U.S. KEY LOGGER PATENT (Good Info)

(12) United States Patent
(10) Patent No.: US 8,316,445 B2
(45) Date of Patent: Nov. 20, 2012

(54) SYSTEM AND METHOD FOR PROTECTING AGAINST MALWARE UTILIZING KEY LOGGERS
(75) Inventor: Lloyd Liske, British Columbia (CA)
(73) Assignee: Trusted Knight Corporation, Annapolis, MD (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 565 days.
(21) Appl. No.: 12/427,833
(22) Filed: Apr. 22, 2009
(65) Prior Publication Data: US 2009/0271866 A1, Oct. 29, 2009
Related U.S. Application Data
(60) Provisional application No. 61/125,178, filed on Apr. 23, 2008.
(51) Int. Cl.: H04L 29/06 (2006.01)
(52) U.S. Cl.: 726/23; 726/26; 726/27; 719/328; 713/166
(58) Field of Classification Search: 726/23, 24, 25, 26, 27; 713/166. See application file for complete search history.

(56) References Cited
U.S. PATENT DOCUMENTS
2006/0253582 A1* 11/2006 Dixon et al. 709/225
2007/0182714 A1* 8/2007 Pemmaraju 345/168
2007/0240212 A1* 10/2007 Matalytski 726/22
2008/0016339 A1* 1/2008 Shukla 713/164
2008/0189790 A1 8/2008 Park
2008/0263672 A1 10/2008 Chen et al.
2009/0077383 A1 3/2009 de Monseignat et al.
OTHER PUBLICATIONS
Who invented the USB flash drive? Jill Beissel, Aug. 12, 2011.*
The difference between ActiveX and Plug-In, Sep. 29, 2010.*
International Search Report for PCT/US10/01199, mailed Jun. 17, 2010.
* Cited by examiner
Primary Examiner: Jung Kim
Assistant Examiner: Tri Tran
(74) Attorney, Agent, or Firm: Stites & Harbison, PLLC; Juan Carlos A. Marquez, Esq.

(57) ABSTRACT
A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form grabbing techniques. The application protects the browser from key logging malware attacks, and against the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includes the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials.

23 Claims, 7 Drawing Sheets

[Front-page drawing (flow of FIG. 2): 200 installs event handler so the anti key logger is called first; 210/215 on the BeforeNavigate event, confirm first placement in the chain, reconnecting if not first; 220 identifies all web forms on the page; 222/224/225 connects to all form submission events and clears INPUT/PASSWORD boxes; 230 form submission triggered by onSubmit event; 235 clears all designated fields related to the receiving party chain; 240 data passed to the receiving party.]

SYSTEM AND METHOD FOR PROTECTING AGAINST MALWARE UTILIZING KEY LOGGERS

This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/125,178, filed on Apr. 23, 2008, the entire disclosure of which is incorporated herein by reference.
FIELD OF THE INVENTION

Glossary:
AKL: Anti-key logger
API Stack: Application Program Interface Stack
BHO: Browser Helper Object
DLL: Dynamic Link Library
DDE: Dynamic Data Exchange
Form: A user input area of a webpage
Hook: An application connecting to an API
IRQ: Interrupt Request
Malefactors: Persons designing and implementing malware

The present invention relates to systems and methods for protection against the operation of malware commonly used in identity theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to systems and methods for preventing key logger malware that utilizes form grabbing techniques to steal financial and identity information from users' browsers.

RELATED ART

Identity Theft and Criminal Malware Targeting Browsers

Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal and financial information as it is being called by the user's browser. Almost all online commerce and activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or with numerous online stores. Because of the massive growth in online commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of commerce with ever-evolving malware. Much of the sophisticated malware is not being caught by commercial anti-virus solutions. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce not recognizing that malware can, and is, stealing their critical information. This sophisticated theft is taking place due in large part to the rise of what is called key logging malware. Key logging malware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge.

Key Logging Malware Avoids Detection

Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software. Software key loggers capture targeted personal data stored on the computers they infect. The software key loggers are utilized in conjunction with legitimate programs on the infected system. The malware relays the captured data to the unauthorized recipients who planted it on the system, sending that data through the internet over the TCP/IP ports used by common user applications in order to bypass security.

