CA2691129A1 - ActiveX object method and computer program system for protecting against crimeware key stroke loggers - Google Patents
- Publication number
- CA2691129A1
- Authority
- CA
- Canada
- Prior art keywords
- browser
- software program
- program according
- memory
- api
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The application describes a software system (the Poseidon Anti-key logger software) and methodology for protecting against Crime ware key logger attacks that utilize, for example, form-grabbing, hook based and browser memory injection techniques. The application protects the browser and operating system from key logging Crime ware attacks, and from the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking memory injection form grabbing attacks comprises the following:
Using a static ring 0 API wrapper, the object creates a restorable virtualized API shell; upon detection of a memory injection form grabbing event, the browser memory tables are restored from default memory tables. By using VT-x (Intel IA32) and SVM/Pacifica (AMD64) virtualization, applying it system wide by wrapping system drivers, and creating a repetitive restore memory shell in resident memory, the software provides protection against hook based, form grabber and memory injection (Zeus Trojan) key stroke loggers.
- AKL: Anti-Key logger
- API Stack: Application Program Interface Stack
- BHO: Browser Helper Object
- DLL: Dynamic Link Library
- DDE: Dynamic Data Exchange
- Browser Form: A user input area of a webpage
- API Hook: Application Programming Interface Hook
- IRQ: Interrupt Request
- Malefactors: Persons designing and implementing Crime ware
- Memory Injection Trojan: Zeus Trojan using memory injection table alteration to dump browser form data
Description
FIELD OF THE INVENTION
The present invention relates to a software invention and methods for protection against the operation of Crime ware commonly used in identity theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to software systems and methods for preventing key logger Crime ware that utilizes memory injection form grabbing, hook based and common form grabbing techniques to steal financial and identity information from users' browsers.
The invention is deployed as a Microsoft ActiveX object that is installed in the Internet Explorer browser when a user visits a protected internet web page.
ActiveX is a framework for defining reusable software components (known as controls) that perform a particular function or a set of functions in Microsoft Windows in a way that is independent of the programming language used to implement them. A software application can then be composed from one or more of these components in order to provide its functionality.
It was introduced in 1996 by Microsoft as a development of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies and it is commonly used in its Windows operating system, although the technology itself is not tied to it.
Many Microsoft Windows applications (including many of those from Microsoft itself, such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player) use ActiveX controls to build their feature set and also encapsulate their own functionality as ActiveX controls which can then be embedded into other applications. Internet Explorer also allows embedding ActiveX controls onto web pages.
This delivery system becomes the foundation of the invention in delivering it to the user's browser to provide real time web based protection when a user visits a webpage invoking the object.
BACKGROUND
Identity Theft and Criminal Crime ware Targeting Browsers
Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal account and financial information as it is being submitted by the user's browser during an internet session. Almost all online e-commerce and financial activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or online shopping e-commerce venue.
Because of the massive growth in online e-commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of e-commerce with ever-evolving Crime ware. Much of this sophisticated Crime ware is not being caught by commercial anti-virus solutions due to encryption and obfuscation techniques which render anti-virus scanning heuristics ineffective. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce not recognizing that Crime ware can be, and is, stealing their critical financial information. This sophisticated theft is taking place due in large part to the rise of what is called memory injection key logging Crime ware. Memory injection key logging Crime ware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge. This new breed of Crime ware injects into the browser's memory, alters memory tables and ultimately causes the browser to execute malicious commands and computer instructions. This causes the browser to turn on itself and become an attack vector.
Key Logging Crime ware
Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software placed on a victim's personal computer without consent. Once a key logger is deployed, traditional antivirus is relied upon to detect its presence on a personal computer. The shortcoming of this method of detection is that it is signature based. This creates an ongoing problem, as users must wait for an antivirus file signature to be generated before detection and removal can occur.
Software key loggers capture targeted personal data stored on the computers they infect. These software key loggers are utilized in conjunction with non-offending code on the infected system. The Crime ware relays the captured data to unauthorized recipients (the people who have planted the Crime ware on the system) by sending that data through the internet using TCP/IP ports used by common user applications, in order to bypass security. Software key loggers utilize a number of techniques, including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, form grabbing, hook based keystroke logging and browser memory injection.
Not commonly known to the general public are the various classes of keystroke logger methods. These methods include hook based keystroke logging, where the malware records each individual keystroke by hooking the native operating system keyboard API. The second common method is the interception of Internet Explorer browser API calls. This allows malware to intercept form data submissions being passed through the browser. The third common method is called kernel keystroke logging. This is where a low level device driver intercepts hardware interrupts.
The fourth and newest form of keystroke logging is a little known technique of browser memory injection. This is where the attacking malware injects malicious code into the browser memory table, alters it and inserts illegal code, causing the browser to key log itself and send that data to an attacker.
Hook-based key loggers are programs that insert a system API hook into an API stack. This is done by placing a call object into the API stack, acting as a filter. When a user on his or her browser calls a website, the data are filtered through this Crime ware call. This allows an attacker to record all the data being passed by the system driver, such as keystrokes passing through the operating system driver. For example, one type of hook-based key logger will monitor and record each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the Crime ware, writes this data to a text file. The text file is subsequently sent to a remote location for retrieval by malefactors.
Malefactors commonly deploy such Crime ware key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by such hook-based key loggers is great, and can amount to many Gigabytes of data within a short period. This mass of data is cumbersome to store and difficult to search for the purpose of extracting the very small percentage of data that represents credential and password information. As a result, malefactors have fine-tuned their Crime ware to meet these challenges and better reduce the large take of useless data stolen by their Crime ware.
Basic form grabbing techniques use API hooks that intercept all Internet-related functions to gain access to the Internet traffic, even though it might be encrypted with SSL or EV-SSL. Browser functions hooked by this method include:
HttpOpenRequestA/W, HttpSendRequestA/W, InternetConnectW, InternetReadFile, InternetReadFileExA/W, InternetWriteFile, CommitUrlCacheEntryA/W.
Along with these hooking techniques, a newer method called memory injection form grabbing is used. It becomes active in memory when Internet Explorer starts and sets up export hooks, so that it gains access to all transmitted internet traffic and all data passing to and from the browser, such as form submissions.
These hook core Windows functions to compromise the system.
Form-Grabbing and Memory Injection Key Loggers
Form-grabbing and memory injection key loggers insert a hook that captures the form data in live internet browsing sessions, and only form data inputs. The form information being stolen is, essentially, that of forms used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions, and mother's maiden name. This perfection of the Crime ware allows more precise targeting of stolen credentials, and it greatly increases the odds that stolen credentials will be found and used. Previous methods often resulted in so much data being siphoned out by Crime ware that credentials of interest to financial criminals and identity thieves were lost in the sea of stolen data. This is no longer the case with form-grabbing and memory injection key loggers.
Form-grabbing and memory injection key loggers have become a preferred type of key logger for sophisticated cyber criminals due to their resistance to detection and lack of effective countermeasures, their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and because almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing and memory injection key loggers have become the method of first choice for cyber criminals when targeting bank login data.
Form grabbers sit in between the internet browser and the called internet page. This allows an inserted browser helper object to inject into, or directly access, the browser's API call functions. This allows all data passed to the form to be recorded as the browser passes it, and sent on to the server to which the criminals direct the targeted data. This method of action defeats all known anti-key loggers, as they do not protect the web form or the browser window APIs. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting and hooking API functions within the browser.
Because such protection of the API hook is applied within the system driver, it does not protect the data being passed from the browser. Form grabbers deal with the browser and the data being passed over the internet; hook-based key loggers record data as it is passed through the API or system driver.
Form-grabbing and memory injection key loggers also succeed in recording and stealing automatic form filler data as well as any data copied from another location such as data pasted from a clip board.
Memory injection Key loggers such as Zeus alter browser memory tables to achieve the logging functions.
Methods to Detect and Stop Key-Loggers
Software is available to detect and remove many types of Crime ware. Attempts to combat all forms of key logger Crime ware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated with the latest version and, even when fully updated or patched, are ineffective at addressing the root problem of form-grabbing key loggers.
Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of APIs that insert themselves into the API stack.
This method is represented by the KeyScrambler product from QFX Software Corporation (Ormond Beach, FL), which employs an encryption based method wherein keystroke data is encrypted at the source (keyboard) and passed to the form in a decrypted format. Another variation on this method is used in the GuardID product of StrikeForce Technologies Inc. of Edison, New Jersey, which utilizes similar API hooking and key-scrambling methods but does not protect the user if the Crime ware is inserting itself as a hook based key logger at the first position in the stack.
Moreover, this technology does not effectively protect users against form grabber threats.
These methods do not protect against the action of hook based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself within the API stack. Accordingly, prior to the present invention, there was no effective method to protect against the action of form-grabbing key loggers.
It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience. This solution does not depend on detection of Crime ware at all. The solution, instead, defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook based key loggers that are capable of operating in the presence of scramblers.
TECHNICAL SUMMARY OF THE INVENTION
Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments.
The main intended embodiment and deployment mechanism will be the ActiveX framework developed by Microsoft. This framework serves as both the delivery and deployment method for this invention.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof.
It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention.
Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
The present invention provides a system and method for managing Crime ware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library file into the system-wide hook chain, and all key messages are intercepted by the hook DLL unless it is kicked off the chain by another program or deprived of receiving messages by a hook DLL above it. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert, the effect of which is to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user computer may already be compromised and that an undetected key logger may be in place.
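The restore-from-default-tables mechanism described in the abstract, applied to the WinINet functions listed in the background, as an added example that is not the patent's or the Poseidon product's code. A browser-side dispatch table of function pointers stands in for an import table; a baseline copy (the "default memory table") is taken before any page loads, and every entry is re-checked against it and restored when it has been redirected. The WinINet function names are real exports; the `legit_*` bodies, `decoy_filter` and every function name below are hypothetical stand-ins constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of a browser API dispatch table (stands in for an
 * import table over the WinINet functions named in the description). */
typedef int (*api_fn)(const char *form_data);

#define API_COUNT 4
static const char *API_NAMES[API_COUNT] = {
    "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile", "InternetWriteFile"
};

/* Hypothetical stand-ins for the legitimate implementations. */
static int legit_open(const char *d)  { (void)d; return 1; }
static int legit_send(const char *d)  { return (int)strlen(d); }
static int legit_read(const char *d)  { (void)d; return 0; }
static int legit_write(const char *d) { return (int)strlen(d); }

/* Unit-test fixture only: a redirected entry whose result clearly differs
 * from the legitimate one, so a diverted call can be told apart in a test. */
static int decoy_filter(const char *d) { (void)d; return -99; }

static api_fn live_table[API_COUNT];      /* what the browser dispatches through */
static api_fn baseline_table[API_COUNT];  /* the "default memory table" snapshot */
static int initialised = 0;

/* Take the baseline once, before anything else has had a chance to run. */
static void ensure_init(void) {
    if (initialised) return;
    live_table[0] = legit_open;
    live_table[1] = legit_send;
    live_table[2] = legit_read;
    live_table[3] = legit_write;
    memcpy(baseline_table, live_table, sizeof live_table);
    initialised = 1;
}

/* Integrity pass: every live entry that no longer matches the baseline is
 * reported as a memory-injection/hook event and restored. Returns how many
 * entries were restored (0 means the table was clean). */
int api_table_verify_and_restore(void) {
    int restored = 0;
    ensure_init();
    for (size_t i = 0; i < API_COUNT; i++) {
        if (live_table[i] != baseline_table[i]) {
            printf("table entry %s redirected: restoring default\n", API_NAMES[i]);
            live_table[i] = baseline_table[i];
            restored++;
        }
    }
    return restored;
}

/* Plain dispatch, as an unprotected browser would do it. Returns -1 for a
 * bad index, otherwise whatever the current table entry returns. */
int api_call(size_t idx, const char *form_data) {
    ensure_init();
    if (idx >= API_COUNT) return -1;
    return live_table[idx](form_data);
}

/* The "repetitive restore" variant: re-verify immediately before each
 * sensitive call so a redirected entry never sees the form data. */
int api_guarded_call(size_t idx, const char *form_data) {
    api_table_verify_and_restore();
    return api_call(idx, form_data);
}

/* Unit-test fixture: point one entry at the decoy to stand in for a
 * redirected table entry. Returns 1 on success, 0 for a bad index. */
int api_table_test_tamper(size_t idx) {
    ensure_init();
    if (idx >= API_COUNT) return 0;
    live_table[idx] = decoy_filter;
    return 1;
}

int main(void) {
    const char *form = "user=alice&pin=1234";   /* constructed sample input */
    printf("clean pass restored %d entries\n", api_table_verify_and_restore());
    api_table_test_tamper(1);
    printf("unguarded call after tamper: %d\n", api_call(1, form));
    printf("guarded call after tamper:   %d\n", api_guarded_call(1, form));
    return 0;
}
```

The check is only as strong as the baseline: on a real Windows system the comparison has to be made against the module's on-disk image rather than a snapshot taken at startup, and the baseline itself must be kept out of reach of the injected code, since, as the background notes, a hook installed before the protector starts would otherwise be captured as the "default".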
Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to embody the embodiment in a browser's source code.
In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers which have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance or hierarchy of server appliances within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution the software verifies its presence on the PC and identifies itself.
In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.
Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of a blacklist, a whitelist, or both, to the AKL functions. Such signature lists can include known phishing sites which target the financial institution's accountholders or, in the case of whitelists, can include newly launched sites which are used to deliver services to the institution's customers. By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided in small files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing Crime ware from compromising the credentials of an online user.
Moreover, the server to PC communications processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion.
Timely updating of newly identified malicious sites is a significant benefit, given that the window of operation for many phishing sites is five to twenty-four hours, which is shorter than the update cycle of most commercial anti-virus and anti-spyware products.
Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art as these programs are commonly used to provide awareness of the operation of security monitoring functions. When a method according to the invention is incorporated into a software program containing blacklist-driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.
In an alternative embodiment, software embodying the invention can be packaged as a stand alone component to allow the product to be delivered to the client in a manner requiring minimal interaction.
For example, one embodiment would utilize the component object model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.
In yet another embodiment of the invention, a portable device containing an installable embodiment of the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public use or other PC that is not known to be protected by the invention.
Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of the context of operation of embodiments of the present invention.
FIG. 2 is a diagram of the action of embodiments of the present invention in defeating the operation of key loggers: using a static ring 0 API wrapper, the object creates a restorable virtualized API shell, and upon detection of a memory injection form grabbing event the browser memory tables are restored from default memory tables.
FIG. 3 shows block diagrams of the API stacks with and without key loggers and with protection by embodiments of the present invention.
FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.
FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers, which the invention protects.
The present invention relates to a software invention and methods for protection against the operation of Crime ware commonly used in identify-theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to software systems and methods for preventing key logger Crime ware that utilizes memory injection form grabbing, hook based and common form grabbing techniques to steal financial and identity information from users browsers.
The deployment of which is embodied in a Microsoft ActiveX object which installed in the Internet Explorer browser when a user visits a protected internet web page.
ActiveX is a framework for defining reusable software components (known as controls) that perform a particular function or a set of functions in Microsoft Windows in a way that is independent of the programming language used to implement them. A software application can then be composed from one or more of these components in order to provide its functionality.
It was introduced in 1996 by Microsoft as a development of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies and it is commonly used in its Windows operating system, although the technology itself is not tied to it.
Many Microsoft Windows applications - including many of those from Microsoft itself, such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player -use ActiveX controls to build their feature-set and also encapsulate their own functionality as ActiveX controls which can then be embedded into other applications. Internet Explorer also allows embedding ActiveX controls onto web pages.
This delivery system becomes the foundation of the invention in delivering it to the user's browser to provide real time web based protection when a user visits a webpage invoking the object.
BACKGROUND
Identity Theft and Criminal Crime ware Targeting Browsers Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal account and financial information as it is being submitted by the user's browser during an internet session. Almost all online e-commerce and financial activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or online shopping e-commerce venue.
Because of the massive growth in online e-commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of e-commerce with ever-evolving Crime ware. Much of this sophisticated Crime ware is not being caught by commercial anti-virus solutions due to encryption and obfuscation techniques which render anti-virus scanning heuristics ineffective. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce not recognizing that Crime ware can, and is, stealing their critical financial information. This sophisticated theft is taking place due in large part to the rise of what is called memory injection key logging Crime ware. Memory injection Key logging Crime ware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge. This new breed of Crime ware injects into the browsers memory alters memory tables and ultimately causes the browser to execute malicious commands and computer instructions. This causes the browser to turn on itself and become an attack vector.
Key Logging Crime ware Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software placed on a victim's personal computer without consent. Once a key logger is deployed, traditional Antivirus is relied upon to detect it's presence on a personal computer. The short coming of this type of method of detection is that it is signature based. This creates an ongoing problem as users must wait for an Antivirus file signature to be generated before detection and removal can occur.
Software key loggers capture targeted personal data stored on the computers they infect. These software key loggers are utilized in conjunction with non-offending code on the infected system. The Crime ware relays the captured data to unauthorized recipients -- the people who have planted the Crime ware on the system -- by sending that data thru the internet using TCP/IP ports used by common user applications to bypass security. Software Key loggers utilize a number of techniques including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, form grabbing, hook based keystroke logging and browser memory injection.
Not commonly known to the general public are the various classes of keystroke logger methods. These methods include hook based keystroke logging where the malware records each individual keystroke by hooking the native operating system keyboard API. The second common method is the interception of internet explorer browser API
calls. This allows malware to intercept form data submissions being passed thru the browser. The third common method used is called Kernel keystroke logging. This is where a low level device driver does hardware interrupt interceptions.
The forth and newest form of keystroke logging is a little known technique of browser memory injection. This is where the attacking malware injections malicious code into the browser memory table, alters it and inserts illegal code causing the browser to key log itself and send out that data to an attacker.
Hook-based key loggers are programs that insert a system API hook into an API
stack. This is done by placing a call object into the API stack, acting as a filter. When a user on his or her browser calls a website, the data are filtered thru this Crime ware call. This allows an attacker to record all the data being passed by the system driver such as keystrokes passing thru the operating system driver. For example, one type of hook-based key logger will monitor and record each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the Crime ware, sends this data to a text file. The text file is subsequently sent to a remote location for retrieval by malefactors.
Malefactors commonly deploy such crimeware key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by hook-based key loggers is great and can amount to many gigabytes within a short period. This mass of data is cumbersome to store and difficult to search for the very small percentage that represents credential and password information. As a result, malefactors have fine-tuned their crimeware to meet these challenges and to reduce the large take of useless data stolen by it.
Basic form-grabbing techniques use API hooks on all internet-related functions to get access to the internet traffic, even though it might be encrypted with SSL or EV-SSL. Browser functions hooked by this method include:
HttpOpenRequestA/W, HttpSendRequestA/W, InternetConnectW, InternetReadFile, InternetReadFileExA/W, InternetWriteFile, CommitUrlCacheEntryA/W.
Along with these hooking techniques, a new method called memory injection form grabbing is used. It becomes active in memory when Internet Explorer starts and sets up export hooks, so that it gains access to all transmitted internet traffic and all data passing to and from the browser, such as form submissions. These hooks target core Windows functions to compromise the system.
Form-Grabbing and Memory Injection Key Loggers
Form-grabbing and memory injection key loggers insert a hook that captures form data, and only form data, in live internet browsing sessions. The forms being stolen are, essentially, those used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions and mother's maiden name. This refinement of the crimeware allows more precise targeting of stolen credentials and greatly increases the odds that stolen credentials will be found and used. Previous methods often siphoned out so much data that credentials of interest to financial criminals and identity thieves were lost in the sea of stolen data. This is no longer the case with form-grabbing and memory injection key loggers.
Form-grabbing and memory injection key loggers have become a preferred type of key logger for sophisticated cyber criminals due to their resistance to detection and lack of effective countermeasures, their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and because almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing and memory injection key loggers have become the method of first choice for cyber criminals when targeting bank login data.
Form grabbers sit between the internet browser and the called internet page. This allows an inserted browser helper object to inject into, or directly access, the browser's API call functions, so that all data entered into the form is recorded as the browser passes it to the server, and forwarded to the server to which the criminals send the targeted data. This method of action defeats all known anti-key loggers, as they do not protect the web form or the browser window APIs. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting and hooking API functions within the browser.
Protecting the API hook within the system driver does not protect the data being passed from the browser: form grabbers deal with the browser and the data being passed over the internet, whereas hook-based key loggers record data as it passes through the API or system driver.
Form-grabbing and memory injection key loggers also succeed in recording and stealing automatic form-filler data, as well as any data copied from another location, such as data pasted from the clipboard.
Memory injection key loggers such as Zeus alter browser memory tables to achieve the logging function.
Methods to Detect and Stop Key-Loggers
Software is available to detect and remove many types of crimeware. Attempts to combat all forms of key logger crimeware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated to the latest version and, even when fully updated or patched, are ineffective at addressing the root problem of form-grabbing key loggers.
Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of APIs that insert themselves into the API stack.
This method is represented by the KeyScrambler product from QFX Software Corporation (Ormond Beach, FL), which employs an encryption-based method wherein keystroke data is encrypted at the source (the keyboard) and passed to the form in decrypted format. Another variation on this method is used in the GuardID product of StrikeForce Technologies Inc. of Edison, New Jersey, which utilizes similar API hooking and key-scrambling methods but does not protect the user if the crimeware inserts itself as a hook-based key logger at the first position in the stack.
Moreover, this technology does not effectively protect users against form grabber threats.
These methods do not protect against the action of hook-based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself within the API stack. Accordingly, prior to the present invention, there was no effective method to protect against the action of form-grabbing key loggers.
It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience. This solution does not depend on detection of crimeware at all. The solution, instead, defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook-based key loggers that are capable of operating in the presence of scramblers.
TECHNICAL SUMMARY OF THE INVENTION
Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments.
The main intended embodiment and deployment mechanism will be the ActiveX framework developed by Microsoft. This framework serves as both the delivery and the deployment method for this invention.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof.
It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention.
Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
The present invention provides a system and method for managing crimeware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library (DLL) file into the system-wide hook chain, and all key messages are intercepted by the hook DLL unless it is kicked off the chain by another program or deprived of messages by a hook DLL above it. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user's computer may already be compromised and that an undetected key logger may be in place.
Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to implement the invention in a browser's source code.
In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers who have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance, or hierarchy of server appliances, within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution, the software verifies its presence on the PC and identifies itself.
In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.
Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of blacklists, whitelists, or both, to the AKL functions. Such signature lists can include known phishing sites which target the financial institution's accountholders or, in the case of whitelists, newly launched sites which are used to deliver services to the institution's customers. By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided as small files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing crimeware from compromising the credentials of an online user.
Moreover, the server-to-PC communications processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion.
Timely updating of newly identified malicious sites is a significant benefit, given that the window of operation for many phishing sites is five to twenty-four hours, which is shorter than the update cycle of most commercial anti-virus and anti-spyware products.
Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art as these programs are commonly used to provide awareness of the operation of security monitoring functions. When a method according to the invention is incorporated into a software program containing blacklist-driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.
In an alternative embodiment, software embodying the invention can be packaged as a stand-alone component to allow the product to be delivered to the client in a manner requiring minimal interaction.
For example, one embodiment would utilize the component object model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.
In yet another embodiment of the invention, a portable device containing an installable embodiment of the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public use or other PC that is not known to be protected by the invention.
Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of the context of operation of embodiments of the present invention.
FIG. 2 is a diagram of the action of embodiments of the present invention in defeating the operation of key loggers: using a static ring-0 API wrapper, the object creates a restorable virtualized API shell, and upon detection of a memory injection form grabbing event the browser memory tables are restored from default memory tables.
FIG. 3 shows block diagrams of the API stacks with and without key loggers and with protection by embodiments of the present invention.
FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.
FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers.
Claims (33)
1. A software program embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging, comprising:
a module for attaching and maintaining its process and initiating software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including:
a process of protecting call event interception at the zero-ring level;
a process of creating a static memory API shell which restores previous IRQ requests; and
a process of restoring altered injected browser API memory tables.
2. The software program according to claim 1, wherein the browser is Internet Explorer, and the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call under Internet Explorer.
3. The software program according to claim 1, wherein the module for inserting takes a form of a global hook call, memory table (IAT), system local call.
4. The software program according to claim 1, wherein the predetermined software processes are integrated into a single browser-called code object.
5. The software program according to claim 1, wherein the predetermined software processes are contained in a form of a non-executable file.
6. The software program according to claim 1, wherein the predetermined software processes are integrated into the browser.
7. The software program according to claim 6, wherein the browser is Internet Explorer or Firefox.
8. The software program according to claim 1, wherein the module is embodied in an ActiveX object to operate within the Windows operating system.
9. The software program according to claim 1, wherein the module is embodied in an OCX, browser helper object, ActiveX object, Dynamic Link Library file, Eclipse® Integrated Development Environment (IDE) for BlackBerry, BlackBerry JDE, or Java JAR to operate within the Mozilla Firefox browser or Internet Explorer.
10. The software program according to claim 1, wherein the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from internet.
11. The software program according to claim 10, wherein the cross platform programming language is Java or high level C# and Delphi.
12. The software program according to claim 1, wherein the module is implemented within a computer, a mobile communication device or a mobile internet device.
13. The software program according to claim 12, wherein the mobile communication device is a cellular phone, a radio phone, a satellite phone, or a smart phone.
14. The software program according to claim 12, wherein the mobile internet device is a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer.
15. The software program according to claim 12, wherein the module is deployed from a portable storage device when the portable storage device is connected to the computer, the mobile communication device or the mobile internet device.
16. The software program according to claim 15, wherein the portable storage device has a key-fob form.
17. The software program according to claim 16, wherein the portable storage device is a USB drive.
18. The software program according to claim 1, wherein the module is initiated and called by a web site or a web page.
19. The software program according to claim 18, wherein the module is called locally in conjunction with a specific web site or a web page.
20. The software program according to claim 18, wherein the module is downloaded in response to a web page after determining that the module is not present therein.
21. The software program according to claim 1, wherein the module for inserting and executing the predetermined software processes is dynamically installed in a computer, a mobile communication device or a mobile internet device which is different from the computer, the mobile communication device or the mobile internet device on which the user keyed in the data for the first time, and the module is automatically uninstalled therefrom after the user logs off the different computer, mobile communication device or mobile internet device.
22. The software program according to claim 1, further comprising a module for detecting malicious behaviors of a known malware, and a module for removing said malware.
23. The software program according to claim 1, wherein the process of intercepting also encrypts the data inputs keyed in by the user at the zero-ring level, and the module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting data which passed via the 3-ring level.
24. A software program embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging, comprising: a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including: a process of inserting an initial hook which works within the 0-ring level and prevents any other hooks from inserting at the 0-ring level; a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level; a process of passing the encrypted data to a 3-ring level where a hook inserted by a hook-based key logger resides; a process of decrypting data which passed via the 3-ring level; and a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.
25. A method for preventing software key logging executable by a microprocessor, comprising: a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain said confidential data, in response to the software key logging through the API stack to an internet communication port.
26. A method for preventing memory injection keystroke loggers by restoring browser memory tables to a pre-altered state. This is done by resetting the Import Address Table (IAT) and DHTML Table Row Object to 00000 on event execution.
27. A method for preventing memory injection form grabbing attacks comprising the following: using a static 0-ring API wrapper, the object creates a restorable virtualized API shell, and upon detection of a memory injection form grabbing event the browser memory tables are restored using default memory tables. Using VT-x (Intel IA32) and SVM/Pacifica (AMD64) virtualization and applying it system-wide by wrapping system drivers and creating a repetitive restore memory shell in resident memory, the software provides protection against hook-based, form-grabbing and memory injection (Zeus Trojan) keystroke loggers.
28. A method to prevent injection of arbitrary HTML code into a website browser by creating a restorable virtualized API shell around browser Import Address Tables (IAT) by virtual restoration.
29. A method to protect the Windows Internet Explorer functions HttpSendRequestA, HttpSendRequestW, InternetQueryDataAvailable, InternetReadFile and InternetReadFileExA by wrapping system functions in a restorable virtualized API shell.
30. A method to protect the Firefox browser by creating a restorable virtualized API shell around browser Import Address Tables (IAT) by virtual restoration.
31. A method that enables form highlighting in browser form fields for visual instruction and notification of protection by injection into memory tables.
32. A method that injects a non protection graphic and protection graphic into the webpage allowing the user to interact and observe protection notification by injection into browser memory tables.
33. A method of website protection from keystroke loggers deployed using the Microsoft ActiveX framework, comprising virtualized API shell protection of browser Import Address Tables (IAT) by virtual restoration.
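As an added defensive illustration (not part of the patent or any product it describes), the following C models the two checks the specification and claims 26 to 30 describe: detecting a function prologue that has been redirected out of its own module, as an inline hook on a WinINet export such as HttpSendRequestA would be, and comparing a snapshot of Import Address Table slots against their current values, resetting any that were altered. The module base and size, the prologue bytes and the IAT contents are constructed sample values; a real implementation would read them from the loaded PE image, which this portable version deliberately does not do.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed geometry standing in for a loaded wininet.dll (assumption). */
#define MOD_BASE 0x10000000u
#define MOD_SIZE 0x00100000u

/* Little-endian decode of n bytes, so the example is host-endian independent. */
static uint64_t le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Decode an unconditional transfer at the start of a function. Returns 1 when
 * the prologue lands outside [mod_base, mod_base + mod_size), the shape of a
 * hook planted by a foreign module. Relative jumps that stay inside the module
 * (compiler thunks, hot-patch stubs) are accepted, which avoids the usual
 * false positive of flagging every jmp-prefixed export. */
int prologue_hooked(const uint8_t *code, size_t len, uintptr_t code_addr,
                    uintptr_t mod_base, size_t mod_size, uintptr_t *target)
{
    uintptr_t dst;
    if (len >= 5 && code[0] == 0xE9) {                          /* jmp rel32 */
        int32_t rel = (int32_t)(uint32_t)le(code + 1, 4);
        dst = code_addr + 5 + (uintptr_t)(intptr_t)rel;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        dst = (uintptr_t)le(code + 1, 4);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {           /* mov rax, imm64; jmp rax */
        dst = (uintptr_t)le(code + 2, 8);
    } else {
        return 0;                                               /* ordinary prologue */
    }
    if (target) *target = dst;
    return !(dst >= mod_base && dst < mod_base + mod_size);
}

/* One import-table slot: the address the loader wrote (snapshot taken before
 * any page content ran) and the value read back on a later form-submission event. */
struct iat_entry {
    const char *name;
    uintptr_t   original;
    uintptr_t   current;
};

/* Compare each slot with its snapshot and reset the redirected ones, the
 * "restore browser memory tables" step of the claims. Returns how many were reset. */
size_t iat_verify_and_restore(struct iat_entry *tab, size_t n)
{
    size_t restored = 0;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].current != tab[i].original) {
            printf("IAT slot %-18s points to 0x%llx, restoring 0x%llx\n", tab[i].name,
                   (unsigned long long)tab[i].current, (unsigned long long)tab[i].original);
            tab[i].current = tab[i].original;
            restored++;
        }
    }
    return restored;
}

int main(void)
{
    /* Constructed prologues, not captured from any real binary. */
    static const uint8_t clean[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };        /* mov edi,edi; push ebp; mov ebp,esp */
    static const uint8_t thunk[]   = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };        /* jmp +0x1000: stays in module */
    static const uint8_t hooked[]  = { 0xE9, 0xFB, 0xEF, 0xFD, 0x6F };        /* jmp to 0x7FFE0000: outside */
    static const uint8_t pushret[] = { 0x68, 0x00, 0x00, 0xFE, 0x7F, 0xC3 };  /* push 0x7FFE0000; ret */
    uintptr_t fn = MOD_BASE + 0x1000, t = 0;

    printf("clean    : %d\n", prologue_hooked(clean, sizeof clean, fn, MOD_BASE, MOD_SIZE, &t));
    printf("thunk    : %d\n", prologue_hooked(thunk, sizeof thunk, fn, MOD_BASE, MOD_SIZE, &t));
    printf("hooked   : %d -> 0x%llx\n",
           prologue_hooked(hooked, sizeof hooked, fn, MOD_BASE, MOD_SIZE, &t), (unsigned long long)t);
    printf("push/ret : %d -> 0x%llx\n",
           prologue_hooked(pushret, sizeof pushret, fn, MOD_BASE, MOD_SIZE, &t), (unsigned long long)t);

    /* Constructed IAT: one slot redirected to an address outside the module. */
    struct iat_entry tab[] = {
        { "HttpSendRequestA",  MOD_BASE + 0x1000, MOD_BASE + 0x1000 },
        { "InternetReadFile",  MOD_BASE + 0x2000, 0x7FFE0000u },
        { "InternetWriteFile", MOD_BASE + 0x3000, MOD_BASE + 0x3000 },
    };
    printf("restored %zu slot(s)\n", iat_verify_and_restore(tab, 3));
    return 0;
}
```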
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA 2691129 CA2691129A1 (en) | 2010-01-26 | 2010-01-26 | Activex object method and computer program system for protecting against crimeware key stroke loggers |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA 2691129 CA2691129A1 (en) | 2010-01-26 | 2010-01-26 | Activex object method and computer program system for protecting against crimeware key stroke loggers |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2691129A1 true CA2691129A1 (en) | 2011-07-26 |
Family
ID=44318261
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA 2691129 Abandoned CA2691129A1 (en) | 2010-01-26 | 2010-01-26 | Activex object method and computer program system for protecting against crimeware key stroke loggers |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2691129A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8856542B2 (en) | 2012-12-25 | 2014-10-07 | Kaspersky Lab Zao | System and method for detecting malware that interferes with the user interface |
CN111539010A (en) * | 2020-06-16 | 2020-08-14 | 北京明朝万达科技股份有限公司 | Clipboard control method and device, electronic equipment and computer-readable storage medium |
CN116668202A (en) * | 2023-08-02 | 2023-08-29 | 杭州默安科技有限公司 | Method and system for detecting memory horses in container environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | FZDE | Dead | Effective date: 20150127 |