US 11,727,111 B1
Detecting malware by linking background intelligent transfer service (BITS) and scheduled task service (STS) activities to a source program
Andrei Stanciu, Bucharest (RO); Teodor Anton, Ploiesti (RO); Alin Enachescu, Costesti (RO); and Robert A. Clyde, Spanish Fork, UT (US)
Assigned to GEN DIGITAL INC., Tempe, AZ (US)
Filed by GEN DIGITAL INC., Tempe, AZ (US)
Filed on Sep. 30, 2021, as Appl. No. 17/490,554.
Claims priority of provisional application 63/087,698, filed on Oct. 5, 2020.
Int. Cl. G06F 21/54 (2013.01); G06F 21/56 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/54 (2013.01) [G06F 21/554 (2013.01); G06F 21/564 (2013.01); G06F 21/568 (2013.01)]
20 Claims
OG exemplary drawing
 
1. A computer-implemented method for detecting malware by linking transfer service activities to source programs, at least a portion of the method performed by a computing device comprising one or more processors, a memory, and an operating system stored within the memory, the computer-implemented method comprising:
buffering, in a detection buffer within the memory, a plurality of send Advanced Local Procedure Call (ALPC) messages and a plurality of receive ALPC messages created by the operating system when a Background Intelligent Transfer Service (BITS) of the operating system is used to download one or more files to the computing device from a network;
identifying a first send ALPC message within the plurality of send ALPC messages and a first receive ALPC message within the plurality of receive ALPC messages, wherein the first send ALPC message and the first receive ALPC message have a first common message ID;
pairing the first send ALPC message and the first receive ALPC message to create a first ALPC message pair, wherein the first ALPC message pair includes:
a first timestamp field having a value corresponding to a time of creation of at least one of the first send ALPC message and the first receive ALPC message,
a first ALPC source process ID corresponding to a send process ID of the first send ALPC message,
a first ALPC source thread ID corresponding to a send thread ID of the first send ALPC message,
a first ALPC destination process ID corresponding to a receive process ID of the first receive ALPC message, and
a first ALPC destination thread ID corresponding to a receive thread ID of the first receive ALPC message;
receiving a notification that a temporary file has been created by the BITS, the temporary file created as part of a file download initiated by the source program;
determining that (1) the value in the first timestamp field corresponds to a time of creation of the temporary file, and (2) the first ALPC destination process ID corresponds to a process ID of the temporary file, and (3) the first ALPC destination thread ID corresponds to a thread ID of the temporary file;
evaluating the first ALPC source process ID to identify the source program responsible for initiating the creation of the temporary file;
determining, based at least in part on the temporary file, that the source program is a malware program; and
performing a security action on the source program.
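The pairing and attribution steps of claim 1, as an added Python example that is not part of the patent or of any Gen Digital product: it joins buffered send/receive ALPC messages by message ID, matches a BITS temporary-file creation to a pair by destination PID, destination TID and timestamp, and returns the send-side PID as the candidate source program. The record layouts, the one-second timestamp tolerance and the sample PIDs are assumptions.

```python
from collections import namedtuple
from typing import List, Optional

# direction is "send" or "receive"; message_id links a send to its receive
AlpcMessage = namedtuple("AlpcMessage", "direction message_id timestamp process_id thread_id")
# source_* fields come from the send message, dest_* fields from the receive message
AlpcPair = namedtuple("AlpcPair", "timestamp source_pid source_tid dest_pid dest_tid")
# process_id/thread_id identify the creator of the BITS temporary file
TempFileEvent = namedtuple("TempFileEvent", "path created_at process_id thread_id")

def pair_alpc_messages(buffer: List[AlpcMessage]) -> List[AlpcPair]:
    """Join each receive message to the buffered send message with the same message ID."""
    sends = {m.message_id: m for m in buffer if m.direction == "send"}
    pairs = []
    for recv in buffer:
        if recv.direction != "receive" or recv.message_id not in sends:
            continue  # unmatched receive: its send was never buffered
        s = sends[recv.message_id]
        pairs.append(AlpcPair(s.timestamp, s.process_id, s.thread_id,
                              recv.process_id, recv.thread_id))
    return pairs

def attribute_temp_file(pairs: List[AlpcPair], event: TempFileEvent,
                        window: float = 1.0) -> Optional[int]:
    """Return the source PID of the pair whose destination PID/TID match the
    temp-file creator and whose timestamp lies within `window` seconds of the
    file's creation (the tolerance is an assumption); None if nothing matches."""
    candidates = [p for p in pairs
                  if p.dest_pid == event.process_id and p.dest_tid == event.thread_id
                  and abs(p.timestamp - event.created_at) <= window]
    if not candidates:
        return None
    return min(candidates, key=lambda p: abs(p.timestamp - event.created_at)).source_pid

# Constructed sample: PID 4321 asks the BITS host (PID 1234, thread 77) to download;
# an unrelated client (PID 9999) talks to thread 78 of the same host.
SAMPLE_BUFFER = [
    AlpcMessage("send", 101, 100.0, 4321, 10),
    AlpcMessage("receive", 101, 100.1, 1234, 77),
    AlpcMessage("send", 102, 100.2, 9999, 5),
    AlpcMessage("receive", 102, 100.25, 1234, 78),
    AlpcMessage("receive", 103, 100.3, 1234, 79),  # send never buffered
]
SAMPLE_EVENT = TempFileEvent("BIT1A2B.tmp", 100.4, 1234, 77)

def find_source_pid() -> Optional[int]:
    return attribute_temp_file(pair_alpc_messages(SAMPLE_BUFFER), SAMPLE_EVENT)  # returns 4321
```

The returned PID is only the attribution step; the claim's malware verdict and security action are separate decisions taken on the identified program and the downloaded file.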