US20100107257A1

US20100107257A1 - System, method and program product for detecting presence of malicious software running on a computer system

Info

Publication number: US20100107257A1
Application number: US12/261,026
Authority: US
Inventors: Gunter Ollmann
Original assignee: International Business Machines Corp
Current assignee: Kyndryl Inc
Priority date: 2008-10-29
Filing date: 2008-10-29
Publication date: 2010-04-29
Also published as: US8931096B2; US20120084862A1; US9251345B2; KR20110076976A; EP2294786B1; CA2719495C; JP5490127B2; US20150074812A1; CA2719495A1; WO2010049273A2; EP2294786A2; WO2010049273A3; JP2012507094A; CN102171987A

Abstract

A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to enumerate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to enumerate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system.

Description

FIELD OF THE INVENTION

The present invention relates to computer systems and software, and more specifically to a technique for detecting presence of malicious software, such as, a malicious service agent running on a computer system.

BACKGROUND OF THE INVENTION

Unwanted software and malware frequently use complex techniques to hide their installation from users of the host. Various technologies have been proposed to detect “rootkits” and other stealth install techniques. These existing techniques require the querying of the host through local means in a powered and unpowered state. These existing techniques, in particular the process of assessing a host in an unpowered state is highly disruptive and time consuming. As such, there is a need for administrators to effectively identify the presence of such installations without powering down the host.

SUMMARY OF THE INVENTION

The present invention resides in a system, method and program product for detecting presence of malicious software and malware, using a program or tool, in accordance with an embodiment of the invention. The method includes locally querying a computer system to enumerate a local inventory of tasks and network services currently running on the computer system in order to detect presence of a malicious service agent running on the computer system, wherein the local inventory of tasks and network services enumerated includes respective ports in use on the computer system and remotely querying via a network the computer system from a remote computer system to enumerate a remote inventory of tasks and network services currently running on the computer system in order to detect presence of the malicious service agent running on the computer system, wherein the remote inventory of tasks and network services enumerated includes respective ports in use on the computer system. Further, the method includes collecting each of the local inventory of tasks and network services enumerated and collecting each of the remote inventory of tasks and network services enumerated and comparing the local inventory of tasks and network services enumerated with the remote inventory of tasks and network services enumerated to identify any discrepancies between the local inventory of tasks and network services enumerated and the remote inventory of tasks and network services enumerated for detecting presence of the malicious service agent running on the computer system. In an embodiment, the locally querying step further includes providing a first tool for locally detecting presence of the malicious service agent running on the computer system and utilizing the first tool to conduct a local scan of the computer system to locally query the computer system. In an embodiment, the remotely querying step further includes providing a second tool for remotely detecting presence of the malicious service agent running on the computer system and utilizing the second tool to conduct a remote scan of the computer system to remotely query the computer system. In an embodiment, a port of the respective ports includes at least one of: an open port, a closed port and a filtered port. In an embodiment, the method further includes flagging the computer system having any discrepancies identified for conducting further tests to evaluate any discrepancies identified for determining presence of the malicious service agent running on the computer system.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention:

FIG. 1 is a schematic block diagram illustrating one embodiment of a system for detecting presence of malicious software and malware running on a computer system, in accordance with an embodiment of the present invention.

FIG. 2 depicts an embodiment of a computer system having deployed thereon a local scanning tool for performing a local scan of the computer system for detecting presence of malicious software and malware running on the computer system, in accordance with an embodiment of the present invention.

FIG. 3 depicts an embodiment of a computer system having deployed thereon a remote scanning tool for performing a remote scan of a remote computer system for detecting presence of malicious software and malware running on the remote computer system, in accordance with an embodiment of the present invention.

FIG. 4 depicts an embodiment of a computer system having deployed thereon a results correlation engine or program for performing analysis or evaluation of the local scanning results received and the remote scanning results received for detecting presence of malicious software and malware running on a computer system, in accordance with an embodiment of the present invention.

FIG. 5 depicts a computer infrastructure for detecting presence of malicious software and malware running on a computer system, in accordance with an embodiment of the present invention.

