker@syshell.org, “NTIllusion: A Portable Win32 userland rootkit,” Phrack Inc., Jul. 13, 2004 (28 pages) http://www.phrack.org/show.php?p=62&a=12.
holy_father@phreaker.net, “Invisibility on NT boxes - How to become unseen on Windows NT,” Code Breakers Journal, vol. 1, No. 2 (2004), May 8, 2003 (26 pages).
NTQuerySystemInformation, Copyright Microsoft 2005 (4 pages) http://msdn.microsoft.com/library/en-us/sysinfo/base/ntquerysysteminformation.asp?frame=true.
Schneier, Bruce, “Schneier on Security: GhostBuster—A weblog covering security and security technology,” Feb. 15, 2005 (9 pages) http://www.schneier.com/blog/archives/2005/02/ghostbuster.html.
