Information security – Monitoring or scanning of software or data including attack... – Intrusion detection
Reexamination Certificate
2004-11-23
2009-12-01
Vu, Kimyen (Department: 2435)
Information security
Monitoring or scanning of software or data including attack...
Intrusion detection
C726S025000, C713S188000
Reexamination Certificate
active
07627898
ABSTRACT:
A method and system for detecting that a software system has been infected by software that attempts to hide properties related to the software system is provided. A detection system identifies that a suspect operating system has been infected by malware by comparing properties related to the suspect operating system as reported by the suspect operating system to properties as reported by another operating system that is assumed to be clean. The detection system compares the reported properties to the actual properties to identify any significant differences. A significant difference, such as the presence of an actual file not reported by the suspect operating system, may indicate that the suspect storage device is infected.
REFERENCES:
patent: 6550060 (2003-04-01), Hammond
patent: 2004/0039921 (2004-02-01), Chuang
T. Garfinkel and M. Rosenblum. “A Virtual Machine Introspection Based Architecture for Intrusion Detection”. In Proceedings of the Symposium on Network and Distributed Systems Security (SNDSS), pp. 191-206, Feb. 2003.
Busleiman, Arturo, “Detecting and Understating Rootkits,” Sep. 2003.
NISCC Technical note Aug. 2003, “Trojan Horse Programs and Rootkits”, Issued: Sep. 10, 2003.
Landsberg, G.L.; “Computer viruses and methods of combating them”; Institute of High Energy Physics, Protvino, Moscow Region, American Institute of Physics, Feb. 1991, pp. 185-200.
U.S. Appl. No. 11/183,318, filed Jul. 15, 2005, Yan et al.
Muttik, Igor, “Stripping Down an AV Engine,” Virus Bulletin Conference, Sep. 2000, pp. 59-68.
“Working with the Applnit—DLLs registry value,” Microsoft Corporation, Article ID 197571, last review Feb. 19, 2005, revision 4.0, 1 page, http://support.microsoft.com/default.aspx?scid=kb;en-us; 197571.
Wang, Yi-Min, Binh Vo, Roussi Roussev, Chad Verbowski and Aaron Johnson, “Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files,” Microsoft Research, Redmond, Aug. 2004, 1 page.
“Applnit—DLLs Registry Value and Windows 95,” Microsoft Corporation, Article ID 134655, last review Mar. 1, 2005, revision 3.2, 2 pages, http://support.microsoft.com/kb/134655/.
Poulsen, Kevin, “Windows Root Kits a Stealthy Threat,” SecurityFocus News, Mar. 5, 2003 (3 pages).
Altunergil, Oktay, “Understanding Rootkits,” Linus Devcenter.com, Dec. 14, 2001 (3 pages).
Altunergil, Oktay, “Scanning for Tootkits,” Linux Devcenter.com, Feb. 7, 2002 (8 pages).
Busleiman, Arturo, “Detecting and Understanding Rootkits,” Sep. 2003 (13 pages).
Altunergil, Oktay, “Understanding Rootkits,” Linux Devcenter.com, Dec. 14, 2001 (5 pages).
Altunergil, Oktay, “Scanning for Rootkits,” Linux Devcenter.com, Feb. 7, 2002 (4 pages).
BIOS Boot Specification, Compaq Computer Corporation, Phoenix Technologies, Ltd., Intel Corporation, Version 1.01, Jan. 11, 1996 (46 pages).
“How to Use the Windiff.exe Utility,” Microsoft Knowlege Base Article—159214, Copyright 2004, Microsoft Corporation (3 pages) http://support.microsoft.com/default.aspx?scid=kb;en-us;159214.
Poulsen, Kevin, “Windows Root Kits a Stealthy Threat,” The Register, SecurityFocus Online, Mar. 7, 2003 (3 pages).
Dittrich, “Root Kits and Hiding Files/Directories/Processes After a Break-in,” Jan. 2002 (12 pages).
U.S. Appl. No. 11/183,225, filed Jul. 15, 2005, Beck et al.
Wang, Yi-Min, Binh Vo, Roussi Roussev, Chad Verbowski and Aaron Johnson, “Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files,” Microsoft Research Technical Report MSR-TR-2004-71, Jul. 24, 2004 (15 pages).
Wang, Yi-Min, Doug Beck, Binh Vo, Roussi Roussev and Chad Verbowski, “Detecting Stealth Software with Strider GhostBuster,” Microsoft Research Technical Report MSR-TR-2005-25, Feb. 21, 2005 (11 pages).
Wang, Yi-Min, Roussi Roussev, Chad Verbowski, Aaron Johnson and David Ladd, “AskStrider: What Has Changed on My Machine Lately?,” Microsoft Research Technical Report MSR-TR-2004-03, Jan. 5, 2004 (13 pages).
Kodmaker@syshell.org, “NTIllusion: A Portable Win 32 userland rootkit,” Phrack Inc., Jul. 13, 2004 (28 pages) http://www.phrack.org/show.php?p=62&a=12.
holy—father@phreaker.net, “Invisibility on NT boxes—How to become unseen on Windows NT,” Code Breakers Journal, vol. 1, No. 2 (2004), May 8, 2003 (26 pages).
NTQuerySystemInformation, Microsoft, Copyright 2005 (4 pages) http://msdn.microsoft.com/library/en-s/sysinfo/base
tquerysysteminformation.asp?frame=true.
Schneier, Bruce, “Schneier on Security: GhostBuster:—A weblog covering security and security technology,” Feb. 15, 2005 http://www.schneier.com/blog/archives/2005/02/ghostbuster.html.
Wang, Yi-Min and Doug Beck, “How to ‘Root’ a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner,” Microsoft Research Technical Report MSR-TR-2005-21, Feb. 11, 2005 (2 pages).
Altunergil, Oktay, “Scanning for Rootkits,” Linux Devcenter.com, Feb. 7, 2002 (8 pages).
www.phrack.org, Phrack 62 download, 337kb, Jul. 13, 2004, pp. 1-28.
Beck Douglas Reed
Johnson Aaron Roy
Roussev Roussi A.
Verbowski Chad E.
Vo Binh Dou
Microsoft Corporation
Paliwal Yogesh
Perkins Coie LLP
Vu Kimyen
LandOfFree
Method and system for detecting infection of an operating... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for detecting infection of an operating..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for detecting infection of an operating... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-4118694