FIG. 6 depicts a flowchart outlining the steps performed by a host computer system for locally detecting presence of malicious software and malware running on the host computer system, in accordance with an embodiment of the present invention.

FIG. 7 depicts a flowchart outlining the steps performed by a remote computer system for remotely detecting presence of malicious software and malware running on the host computer system, in accordance with an embodiment of the present invention.

FIG. 8 depicts a flowchart outlining the overall steps performed by a results correlation computer system for detecting presence of malicious software and malware running on the host computer system, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Many of the functional units described in this specification have been labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module or component of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Further, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, over disparate memory devices, and may exist, at least partially, merely as electronic signals on a system or network.
Furthermore, modules may also be implemented as a combination of software and one or more hardware devices. For instance, a module may be embodied in the combination of a software executable code stored on a memory device. In a further example, a module may be the combination of a processor that operates on a set of operational data. Still further, a module may be implemented in the combination of an electronic signal communicated via transmission circuitry.
Reference throughout this specification to “one embodiment,” “an embodiment,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Moreover, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. Reference will now be made in detail to the preferred embodiments of the invention.
In one embodiment, the invention provides a system for detecting presence of malicious software and malware running on a computer system or host system, in accordance with an embodiment of the invention. Reference is now made to FIG. 1, reference numeral 100, which schematically illustrates an embodiment of a system for detecting presence of malicious software and malware, such as, a malicious service agent running on a computer system, in accordance with an embodiment of the invention. As shown in FIG. 1, the system infrastructure 100 includes a first host computer system 102 that is remotely connected to a network 120. In an embodiment, the first host computer system 102 has a local interrogation agent program or local scanning agent or tool installed thereon for conducting a local query or interrogation of the first host computer system 102. The local interrogation agent or software is run on the first computer system 102 to determine local tasks and network services currently running on the first host computer system 102. Further, the system infrastructure 100 includes a second host computer 104 that is also connected to the network 120 and is remote to the first host computer system 102. In an embodiment, the second host computer 104 includes a network interrogation tool for conducting a remote query or interrogation of the first host computer system 102 for enumerating a remote inventory of tasks and network services currently running on the first host computer system 102. Further, the system infrastructure 100 includes a third computer system 106 connected to the network 120, the third computer system 106 having a results correlation engine deployed thereon for correlating results received from the first computer system 102 and the second computer system 104. In an embodiment, the third computer system 106 collects results of the local query or interrogation conducted by the first host computer system 102. Further, the third computer system 106 also collects results of the remote query or interrogation conducted by the second host computer system 104 on the first host computer system 102. Furthermore, the results correlation engine deployed on the third computer system 106 compares the local inventory of tasks and network services results enumerated by the first host computer system 102 with the remote inventory of tasks and network services results enumerated by the second host computer system 104 to identify any discrepancies between the local inventory results obtained from the first host computer system 102 and the remote inventory results obtained from the second host computer system 104 for detecting presence of any malicious software, such as, a malicious service agent running on the first host computer system 102. Further, in an embodiment, the third computer system 106 includes a reporting tool for generating a discrepancy report 108 that identifies any discrepancies between the local scan performed by the first host computer system 102 and the remote scan performed by the second host computer system 104 on the first host computer system 102 for detecting presence of any malicious software running on the first host computer system 102.
