Patent attributes
A system for discovering, or at least providing information that might assist in discovering, compromised computers involved in a malicious distributed program. The system is based around a test computer that is deliberately infected with a component of the malicious distributed program. Traffic sent by the test computer while under the control of that component is recorded. More sophisticated malicious programs alter the system files or system programs on the computers they infect, which makes the discovery process difficult to automate. Embodiments described here overcome this problem by running through a list of malicious program components and, between executing (58) each one, refreshing (52, 64) the environment (system files and system programs) in which the malicious program component runs. Network operators, or groups of network operators, could use such techniques to discover and thereafter disable harmful distributed programs that run on computers connected to the network they operate.
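The following is an added sketch of the refresh-between-runs loop described above. It is not taken from the patent. A temporary directory stands in for the test computer's system files, and `component_a` and `component_b` are constructed, harmless placeholders; every name and address in it is an assumption made for illustration.

```python
import hashlib, tempfile
from pathlib import Path

# Constructed baseline standing in for the test computer's system files.
BASELINE = {"hosts": "127.0.0.1 localhost\n",
            "resolver.conf": "nameserver 192.0.2.53\n"}

def digest(env: Path) -> str:
    """Hash every file in the environment so tampering is detectable."""
    h = hashlib.sha256()
    for p in sorted(env.iterdir()):
        h.update(p.name.encode() + b"\0" + p.read_bytes())
    return h.hexdigest()

def refresh(env: Path) -> str:
    """Restore the environment to the known-good baseline; return its digest."""
    for p in list(env.iterdir()):
        p.unlink()
    for name, content in BASELINE.items():
        (env / name).write_text(content)
    return digest(env)

# Constructed stand-ins for components: each returns the destinations it
# "contacted" and may alter the environment as a side effect.
def component_a(env: Path) -> list[str]:
    (env / "resolver.conf").write_text("nameserver 198.51.100.7\n")  # tampers
    return ["203.0.113.10:443"]

def component_b(env: Path) -> list[str]:
    resolver = (env / "resolver.conf").read_text().split()[1]
    return [f"{resolver}:53"]  # its traffic depends on system-file state

def run_list(components, do_refresh: bool) -> dict:
    """Run each component in turn, recording traffic and environment state."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        env = Path(d)
        clean = refresh(env)
        for comp in components:
            if do_refresh:
                refresh(env)  # reset before the next component runs
            started_clean = digest(env) == clean
            traffic = comp(env)
            results[comp.__name__] = {"traffic": traffic,
                                      "clean_start": started_clean,
                                      "tampered": digest(env) != clean}
        refresh(env)  # leave the environment clean after the last run
    return results
```

With `do_refresh=False`, the second component starts in an environment altered by the first, so its recorded traffic can no longer be attributed to it alone.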