Software key loggers utilize a number of techniques, including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, form grabbing, and hook-based keystroke logging. Hook-based key loggers are programs that insert a system API hook into an API stack. This is done by placing a call object into the API stack, acting as a filter. When a user on his or her browser calls a website, the data are filtered through this malware call. This allows an attacker to record all the data being passed by the system driver, such as keystrokes passing through the operating system driver. For example, one type of hook-based key logger will monitor and record each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the malware, saves this data as a text file. The text file is subsequently sent to a remote location for retrieval by malefactors.
Malefactors commonly deploy such malware key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by such hook-based key loggers is great, and can amount to many gigabytes of data within a short period. This mass of data is cumbersome to store and difficult to search for the purpose of extracting the very small percentage of data that represents credential and password information. As a result, malefactors have fine-tuned their malware to meet these challenges and reduce the large take of useless data stolen by their malware.

The Rise of Form-Grabbing Key Loggers

Form-grabbing key loggers insert a hook that captures form data, and only form data inputs. The form information being stolen is, essentially, that from forms used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions, and mother's maiden names. This perfection of the malware allows more precise targeting of stolen credentials, and it greatly increases the odds that stolen credentials will be found and used. Previous methods often resulted in so much data being siphoned out by malware that credentials of interest to financial criminals and identity thieves were buried in the sea of stolen data. This is no longer the case with form-grabbing key loggers.

Form-grabbing key loggers have become a preferred type of key logger for sophisticated cyber criminals due to (1) their resistance to detection and the lack of effective countermeasures, (2) their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and (3) the fact that almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing key loggers have become the first choice for cyber criminals when targeting bank login data.

Form grabbers sit in between the internet browser and the called internet page. This allows an inserted browser helper object to inject or directly access the browser's API call functions. This allows all data passed to the form to be recorded as it is passed by the browser to the server, after which the criminals send the targeted data to a server of their choosing. This method of action defeats all known anti-key loggers, as they do not protect the web form or the browser window APIs. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting a hook and hooking API functions within the browser. Because the API hook is being protected within the system driver, this does not protect the data being passed from the browser. Form grabbers deal with the browser and the data being passed over the internet; hook-based key loggers record data as it is passed through the API or system driver. Form-grabbing key loggers also succeed in recording and stealing automatic form-filler data as well as any data copied from another location, such as data pasted from a clipboard.

Methods to Detect and Stop Key-Loggers

Software is available to detect and remove many types of malware. Attempts to combat all forms of key logger malware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated with the latest version, and even when fully updated or patched, are ineffective at addressing the root problem of form-grabbing key loggers. Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of APIs that insert themselves into the API stack.
This method is represented by the KeyScrambler® product from QFX Software Corporation (Ormond Beach, Fla.), which employs an encryption-based method. According to this method, keystroke data is encrypted at the source (keyboard) and passed to a form in a decrypted format. Another variation of this method is used in the GuardID® product of StrikeForce Technologies Inc. of Edison, N.J., which utilizes similar API hooking and key-scrambling methods but does not protect the user if the malware is inserting itself as a hook-based key logger at the first instance in the stack. Moreover, this method does not effectively protect users against form grabber threats.

US 2007/0240212 attempts to counter the action of key logger malware by creating a keyboard driver and hooking into various running Windows processes. In particular, it creates a keystroke unhook or bypass method. A program engine hooks Windows processes and performs a monitoring action in which it looks for hooked calls. When a hooked call is detected, it injects a program and launches new processes. This method creates a false entry state and a false exit state whereby the keystroke data is passed through these states, i.e., bypassing a keystroke logger hook, by using a separate Windows keyboard driver. This method may counter hook-based key loggers but is likely to cause system instability due to the fact that it injects into running Windows processes, a technique which is known to cause memory corruption and system failures. Moreover, a simple modification by the authors of key logger malware would allow such malware to identify the anti-key logger driver file and hook this process instead, thus allowing the key logger to capture the user's keystrokes as they pass through that process. This method does not protect against the action of hook-based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself hooking within the API stack, thus making it ineffective against the current generation of form-grabbing key logger malware.

It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience by, for example, asking the user to determine whether flagged processes or programs should be allowed to operate. The solution of the present invention does not depend on detection of malware at all. The solution of the present invention, instead, defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook-based key loggers that are capable of operating in the presence of scramblers. It is a further object of this invention to provide a solution that is compatible with all common widely deployed browsers, without requiring a change of browsers by users.