Reference is now made to FIG. 2, reference numeral 200, which depicts an embodiment of a host computer system or server (for instance, the host computer system 102 shown in FIG. 1) having deployed thereon a computer program product, namely, a local scanning agent program or tool for conducting a local scan or interrogation of the host computer system suspected of having malicious software running thereon, in accordance with an embodiment of the present invention. In an embodiment, the local scanning tool or program 220 is run within the host computer system or server 200. Preferably, the computer system 200 is a computer system or server that includes a central processing unit (CPU) 204, a local storage device 202, a user interface 206, a network interface 208, and a memory 210. The CPU 204 is configured generally to execute operations within the host system/server 200. The user interface 206, in one embodiment, is configured to allow a user or operator to interact with the computer system or server 200, including allowing input of commands and/or data for conducting a local scan of the computer system 200. The network interface 208 is configured, in one embodiment, to facilitate network communications of the host system or server 200 over a communications channel of a network, such as the network 120, shown in FIG. 1. In an embodiment, the memory 210 is configured to store one or more applications or programs 212, such as, word processing application(s), spreadsheet application(s), etc. In one embodiment, as shown in FIG. 2, the local scanning agent program or tool 220 which runs on the host server or system 200 comprises a logic unit that contains a plurality of modules configured to functionally execute the necessary steps of performing a local scan of the host computer system 200 for enumerating a local inventory of tasks and network services running on the host computer system. In an embodiment, shown in FIG. 2, the local scanning tool or agent program 220 running on the host computer system 200 includes an initiation module 222, a tasks module 224, a network services module 226, a list generation module 228, a results log module 230, a forwarding module 232 and a communication module 234. In an embodiment, the initiation module 222 is configured to initiate a local scan of the host computer system 200. The tasks module 224 is configured to enumerate or list all the tasks running on the host computer system 200. Further, the network services module 226 is configured to enumerate or list all the network services running on the host computer system 200. In an embodiment, the list generation module 228 is configured to generate a list enumerating all of the tasks and network services running on the host computer system. The results log module 230 is configured to generate a log of the results of the local scan conducted on the host computer system. In an embodiment, the local scan results log 214 generated by the results log module 230 are stored in a local storage 202 within the host computer system 200. The forwarding module 232 is configured to forward the results of the local scan performed on the host computer system 200 to another computer system comprising a results correlation engine (for instance, computer system 400, shown in FIG. 4) for evaluating the local scan results received from the host computer system 200. The communication module 234 is configured to permit communication between the various modules of the local scanning tool 220, memory 210, local storage 202 and with external computer systems, such as, the computer system comprising the results correlation engine, which is connected to the host computer system over a network.
Reference is now made to FIG. 3, reference numeral 300, which depicts an embodiment of a remote host computer system or server (for instance, the remote host computer system 104 shown in FIG. 1) having deployed thereon a computer program product, namely, a remote scanning agent program or tool for opening connections with the first host computer system and for conducting a remote scan or interrogation of the first host computer system suspected of having malicious software running thereon, in accordance with an embodiment of the present invention. In an embodiment, the remote scanning tool or program 320 is run within the second host computer system or server 300. Preferably, the computer system 300 is a computer system or server that includes a central processing unit (CPU) 304, a storage device 302, a user interface 306, a network interface 308, and a memory 310. The CPU 304 is configured generally to execute operations within the host system/server 300. The user interface 306, in one embodiment, is configured to allow a user or operator to interact with the computer system or server 300, including allowing input of commands and/or data for conducting a remote scan of a host computer system remote to the computer system 300, such as, the computer system 200, shown in FIG. 2. The network interface 308 is configured, in one embodiment, to facilitate network communications of the host system or server 300 over a communications channel of a network, such as the network 120, shown in FIG. 1. In an embodiment, the memory 310 is configured to store one or more applications or programs 312, such as, word processing application(s), spreadsheet application(s), etc. In one embodiment, as shown in FIG. 3, the local scanning agent program or tool 320 which runs on the host server or system 300 comprises a logic unit that contains a plurality of modules configured to functionally execute the necessary steps of performing a remote scan of the remote computer system 200 (FIG. 2) for enumerating a remote inventory of tasks and network services running on the remote host computer system 200. In an embodiment, shown in FIG. 3, the remote scanning tool or agent program 320 running on the host computer system 300 includes an initiation module 322, a tasks module 324, a network services module 326, a list generation module 328, a results log module 330, a forwarding module 332 and a communication module 334. In an embodiment, the initiation module 322 is configured to initiate a remote scan of all ports of the remote host computer system 200 over a network. The tasks module 324 is configured to enumerate or list all the tasks running on the remote host computer system 