Patent · US Active

Detecting bootkits resident on compromised computers

US9251343B1 · kind B1 · utility

235Cited by

126References

28Claims

0Family size

Assignee

FireEye, Inc. · US

Inventors

Michael Vincent · Sunnyvale, US
Abhishek Singh · Redmond, US
Muhammad Amin · Fremont, US
Zheng Bu · Fremont, US

Key dates

Filing date	Mar 15, 2013
Grant date	Feb 2, 2016
Priority date	—
Expiry date	Sep 14, 2033

Classification

Technology area (CPC G)Physics
CPC primaryG06F21/575
WIPO fieldComputer technology
WIPO sectorElectrical engineering

Abstract

Techniques detect bootkits resident on a computer by detecting a change or attempted change to contents of boot locations (e.g., the master boot record) of persistent storage, which may evidence a resident bootkit. Some embodiments may monitor computer operations seeking to change the content of boot locations of persistent storage, where the monitored operations may include API calls performing, for example, WRITE, READ or APPEND operations with respect to the contents of the boot locations. Other embodiments may generate a baseline hash of the contents of the boot locations at a first point of time and a hash snapshot of the boot locations at a second point of time, and compare the baseline hash and hash snapshot where any difference between the two hash values constitutes evidence of a resident bootkit.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.