SUMMARY OF THE INVENTION

Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details.
In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention. Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.

The present invention provides a system and method for managing malware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library file into the system-wide hook chain, and all key messages are intercepted by the hook DLL unless it is kicked off the chain by another program or deprived of receiving messages by its top hook DLL. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert, the effect of which is to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user computer may already be compromised and that an undetected key logger may be in place. The present system detects attempts to place hooks, by techniques such as modification of important tables or the insertion of inline hooks. Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to embody the invention in a browser's source code.

In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers which have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance or hierarchy of server appliances within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution, the software verifies its presence on the PC and identifies itself. In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.

Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of blacklists, whitelists, or both blacklists and whitelists to the AKL functions. Such signature lists can include known phishing sites which target the financial institution's accountholders or, in the case of whitelists, can include newly launched sites which are used to deliver services to the institution's customers.
By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided in small files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing malware from compromising the credentials of an online user. Moreover, the server-to-PC communication processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion. A timelier updating of newly identified malicious sites is a significant benefit given that the window of operation for many phishing sites is five to twenty-four hours, which is shorter than the update cycle of most commercial anti-virus and anti-spyware products.

Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art, as these programs are commonly used to provide awareness of the operation of security monitoring functions. When a method according to the invention is incorporated into a software program containing blacklist-driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.

In an alternative embodiment, software embodying the invention can be packaged as a stand-alone component to allow the product to be delivered to the client in a manner requiring minimal interaction. For example, one embodiment would utilize the Component Object Model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.

In yet another embodiment of the invention, a portable device contains an installable embodiment of the invention. In this form, the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public-use or other PC that is not known to be protected by the invention. Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.

A software program according to one embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port.

The browser may be Internet Explorer, and the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call under Internet Explorer. The module for inserting may take the form of a global hook call. The predetermined software processes may be integrated into a single browser-called code object. The predetermined software processes may be contained in the form of a non-executable file.
The predetermined software processes may be integrated into the browser, and the browser may be Internet Explorer. The module may be embodied in an ActiveX object to operate within the Windows operating system, or embodied in a Browser Helper Object file to operate within the Mozilla Firefox browser. Alternatively, the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from the internet, and the cross-platform programming language is Java. The module may be initiated and called by a web site or a web page, or the module is called locally in conjunction with a specific web site or web page. Alternatively, the module is downloaded in response to a web page after determining that the module is not present therein.

The module for inserting and executing the predetermined software processes is dynamically installed in a computer, a mobile communication device or a mobile internet device which is different from the computer, mobile communication device or mobile internet device on which the user keyed in the data for the first time, and the module is automatically uninstalled therefrom after the user logs off the different computer, mobile communication device or mobile internet device. The software program further comprises a module for detecting malicious behaviors of a known malware, and a module for removing the malware. The process of intercepting also encrypts the data inputs keyed in by the user at the zero-ring level, and the module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting data which passed via the 3-ring level.

A software program according to another embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include: a process of inserting an initial hook which works within the 0-ring level and prevents any other hooks from inserting at the 0-ring level; a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level; a process of passing the encrypted data to a 3-ring level, where a hook inserted by a hook-based key logger may be present; a process of decrypting data which passed via the 3-ring level; and a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.

A method for preventing software key logging executable by a microprocessor according to yet another embodiment of the invention comprises a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of the context of operation of embodiments of the present invention.
FIG. 2 is a diagram of the action of the embodiments of the present invention in defeating the operation of form-grabbing key loggers.
FIG. 2A is a diagram of the actions of the embodiments of the present invention in defeating the action of hook-based key loggers.
FIG. 3 shows block diagrams of the API stacks with and without keyloggers and with protection by the embodiments of the present invention.
FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.
FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers.
FIG. 6 is a diagram that illustrates the manner in which the invention functions to maintain its position in an API stack.

DETAILED DESCRIPTION OF INVENTION

This invention protects against malicious form-grabbing software and stops it from capturing passwords and other data. Initially, software in accordance with the present invention installs itself at the 0-ring level for all browser events within a stack. This ensures all instances of the web browser are protected. The software in accordance with the present invention installs itself to the stack last, to ensure it is called first, to prevent any key logger logic from circumventing the protection. The software in accordance with the present invention is placement-aware and renegotiates its location in the API stack to ensure there are no other hooks that circumvent the protection at any time.