200. Further, the network services module 326 is configured to enumerate or list all the network services running on the remote host computer system 200. In an embodiment, the list generation module 328 is configured to generate a list enumerating all of the tasks and network services running on the remote host computer system 200. The results log module 330 is configured to generate a log of the results of the remote scan conducted on the remote host computer system 200. In an embodiment, the remote scan results log 314 generated by the results log module 330 are stored in a local storage 302 within the host computer system 300. The forwarding module 332 is configured to forward the results of the remote scan performed on the remote host computer system 200 to another computer system comprising a results correlation engine (for instance, computer system 400, shown in FIG. 4) for evaluating the remote scan results received from the host computer system 300. The communication module 334 is configured to permit communication between the various modules of the remote scanning tool 320, memory 310, local storage 302 and with external computer systems, such as, the computer system 400 (shown in FIG. 4) comprising the results correlation engine, which is connected to the host computer system 300 over a network.
Reference is now made to FIG. 4, reference numeral 400, which depicts an embodiment of a computer system or server (for instance, the computer system 106 shown in FIG. 1) having deployed thereon a computer program product, namely, a results correlation program or tool or engine 420 for correlating local scan results received from a first host computer system or server and remote scan results of the first host computer system received from a second host computer system or server for detecting presence of any malicious software running on the first computer system, in accordance with an embodiment of the present invention. Preferably, the computer system 400 is a computer system or server that includes a central processing unit (CPU) 404, a storage device 402, a user interface 406, a network interface 408, and a memory 410. The CPU 404 is configured generally to execute operations within the host system/server 400. The user interface 406, in one embodiment, is configured to allow a user or operator to interact with the computer system or server 400, including allowing input of commands and/or data for collecting scan results from one or more computer systems or servers, such as, computer system 200 (FIG. 2) and/or computer system 300 (FIG. 3). The network interface 408 is configured, in one embodiment, to facilitate network communications of the computer system or server 400 over a communications channel of a network, such as the network 120, shown in FIG. 1. In an embodiment, the memory 410 is configured to store one or more applications or programs 412, such as, word processing application(s), spreadsheet application(s), etc. In one embodiment, as shown in FIG. 4, the results correlation program or tool 420 which runs on the computer server or system 400 comprises a logic unit that contains a plurality of modules configured to functionally execute the necessary steps of performing an evaluation of the scanning results received from both the local host computer system 200 (FIG. 2) and the remote host computer system 300 (FIG. 3) for detecting presence of any malicious software or malware running on the host computer system 200. In an embodiment, shown in FIG. 4, the results correlation program or tool 420 running on the computer system or server 400 includes a receiving module 422, a comparison module 424, an evaluation module 426, a flag module 428, a report generation module 430, and a communication module 432. In an embodiment, the receiving module 422 is configured to receive both local scan results from a host computer server or system that is suspected of having malicious software or malware running thereon and remote scan results from a remote computer system or server that conducts a remote scan of the host computer system or server over a network. The comparison module 424 is configured to compare the list of all the tasks enumerated to be running on the host computer system 200 as a result of the local scan performed with the list of all the remote tasks enumerated to be running on the host computer system 200 as a result of the remote scan performed on the host computer system 200. In an embodiment, the comparison module 424 compares the service listings obtained from the local port by the local computer system versus the service listings obtained remotely from the same port by the remote computer system. Further, the evaluation module 426 is configured to evaluate the comparisons conducted by the comparison module 424 in order to generate correlation results stored in the correlation results log 414 in local storage 402 as to whether or not there are any discrepancies found between the local scanning results and the remote scanning results. The flag module 428 is configured to flag the computer system suspected of having malicious software or malware running thereon as a result of the evaluation conducted by the evaluation module 426. The report generation module 430 is configured to generate a discrepancy report enumerating the discrepancies found between the local scan and the remote scan evaluated by the computer system 400. In an embodiment, the communication module 432 is configured to permit communication between the various modules of the results correlation tool 420, memory 410, local storage 402 and with external computer systems, such as, the computer system 200 (shown in FIG. 2) and the computer system 300 (FIG. 3), which are connected to the computer system 400 over a network.
