SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING PRESENCE OF MALICIOUS SOFTWARE RUNNING ON A COMPUTER SYSTEM
A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to enumerate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to enumerate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system.
The present invention relates to computer systems and software, and more specifically to a technique for detecting presence of malicious software, such as, a malicious service agent running on a computer system.
BACKGROUND OF THE INVENTION
Unwanted software and malware frequently use complex techniques to hide their installation from users of the host. Various technologies have been proposed to detect “rootkits” and other stealth install techniques. These existing techniques require querying the host through local means, in both a powered and an unpowered state. These techniques, and in particular the process of assessing a host in an unpowered state, are highly disruptive and time consuming. As such, there is a need for administrators to effectively identify the presence of such installations without powering down the host.
SUMMARY OF THE INVENTION
The present invention resides in a system, method and program product for detecting presence of malicious software and malware, using a program or tool, in accordance with an embodiment of the invention. The method includes locally querying a computer system to enumerate a local inventory of tasks and network services currently running on the computer system in order to detect presence of a malicious service agent running on the computer system, wherein the local inventory of tasks and network services enumerated includes respective ports in use on the computer system and remotely querying via a network the computer system from a remote computer system to enumerate a remote inventory of tasks and network services currently running on the computer system in order to detect presence of the malicious service agent running on the computer system, wherein the remote inventory of tasks and network services enumerated includes respective ports in use on the computer system. Further, the method includes collecting each of the local inventory of tasks and network services enumerated and collecting each of the remote inventory of tasks and network services enumerated and comparing the local inventory of tasks and network services enumerated with the remote inventory of tasks and network services enumerated to identify any discrepancies between the local inventory of tasks and network services enumerated and the remote inventory of tasks and network services enumerated for detecting presence of the malicious service agent running on the computer system. In an embodiment, the locally querying step further includes providing a first tool for locally detecting presence of the malicious service agent running on the computer system and utilizing the first tool to conduct a local scan of the computer system to locally query the computer system.
In an embodiment, the remotely querying step further includes providing a second tool for remotely detecting presence of the malicious service agent running on the computer system and utilizing the second tool to conduct a remote scan of the computer system to remotely query the computer system. In an embodiment, a port of the respective ports includes at least one of: an open port, a closed port and a filtered port. In an embodiment, the method further includes flagging the computer system having any discrepancies identified for conducting further tests to evaluate any discrepancies identified for determining presence of the malicious service agent running on the computer system.
The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention:
Many of the functional units described in this specification have been labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module or component of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Further, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, over disparate memory devices, and may exist, at least partially, merely as electronic signals on a system or network.
Furthermore, modules may also be implemented as a combination of software and one or more hardware devices. For instance, a module may be embodied in the combination of software executable code stored on a memory device. In a further example, a module may be the combination of a processor that operates on a set of operational data. Still further, a module may be implemented in the combination of an electronic signal communicated via transmission circuitry.
Reference throughout this specification to “one embodiment,” “an embodiment,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Moreover, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. Reference will now be made in detail to the preferred embodiments of the invention.
In one embodiment, the invention provides a system for detecting presence of malicious software and malware running on a computer system or host system, in accordance with an embodiment of the invention. Reference is now made to
Reference is now made to
Reference is now made to
Reference is now made to
Referring now to
In general, the host system 504 is connected via a network to infrastructure 502. The host system 504 includes the local scanning tool or agent program 514 that is run on the host system 504 for performing a local scan of the tasks and network services currently running on the host computer system 504. Further, as shown in
The host computer system or server 504 is shown to include a CPU (hereinafter “processing unit 506”), a memory 512, a bus 510, and input/output (I/O) interfaces 508. Further, the server 504 is shown in communication with external I/O devices/resources 520 and storage system 522. In general, processing unit 506 executes computer program code stored in memory 512, such as the local scanning agent program or tool 514, to determine the tasks and services currently running on the computer system 504. In an embodiment, the local scanning results 524 produced by the execution of the local scanning agent program or tool 514 are stored in storage 522. Although not shown in
Computer infrastructure 502 is only illustrative of various types of computer infrastructures for implementing the invention. For example, in one embodiment, computer infrastructure 502 may comprise two or more server groups or clusters that communicate over a network to perform the various process steps of the invention. Moreover, computer system 500 is only representative of various possible computer systems that can include numerous combinations of hardware. To this extent, in other embodiments, computer system 500 can comprise any specific purpose computing article of manufacture comprising hardware and/or computer program code for performing specific functions, any computing article of manufacture that comprises a combination of specific purpose and general purpose hardware/software, or the like. In each case, the program code and hardware can be created using standard programming and engineering techniques, respectively. Moreover, processing unit 506 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server. Similarly, memory 512 and/or storage system 522 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations. Further, I/O interfaces 508 can comprise any system for exchanging information with one or more external devices 520. Still further, it is understood that one or more additional components (e.g., system software, math co-processing unit, etc.) not shown in
Storage systems 522, 536 and 546 can be any type of system (e.g., a database) capable of providing storage for information under the present invention. To this extent, storage systems 522, 536 and 546 could include one or more storage devices, such as a magnetic disk drive or an optical disk drive. In another embodiment, systems 522, 536 and 546 include data distributed across, for example, a local area network (LAN), wide area network (WAN) or a storage area network (SAN) (not shown). Although not shown, additional components, such as cache memory, communication systems, system software, etc., may be incorporated into computer system 500.
In another embodiment, the invention provides a method or process for detecting the presence of malicious software and malware running on a computer system or host computer system, in accordance with an embodiment of the invention. Reference is now made to
Reference is now made to
Reference is now made to
Accordingly, the invention provides a system, method and a program product for detecting the presence of malicious software and malware running on a computer system or host computer system, in accordance with an embodiment of the invention. The invention requires the ability to interrogate the host computer system both locally and remotely. Local interrogation could be conducted through a locally installed agent (user or administrator-level access), or through standard network service interrogation techniques that typically require administrative-level access. Remote service interrogation of the host computer system can be conducted with standard port scanning and vulnerability scanning technologies. The device labeled “suspicious host” may or may not originally be “suspicious”, and the interrogation of the host may be a routine or scheduled event for preemptive detection of malicious activities and installation of unwanted services. Local host enumeration of network services could be achieved through the use of default operating system query tools or custom tools. The network interrogator may use standard remote port scanning techniques to identify open ports and enumerate the services behind them. The results correlation engine could be a stand-alone device, part of the network interrogator toolset, or part of an additional software suite whose purpose is to act upon any discrepancies identified between the “local scanning results” and the “remote network scanning results”.
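The following is an added example of the results correlation engine described above and in the summary; it is not code from the patent or from IBM. It assumes (hypothetically) that the local inventory is captured as `ss -lntup` text on the suspicious host, that the remote inventory is nmap grepable output (`nmap -oG -`) from the network interrogator, and that the port states follow the open/closed/filtered vocabulary of the claims. Both inventories embedded below are constructed sample data; the hidden listener on 4444/tcp is planted to show what a discrepancy looks like.

```python
"""Results correlation engine: local service inventory vs. remote port scan.
Added example, not the patent's own code. Hypothetical assumptions: the local
inventory is `ss -lntup` text captured on the suspicious host, the remote one is
nmap grepable output (`nmap -oG -`) from the scanner; both samples are constructed."""
import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

@dataclass(frozen=True)
class LocalListener:
    proto: str      # "tcp" or "udp"
    port: int
    bind_addr: str  # address the socket is bound to, as printed by ss
    process: str    # owning process name, "" if ss could not report one

@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    severity: str   # "flag": discrepancy for further tests; "info": explainable
    reason: str

# Constructed sample of `ss -lntup` on the suspicious host (local inventory).
LOCAL_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=1410,fd=21))
tcp   LISTEN 0      128          0.0.0.0:8443      0.0.0.0:*     users:(("java",pid=2210,fd=40))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*     users:(("chronyd",pid=640,fd=5))
"""

# Constructed sample of `nmap -oG -` from the scanner (remote inventory).
# 4444/tcp answers on the network, but no local process admits to owning it.
REMOTE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p T:22,80,443,3306,4444,U:123 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 3306/closed/tcp//mysql///, 4444/open/tcp//krb524///, 123/open|filtered/udp//ntp///
# Nmap done
"""

SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(.*)$")
SS_PROC = re.compile(r'\("([^"]+)"')

def parse_ss(text):
    """Local inventory: one LocalListener per listening-socket line."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            proto, addr, port, rest = m.groups()
            pm = SS_PROC.search(rest)
            listeners.append(LocalListener(proto, int(port), addr, pm.group(1) if pm else ""))
    return listeners

def parse_nmap_grepable(text):
    """Remote inventory: {(proto, port): state} from 'port/state/proto/...' entries."""
    ports = {}
    for line in text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            fields = line.split("Ports:", 1)[1].split("\t", 1)[0]  # drop "Ignored State:" etc.
            for entry in fields.split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3:
                    ports[(parts[2], int(parts[0]))] = parts[1]
    return ports

def correlate(local, remote):
    """Flag proto/port pairs where the two inventories disagree. Consistent cases
    (open with a reachable owner, closed with none or loopback-only, UDP
    open|filtered) produce no finding."""
    local_by_key = {}
    for l in local:
        local_by_key.setdefault((l.proto, l.port), []).append(l)
    findings = []
    for key, state in sorted(remote.items()):
        owners = local_by_key.get(key, [])
        reachable = [l for l in owners if l.bind_addr not in LOOPBACK]
        if state == "open" and not owners:
            findings.append(Finding(*key, "flag", "open on the network but absent from the "
                "local inventory: possible hidden listener (malicious service agent or rootkit)"))
        elif state == "open" and not reachable:
            findings.append(Finding(*key, "flag", "loopback-only bind locally, yet open "
                "remotely: the local bind address may be misreported"))
        elif state == "closed" and reachable:
            findings.append(Finding(*key, "flag", "non-loopback listener locally but closed "
                "remotely: check the scan path (firewall REJECT) or tampered local output"))
        elif state == "filtered" and reachable:
            findings.append(Finding(*key, "info", "listening locally, filtered remotely: "
                "consistent with a host firewall drop"))
    for key, owners in sorted(local_by_key.items()):
        if key not in remote and any(l.bind_addr not in LOOPBACK for l in owners):
            findings.append(Finding(*key, "info", "non-loopback listener not covered by the "
                "remote scan: widen the port range"))
    return findings

def run_example():
    return correlate(parse_ss(LOCAL_SS_OUTPUT), parse_nmap_grepable(REMOTE_NMAP_OUTPUT))

if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.proto}/{f.port}: {f.reason}")
```

Two caveats a practitioner would apply before acting on a "flag". The remote scan only sees what the scanner's vantage point can reach, so a network firewall between interrogator and host turns every port into "filtered" and hides discrepancies; the scanner should sit where the attacker's traffic would. And the two inventories are snapshots: if they are taken minutes apart, short-lived sockets show up as spurious differences, so the local agent run and the remote scan should be scheduled to overlap, and any flagged port re-checked before the host is escalated for the further tests the claims describe.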
The foregoing descriptions of specific embodiments of the present invention have been presented for the purpose of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto and their equivalents.
Claims
1. A method of detecting presence of a malicious service agent running on a computer system, said method comprising the steps of:
- locally querying a computer system to enumerate a local inventory of tasks and network services currently running on said computer system in order to detect presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- remotely querying via a network said computer system from a remote computer system to enumerate a remote inventory of tasks and network services currently running on said computer system in order to detect presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- collecting each of said local inventory of tasks and network services enumerated and collecting each of said remote inventory of tasks and network services enumerated; and
- comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system.
2. The method according to claim 1, wherein said locally querying step further comprises the steps of:
- providing a first tool for locally detecting presence of said malicious service agent running on said computer system; and
- utilizing said first tool to conduct a local scan of said computer system to locally query said computer system.
3. The method according to claim 2, wherein said remotely querying step further comprises the steps of:
- providing a second tool for remotely detecting presence of said malicious service agent running on said computer system; and
- utilizing said second tool to conduct a remote scan of said computer system to remotely query said computer system.
4. The method according to claim 3, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
5. The method according to claim 4, further comprising:
- flagging said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said computer system.
6. A system for detecting presence of a malicious service agent running on a host computer system, comprising:
- a network communications channel;
- a host computer system connected to said network communications channel;
- a first tool for locally detecting presence of a malicious service agent on said host computer system, said first tool being installed locally on said host computer system to conduct a local scan of said host computer system;
- a remote computer system connected to said network communications channel;
- a second tool for remotely detecting presence of said malicious service agent on said host computer system, said second tool being installed on said remote computer system for conducting a remote scan of said host computer system; and
- a results correlation engine for correlating results collected from said local scan of said host computer system and said remote scan of said host computer system, said results correlation engine identifying any discrepancies between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.
7. The system according to claim 6, further comprising:
- a third tool for providing a discrepancy report, said discrepancy report reporting said any discrepancies identified between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.
8. The system according to claim 7, wherein said first tool locally queries said host computer system to enumerate a local inventory of tasks and network services currently running on said host computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said local inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
9. The system according to claim 8, wherein said second tool remotely queries said host computer system to enumerate a remote inventory of tasks and network services currently running on said host computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
10. The system according to claim 9, further comprising a fourth tool for flagging said host computer system having said any discrepancies identified in order to conduct further tests to evaluate said any discrepancies for verifying presence of said malicious service agent running on said host computer system.
11. A computer program product for detecting presence of a malicious service agent running on a host computer system, said computer program product comprising:
- a computer readable storage medium;
- first program instructions to locally query a computer system for enumeration of a local inventory of tasks and network services currently running on said computer system for detecting presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- second program instructions to remotely query via a network said computer system from a remote computer system for enumeration of a remote inventory of tasks and network services currently running on said computer system for detecting presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- third program instructions to collect each of said local inventory of tasks and network services enumerated and to collect each of said remote inventory of tasks and network services enumerated;
- fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system, and wherein said first, second, third and fourth program instructions are recorded on said computer readable storage medium.
12. The computer program product according to claim 11, further comprising:
- fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are recorded on said computer readable medium.
13. The computer program product according to claim 12, wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.
14. The computer program product according to claim 13, wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.
15. The computer program product according to claim 14, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
16. A computer system for detecting presence of a malicious service agent running on a host computer system, comprising:
- first program instructions to locally query a computer system for enumeration of a local inventory of tasks and network services currently running on said computer system for detecting presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- second program instructions to remotely query via a network said computer system from a remote computer system for enumeration of a remote inventory of tasks and network services currently running on said computer system for detecting presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system;
- third program instructions to collect each of said local inventory of tasks and network services enumerated and to collect each of said remote inventory of tasks and network services enumerated;
- fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system;
- a computer readable storage medium for storing each of said first, second, third and fourth program instructions; and
- a central processing unit for executing each of said first, second, third and fourth program instructions.
17. The computer system according to claim 16, further comprising fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are stored on said computer readable storage medium for execution by said central processing unit.
18. The computer system according to claim 17, wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.
19. The computer system according to claim 18, wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.
20. The computer system according to claim 19, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
21. A process for deploying computing infrastructure comprising integrating computer-readable code into a computing system, wherein said code in combination with said computing system is capable of detecting presence of a malicious service agent running on a host computer system, said process comprising the steps of:
- locally running a first tool on a host computer system for conducting a local scan of said host computer system, said local scan enumerating a local inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system;
- remotely running a second tool on said host computer system for conducting a remote scan of said host computer system, said remote scan enumerating a remote inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system; and
- correlating results collected from said local scan and said remote scan of said host computer system to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said host computer system.
22. The process according to claim 21, wherein said correlating step includes the step of:
- comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify said any discrepancies.
23. The process according to claim 22, wherein a port of said respective ports enumerated in each of said local inventory of tasks and network services currently running on said host computer system and said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
24. The process according to claim 23, further comprising:
- providing a discrepancy report for reporting said any discrepancies identified for evaluating presence of said malicious service agent running on said host computer system.
25. The process according to claim 24, further comprising:
- flagging said host computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said host computer system.
Type: Application
Filed: Oct 29, 2008
Publication Date: Apr 29, 2010
Applicant: International Business Machines Corporation (Armonk, NY)
Inventor: Gunter Ollmann (Norcross, GA)
Application Number: 12/261,026
International Classification: G06F 21/00 (20060101); G06F 17/30 (20060101); G06F 12/14 (20060101);