FIG. 1 is an overview of the environment in which embodiments of the invention operate, and the generalized location of other components. At the keyboard driver level (100) input is provided by a user; the AKL (105) functions at this level to protect the inputted keyboard data.
The virtual keyboard (110) is the next step in the flow of inputted keyboard data, and is a common location for a key logger (115) to be present to intercept the inputted data. The operating system (120) receives the inputted keyboard data and passes the data to the application (130) being utilized by the user, which is a location where keyloggers (135) also intercept inputted keyboard data. Finally, the application passes the inputted keyboard data to the internet web server (140) per the user request.

As illustrated in FIG. 2, software in accordance with the invention inserts itself in the API stack last, causing this software to be called first (S200). When a BeforeNavigate event is identified (S210), the software confirms its placement in the API stack (S215). When a form submission onSubmit event occurs (S230), the software identifies all forms on the called web page (S220). If forms are present, the software connects to each form submission event (S222), the invention clears all form inputs marked with INPUT or PASSWORD (S224), and then the event handler clears all passwords (S226). The software provides the user-inputted data through the OnSubmit event in due course to the designated receiving party, such as a bank (S240). The software also ensures all password form fields are cleared from the API chain (S235) and thus are unavailable for capture by form-grabbing key loggers.

This embodiment of the invention affects the current BeforeNavigate event handler upon each IE event, or the equivalent event handler in other types of browsers. The software then identifies all forms on the web page and in each form clears the elements with tag "INPUT" and type "PASSWORD" (S224). The password in each form is cleared per event by the software (S226). Within the Microsoft IE family of browsers, the form element IHTMLFormElement has an OnSubmit event, which is also called the BeforeNavigate event. When an IE document is completed, the software identifies all form submissions on the IE page (S220) and connects to their events (S222). In the OnSubmit event all the form's data is already in Internet Explorer's Post or Get format (S230). The software clears all password fields related in the chain of passing this data from the browser to the target server (S235). The software clears the data commonly left in the OnSubmit event, thereby preventing form-grabbing key loggers from harvesting this data.

There are two types of hooks: thread-specific hooks and system-wide hooks. A thread-specific hook is associated only with a particular thread, including any thread owned by the calling process. To associate the anti-key logger hook with other processes and threads, the present invention employs a system-wide hook. Each hook is associated with a hook procedure. This procedure is always called when a particular event occurs. For example, when there is an event associated with the mouse, this hook procedure is called. In Windows®, the hook is set by calling the function SetWindowsHookEx(). The hook is later removed by calling UnhookWindowsHookEx(). The invention protects itself at the 0-ring level by creating a wrapper, invoking SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, hInst, 0), thereby initiating and maintaining the low-level global system hook in the API stack. By continuously refreshing and monitoring this state we can thereby protect against and identify any hook attempts from ring 3 onward, protecting the 0-ring level. Any attempts to intercept the hook are then rejected and passed down the API chain. Typical hook-based key loggers catch each character as it is pressed, while a form grabber connects to IE and browser events and, in the BeforeNavigate event, when password fields are already filled, searches the password box on the page and retrieves its text, including the full credential set.

As illustrated in FIG. 2A, the initial hook placed by the present invention works within the 0-ring level together with the anti-form-grabber code in the same instance (S260), whereby the protection is called and placed (S262). If an unauthorized call is detected in ring 0, the call is discarded from the API stack (S270). The protection call continues by hooking its protection around the kernel keyboard driver (S274), where it intercepts keystroke interrupt requests and begins its encryption of the keystroke data (S276) received from the keyboard (S272). This data is then passed into the Ring 3 level, the operating system (S280), then on to the intended application, typically a web browser (S282), whereby the keystrokes are decrypted by the browser helper object (S284) or other browser plug-in and presented to the web form for submission as normal via the internet (S290) to the designated receiving entity (S292). Accordingly, the present invention prevents the action of hook-based software key loggers as well as form-grabbing key loggers.