Referring now to FIG. 5, there is illustrated a system 500 within an infrastructure 502 that includes a server or computer system 504 that has deployed thereon a computer program product, namely, the local scanning agent program or tool 514, which implements the invention for dynamically performing a local scan of the computer system 504, in accordance with an embodiment of the present invention. The computer program product comprises a computer readable or computer-usable storage medium, which provides program code namely, the local scanning agent program or tool 514, for use by or in connection with a computer server or computer system or any instruction execution system. The local scanning program or tool 514 can be loaded into memory 514 of the host computer system 504 from a computer readable storage medium or media reference numeral 516, such as, a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. or downloaded from the server via a network adapter card (reference numerals 518) installed on the respective systems or servers. As depicted in FIG. 5, system 500 includes a computer infrastructure 502, which is intended to represent any type of computer architecture that is maintained in a secure environment (i.e., for which access control is enforced). Further, as shown, infrastructure 502 includes a computer server or system 504 that typically represents an application server or system 504 or the like that includes a local scanning agent program or tool 514. It should be understood, however, that although not shown, other hardware and software components (e.g., additional computer systems, routers, firewalls, etc.) could be included in infrastructure 502.
In general, the host system 504 is connected via a network to infrastructure 502. The host system 504 includes the local scanning tool or agent program 514 that is run on the host system 504 for performing a local scan of the tasks and network services currently running on the host computer system 504. Further, as shown in FIG. 5, the host system 504 (computer system 102 in FIG. 1) can communicate with computer server or system 530 (computer system 104 in FIG. 1) and/or computer server or system 540 (computer system 106 in FIG. 1) over a network (reference numeral 120 in FIG. 1), as discussed herein above with respect to FIG. 1. For instance, the computer system or server 530 can interface with infrastructure 502 in order to run a remote scan of the computer system or server 504 using a remote scanning program or tool 534 that is loaded into the local memory 533 of the host computer system 530 from a computer readable storage medium or media reference numeral 532, such as, a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. or downloaded from the server via a network adapter card (reference numerals 554) installed on the respective system or server 530. Similarly, the computer system or server 540 can interface with infrastructure 502 in order to receive results of the local scan performed by system or server 504 and can receives results of the remote scan of the computer system or server 504 performed by the server 530. In an embodiment, a results correlation too or program is loaded into the local memory 543 of the host computer system 540 from a computer readable storage medium or media reference numeral 542, such as, a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. or downloaded from the server via a network adapter card (reference numerals 556) installed on the respective system or server 540. As such, the computer system or server 540 receive results of the local scan conducted by the computer system 504 and the results of the remote scan conducted by the computer system 530 of computer system 504 and can compare the local scan results with the remote scan results to determine whether or not the host system 504 may be running a malicious software or malware. It should be understood that under the present invention, infrastructure 502 could be owned and/or operated by a party such as provider 526, or by an independent entity. Regardless, use of infrastructure 502 and the teachings described herein could be offered to the parties on a subscription or fee-basis.
The host computer system or server 504 is shown to include a CPU (hereinafter “processing unit 506”), a memory 512, a bus 510, and input/output (I/O) interfaces 508. Further, the server 504 is shown in communication with external I/O devices/resources 520 and storage system 522. In general, processing unit 506 executes computer program code stored in memory 512, such as the local scanning agent program or tool 514 to determine the tasks and services currently running on the computer system 504. In an embodiment, the local scanning results 524 produced by the execution of the local scanning agent program or tool 514 is stored in storage 522. Although not shown in FIG. 5, the computer systems or servers 530 and 540 each include a CPU, a memory, a bus, and input/output (I/O) interfaces, similar to computer system 504. Further, the server 530 is in communication with external I/O devices/resources (not shown) and storage system 536, whereas, computer system or server 540 is in communication with I/O devices or resources (not shown) and storage system 546. In general, processing unit 506 executes computer program code stored in memory 512, such as the local scanning agent program or tool 514 to determine the tasks and services currently running on the computer system 504, whereas, the processing unit of computer system 530 executes computer program code stored in memory 533, such as, the remote scanning agent program 534 to determine tasks and services running on the computer system 504. Similarly, the processing unit of computer system 540 executes computer program code stored in memory 543, such as, the results correlation tool or program 544 to determine any discrepancies between the local scan and the remote scan of the computer system 504. Further, in an embodiment, the local scanning results 524 produced by the execution of the local scanning agent program or tool 514 running on computer system 504 is stored in storage 522, whereas, the remote scanning results 538 produced by the execution of the remote scanning agent 534 is stored in storage 536 of computer system 530, and whereas, the correlation results 548 performed by the execution of the results correlation tool 544 on computer system 540 is stored in storage 546 of computer system 540. While executing the local scanning tool or program 514 on the computer system 504, the processing unit 506 can read and/or write data, to/from memory 512, storage system 522, and/or I/O interfaces 508, such as, the local scanning results 524 stored in storage 522. Alternatively, the local scanning tool 514 may store the local scanning results 524 in memory 512. Bus 510 provides a communication link between each of the components in computer system 500, such that information can be communicated within the infrastructure 502. External devices 524 can comprise any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with computer system 500 and/or any devices (e.g., network card, modem, etc.) that enable host system 504 to communicate with one or more other computing devices, such as, servers 530 and/or 540. Similarly, while executing the remote scanning tool or program 534 on the computer system 530, the processing unit can read and/or write data, to/from memory 533, storage system 536, such as, the local scanning results 538 stored in storage 536. Alternatively, the remote scanning tool 534 may store the remote scanning results 538 in memory 533. Further, while executing the results correlation tool or program 544 on the computer system 540, the processing unit can read and/or write data, to/from memory 543, storage system 546, such as, the correlation results 548 stored in storage 546. Alternatively, the results correlation tool 544 may store the correlation results 548 in memory 543
Computer infrastructure 502 is only illustrative of various types of computer infrastructures for implementing the invention. For example, in one embodiment, computer infrastructure 502 may comprise two or more server groups or clusters that communicate over a network to perform the various process steps of the invention. Moreover, computer system 500 is only representative of various possible computer systems that can include numerous combinations of hardware. To this extent, in other embodiments, computer system 500 can comprise any specific purpose computing article of manufacture comprising hardware and/or computer program code for performing specific functions, any computing article of manufacture that comprises a combination of specific purpose and general purpose hardware/software, or the like. In each case, the program code and hardware can be created using standard programming and engineering techniques, respectively. Moreover, processing unit 506 may comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server. Similarly, memory 512 and/or storage system 522 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations. Further, I/O interfaces 508 can comprise any system for exchanging information with one or more external devices 520. Still further, it is understood that one or more additional components (e.g., system software, math co-processing unit, etc.) not shown in FIG. 5 can be included in computer system 500.
Storage systems 522, 536 and 546 can be any type of system (e.g., a database) capable of providing storage for information under the present invention. To this extent, storage systems 522, 536 and 546 could include one or more storage devices, such as a magnetic disk drive or an optical disk drive. In another embodiment, systems 522, 536 and 546 include data distributed across, for example, a local area network (LAN), wide area network (WAN) or a storage area network (SAN) (not shown). Although not shown, additional components, such as cache memory, communication systems, system software, etc., may be incorporated into computer system 500.
In another embodiment, the invention provides a method or process for detecting the presence of malicious software and malware running on a computer system or host computer system, in accordance with an embodiment of the invention. Reference is now made to FIG. 6, reference numeral 600, which outlines the steps performed by a host computer system suspected of having unwanted malware or malicious software running thereon, in accordance with an embodiment of the invention. As shown in FIG. 6, in step 602, a local scanning software tool or agent program is run locally on the “suspicious” host computer system suspected of having a malicious software or malware running thereon in order to obtain a list of currently running or active network services. In step 604, the local scanning tool or agent program running locally on the host computer system enumerates and lists currently running or active services and their respective ports in use in the host computer system. The local scan results listing or enumerating the active services and their respective ports in use in the host computer system is sent (in step 606) to another computer system on the network, namely, a results correlation computer system running a results correlation engine for comparison and evaluation of the scanning results, as discussed herein below with respect to FIG. 8.