Referring to FIG. 3, the first API stack, titled Typical Web Browser API Stack, shows the zero ring hardware driver (300) interacting with the web browser (305) as the two sole objects in the API stack. The second API stack, labeled Web Browser API Stack with Keylogger, shows both the zero ring (300) and the web browser (305), with the keylogger (310) running between both objects in the API stack, intercepting all keyboard input destined for the browser. The third API stack represents all the previous objects in the API stack, zero ring (300), keylogger (310), and web browser (305). Included in the stack, in proper order, is the software which counters any keylogger in the API stack.

Referring to FIG. 4, in a preferred embodiment of the invention, the software containing anti-key logger functionality (420) is distributed by a financial institution (400) to thousands or millions of its customers which have online access to their accounts through browsers based on individual PCs or other computing devices (410).

FIG. 5 is an example of a typical form used with a browser. Sensitive customer credentials and information are submitted through such forms to web sites of financial institutions in order to gain access to customer accounts. Such forms are also used to verify the identity of a customer and convey credit card or other payment data during an online purchase. Similar forms are used to gain access to web sites that may not involve financial accounts but which may contain confidential information including personally identifiable information, government records, health records, or other information that is private, proprietary or commercially sensitive.

FIG. 6 illustrates the manner in which the invention functions to maintain its position in the API stack by illustration of its relation to kernel ring calls. The Ring 0 API is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory (650). This is also known as the kernel level. Under the present invention, protection is inserted at this level (660), whereby the protection can determine if an unauthorized 0-ring call is being made (670), at which time it is bounced from the API chain. If no attempt is detected the calls are passed to Ring 3 (software level) (680), at which time calls are passed to the browser (682). The browser handles requests or HTML post/get commands, and credentials are passed to the beforeNavigate event (684), then on to the onSubmit event (686), whereby user credentials are sent over the internet (688) to the intended receiving entity (690).
While the foregoing description uses Internet Explorer® as an example, the invention is not limited to this browser but can be used with any internet browser, including but not limited to Firefox®, Safari® or Opera®.

In summary, the following are the steps in the operation of a preferred embodiment of the present invention:
    Set a hook at ring 0 in the API stack
    Pass data to the DLL
    Detect any form submission event
    Allow the form data submission
    Clear the form data

The invention protects against at least the following threats:
    Window title enumeration using FindWindow()
    BHO or Firefox browser extension hooks
    LSP (Layered Service Provider)
    DDE (Dynamic Data Exchange) using the WWW_GetWindowInfo topic
    OLE (Object Linking and Embedding) using IWebBrowser2
    Hooking (e.g. WinInet HttpSendRequest, SetWindowsHookEx + WH_GETMESSAGE/WH_KEYBOARD)
    Form-grabber key loggers gathering the browser location (current URL), countered by disabling the hook DdeConnect() with topic "WWW_GetWindowInfo"

The software modules or processes of the present invention can all be called from a single file object. The present invention can be integrated into the browser itself. Alternatively, the present invention can be invoked/downloaded by an individual web page or web site. If a registered user tries to initiate the present invention from a different computer, the present invention will uninstall itself after operating on the different computer. The present invention can be part of an enterprise implementation with a master server.

System and Method Implementation

The present invention can be applied to existing or evolving software operating systems and development tools such as JavaScript, Ajax, Flash and RIA, for cross-platform use or mobile applications. Each platform has a different operating system and therefore different call structures and API methods.
The invention can be applied to different OSs by manipulating the different calls as they apply to each OS and its related calls.

The foregoing description portrays various embodiments of the present invention along with examples of how the present invention may be implemented. These examples and embodiments should not be considered the only possible embodiments or implementations of the present invention. Further embodiments of the present invention may involve the operation of a portable or wireless device, including implementation of the invention or portions of the invention in software operating on such a device, or firmware embedded in such a device or transmitted to the device from a remote system.

Portions of the present invention may be applied to a general purpose or specialized digital device, computer system, server, computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the art of communication, computers and e-commerce. The microprocessor can be embedded in a computer, a mobile communication device or a mobile internet device. The mobile communication device may be a cellular phone, a radio phone, a satellite phone, or a smartphone. The mobile internet device may be a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application-specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.
The present invention includes a computer program product embedded in a storage/recording medium (media) having instructions stored thereon/in which can be used to control, or cause, a microprocessor or a computer to perform any of the processes of the present invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, mini disks (MDs), optical discs, DVD, CD-ROMs, micro-drives, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices (including flash cards and USB drives), magnetic or optical cards, nanosystems (including molecular memory ICs), RAID devices, remote data storage/archive/warehousing, or any type of media or device suitable for storing instructions and/or data.