Reference is now made to FIG. 7, reference numeral 700, which outlines the steps performed by a remote computer system that is a computer system remote to the host computer system for detecting presence of unwanted malware or malicious software running on the host computer system, in accordance with an embodiment of the invention. A remote scanning tool or agent program is run on the remote computer system in step 702 for remotely connecting to the host computer system over a network and to obtain a list of open network ports on the host computer system. In step 704, the remote scanning tool or agent program remotely connects to the host computer system to enumerate and list currently running or active network services and their respective ports in use in the host computer system. In an embodiment, the remote scanning computer system attempts to connect to each open port on the host computer system and performs an interrogation of the services running to determine whether or not the service is a known or common service. As such, a list of open, closed and filtered ports is obtained by the remote computer system. Further, the remote scan results listing or enumerating the network ports and services visible over the network are sent in step 706 to the results correlation computer system running a results correlation engine for comparison and evaluation of the scanning results, as discussed herein below with respect to FIG. 8.
Reference is now made to FIG. 8, reference numeral 800, which outlines the steps performed by the results correlation computer system for detecting presence of unwanted malware or malicious software running on the host computer system, in accordance with an embodiment of the invention. In step 802, the results correlation computer system receives the local scanning results from the host computer system and, in step 804, the results correlation computer system receives the remote scanning results from the remote computer system. The results correlation computer system running a results correlation engine compares in step 806 the local list (corresponding to the local scan) and the remote list (corresponding to the remote scan) of network services running on the host computer system for any discrepancies. Any discrepancies found represent hidden services and are indicative of unwanted software or malware. In step 810, the results correlation engine determines whether or not there is a discrepancy between the local list and the remote list. If the results correlation engine determines in step 810 that there is no discrepancy between the local list and the remote list of network services running on the host computer system, that is, there are no suspicious network discrepancies found, then the process ends in step 812. However, if the results correlation engine determines in step 810 that there are one or more discrepancies found between the local list and the remote list of network services running on the host computer system, that is, there are suspicious network discrepancies that are found that are to be likely associated with unwanted or malicious software running on the host computer system, then the results correlation engine documents and logs the discrepancies in step 814. Further, in step 816, the results correlation engine flags or identifies the “suspicious” host computer system as possibly infected. Additionally, in step 818, further tests are run on the flagged host computer system and the flagged host computer system is monitored to evaluate the nature of the discrepancy found and the malicious or unwanted software currently installed on the host computer system, ending the process. In an embodiment, the host computer system has deployed thereon one or more test programs for testing and/or evaluating any discrepancies found by the results correlation engine. It will be understood by one skilled in the art that the testing and evaluation of the host computer system can be manually implemented, as necessary, by an administrator.
Accordingly, the invention provides a system, method and a program product for detecting the presence of malicious software and malware running on a computer system or host computer system, in accordance with an embodiment of the invention. The invention requires the ability to interrogate the host computer system both locally and remotely. Local interrogation could be conducted through a locally installed agent (user or administrator-level access), or through standard network service interrogation techniques that typically require administrative-level access. Remote service interrogation of the host computer system can be conducted with standard port scanning and vulnerability scanning technologies. The device labeled “suspicious host” may or may not originally be “suspicious” and the interrogation of the host may be a routine/scheduled event for preemptive detection of malicious activities and installation of unwanted services. Local host enumeration of network services could be achieved through the use of default operating system query tools, or custom tools. The network interrogator may use standard remote port scanning techniques to identify open ports and enumerate the services behind them. The results correlation engine could be a stand-alone device, part of the network interrogator toolset, or part of an additional software suite whose purpose is to act upon any discrepancies identified between the “local scanning results” and the “remote network scanning results”
The foregoing descriptions of specific embodiments of the present invention have been presented for the purpose of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto and their equivalents.

Claims

1. A method of detecting presence of a malicious service agent running on a computer system, said method comprising the steps of:

locally querying a computer system to enumerate a local inventory of tasks and network services currently running on said computer system in order to detect presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system;

remotely querying via a network said computer system from a remote computer system to enumerate a remote inventory of tasks and network services currently running on said computer system in order to detect presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system;

collecting each of said local inventory of tasks and network services enumerated and collecting each of said remote inventory of tasks and network services enumerated; and

comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system.

2. The method according to claim 1, wherein said locally querying step further comprises the steps of:

providing a first tool for locally detecting presence of said malicious service agent running on said computer system; and

utilizing said first tool to conduct a local scan of said computer system to locally query said computer system.

3. The method according to claim 2, wherein said remotely querying step further comprises the steps of:

providing a second tool for remotely detecting presence of said malicious service agent running on said computer system; and

utilizing said second tool to conduct a remote scan of said computer system to remotely query said computer system.

4. The method according to claim 3, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.

5. The method according to claim 4, further comprising:

flagging said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said computer system.

6. A system for detecting presence of a malicious service agent running on a host computer system, comprising:

a network communications channel;

a host computer system connected to said network communications channel;

a first tool for locally detecting presence of a malicious service agent on said host computer system, said first tool being installed locally on said host computer system to conduct a local scan of said host computer system;

a remote computer system connected to said network communications channel;

a second tool for remotely detecting presence of said malicious service agent on said host computer system, said second tool being installed on said remote computer system for conducting a remote scan of said host computer system; and

a results correlation engine for correlating results collected from said local scan of said host computer system and said remote scan of said host computer system, said results correlation engine identifying any discrepancies between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.

7. The system according to claim 6, further comprising:

a third tool for providing a discrepancy report, said discrepancy report reporting said any discrepancies identified between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.

8. The system according to claim 7, wherein said first tool locally queries said host computer system to enumerate a local inventory of tasks and network services currently running on said host computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said local inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.

9. The system according to claim 8, wherein said second tool remotely queries said host computer system to enumerate a remote inventory of tasks and network services currently running on said host computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.

10. The system according to claim 9, further comprising a fourth tool for flagging said host computer system having said any discrepancies identified in order to conduct further tests to evaluate said any discrepancies for verifying presence of said malicious service agent running on said host computer system.

11. A computer program product for detecting presence of a malicious service agent running on a host computer system, said computer program product comprising:

a computer readable storage medium;

first program instructions to locally query a computer system for enumeration of a local inventory of tasks and network services currently running on said computer system for detecting presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system;

second program instructions to remotely query via a network said computer system from a remote computer system for enumeration of a remote inventory of tasks and network services currently running on said computer system for detecting presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system;

third program instructions to collect each of said local inventory of tasks and network services enumerated and to collect each of said remote inventory of tasks and network services enumerated;

fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system, and wherein said first, second, third and fourth program instructions are recorded on said computer readable storage medium.

12. The computer program product according to claim 11, further comprising:

fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are recorded on said computer readable medium.

13. The computer program product according to claim 12, wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.

14. The computer program product according to claim 13, wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.

15. The computer program product according to claim 14, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.

16. A computer system for detecting presence of a malicious service agent running on a host computer system, comprising:

fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system;

a computer readable storage medium for storing each of said first, second, third and fourth program instructions; and

a central processing unit for executing each of said first, second, third and fourth program instructions.

17. The computer system according to claim 16, fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are stored on said computer readable storage medium for execution by said central processing unit.

18. The computer system according to claim 17, wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.

19. The computer system according to claim 18, wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.

20. The computer system according to claim 19, wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.

21. A process for deploying computing infrastructure comprising integrating computer-readable code into a computing system, wherein said code in combination with said computing system is capable of detecting presence of a malicious service agent running on a host computer system, said process comprising the steps of:

locally running a first tool on a host computer system for conducting a local scan of said host computer system, said local scan enumerating a local inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system;

remotely running a second tool on said host computer system for conducting a remote scan of said host computer system, said remote scan enumerating a remote inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system; and

correlating results collected from said local scan and said remote scan of said host computer system to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said host computer system.

22. The process according to claim 21, wherein said correlating step includes the step of:

comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify said any discrepancies.

23. The process according to claim 22, wherein a port of said respective ports enumerated in each of said local inventory of tasks and network services currently running on said host computer system and said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.

24. The process according to claim 23, further comprising:

providing a discrepancy report for reporting said any discrepancies identified for evaluating presence of said malicious service agent running on said host computer system.

25. The process according to claim 24, further comprising:

flagging said host computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said host computer system.