Stored on any one of the computer readable media, the present invention includes software for controlling both the hardware of the general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention. Such software may include, but is not limited to, device drivers, operating systems, and user applications. Ultimately, such computer readable media further include software for performing the present invention, as described above. Included in the programming (software) of the general/specialized computer or microprocessor are software modules for implementing the teachings of the present invention.

In conclusion, the present invention provides, among other things, a system and method for protecting against form-grabbing and other key loggers. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use and its configuration to achieve substantially the same results as achieved by the embodiments described herein.
Accordingly, there is no intention to limit the invention to the disclosed exemplary forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the embodiments.

What is claimed is:

1. A software program embedded in a non-transitory microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging, comprising:
    a software module that inserts and executes predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including:
    a process of detecting a browser form submission initiation call event at the zero-ring level, wherein the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call;
    a process of intercepting data inputs keyed in by a user at the zero-ring level; and
    a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain said confidential data, in response to the software key logging through the API stack to an internet communication port.

2. The software program according to claim 1, wherein the module for inserting takes the form of a global hook call.

3. The software program according to claim 1, wherein the predetermined software processes are integrated into a single browser-called code object.

4. The software program according to claim 1, wherein the predetermined software processes are contained in the form of a non-executable file.

5. The software program according to claim 1, wherein the predetermined software processes are integrated into the browser.

6. The software program according to claim 1, wherein the module is embodied in an ActiveX object to operate within a Windows operating system.

7. The software program according to claim 1, wherein the module is embodied in a Browser Helper Object file to operate within a Mozilla Firefox browser.

8. The software program according to claim 1, wherein the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from the internet.

9. The software program according to claim 8, wherein the cross-platform programming language is Java.

10. The software program according to claim 1, wherein the module is implemented within a computer, a mobile communication device or a mobile internet device.

11. The software program according to claim 10, wherein the mobile communication device is a cellular phone, a radio phone, a satellite phone, or a smartphone.

12. The software program according to claim 10, wherein the mobile internet device is one of a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer.

13. The software program according to claim 10, wherein the module is deployed from a portable storage device when the portable storage device is connected to the computer, the mobile communication device or the mobile internet device.

14. The software program according to claim 13, wherein the portable storage device has a key-fob form.

15. The software program according to claim 14, wherein the portable storage device is a USB drive.

16. The software program according to claim 1, wherein the module is initiated and called by a web site or a web page.

17. The software program according to claim 16, wherein the module is called locally in conjunction with a specific web site or web page.

18. The software program according to claim 16, wherein the module is downloaded in response to a web page after determining that the module is not present therein.

19. The software program according to claim 1, wherein the software module for inserting and executing the predetermined software processes is dynamically installed in a computer, a mobile communication device or a mobile internet device which is different from the computer, the mobile communication device or the mobile internet device on which the user keyed in the data for the first time, and is automatically uninstalled therefrom after the user logs off the different computer, mobile communication device or mobile internet device.

20. The software program according to claim 1, further comprising:
    a software module that detects malicious behaviors of a known malware; and
    a software module that removes said malware.

21. The software program according to claim 1, wherein the process of intercepting further encrypts the data inputs keyed in by the user at the zero-ring level, and the software module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting the data which passed via the 3-ring level.

22. A software program embedded in a non-transitory microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging, comprising:
    a software module that inserts and executes predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including:
    a process of inserting an initial hook which works within the 0-ring level and prevents any other hooks from inserting at the 0-ring level;
    a process of detecting a browser form submission initiation call event at the zero-ring level, wherein the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call;
    a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level;
    a process of passing the encrypted data to a 3-ring level where a hook is inserted by a hook-based key logger;
    a process of decrypting the data which passed via the 3-ring level; and
    a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.

23. A method for preventing software key logging, executable by a microprocessor, comprising:
    a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including:
    detecting a browser form submission initiation call event at the zero-ring level, wherein the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call;
    intercepting data inputs keyed in by a user at the zero-ring level; and
    (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain said confidential data, in response to the software key logging through the API stack to an internet communication port.
Posted on: Thu, 17 Oct 2013 00:41:32 +0000