CA 02691129 2010-01-26
FIELD OF THE INVENTION
The present invention relates to a software invention and methods for protection against the operation of crimeware commonly used in identity theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to software systems and methods for preventing key logger crimeware that utilizes memory injection form grabbing, hook-based and common form grabbing techniques to steal financial and identity information from users' browsers. The deployment is embodied in a Microsoft ActiveX object which is installed in the Internet Explorer browser when a user visits a protected internet web page.
ActiveX is a framework for defining reusable software components (known as controls) that perform a particular function or a set of functions in Microsoft Windows in a way that is independent of the programming language used to implement them. A software application can then be composed from one or more of these components in order to provide its functionality.
It was introduced in 1996 by Microsoft as a development of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies, and it is commonly used in its Windows operating system, although the technology itself is not tied to it.
Many Microsoft Windows applications - including many of those from Microsoft itself, such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player - use ActiveX controls to build their feature-set and also encapsulate their own functionality as ActiveX controls which can then be embedded into other applications. Internet Explorer also allows embedding ActiveX controls onto web pages.
This delivery system is the foundation of the invention: it delivers the protection to the user's browser, providing real-time, web-based protection when a user visits a web page that invokes the object.
BACKGROUND
Identity Theft and Criminal Crimeware Targeting Browsers
Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal account and financial information as it is being submitted by the user's browser during an internet session. Almost all online e-commerce and financial activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or online shopping e-commerce venue.
Because of the massive growth in online e-commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of e-commerce with ever-evolving crimeware. Much of this sophisticated crimeware is not being caught by commercial anti-virus solutions because encryption and obfuscation techniques render anti-virus scanning heuristics ineffective. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce without recognizing that crimeware can be, and is, stealing their critical financial information. This sophisticated theft is taking place due in large part to the rise of what is called memory injection key logging crimeware. Memory injection key logging crimeware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge. This new breed of crimeware injects itself into the browser's memory, alters memory tables and ultimately causes the browser to execute malicious commands and computer instructions. This causes the browser to turn on itself and become an attack vector.
Key Logging Crimeware
Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software placed on a victim's personal computer without consent. Once a key logger is deployed, traditional antivirus is relied upon to detect its presence on a personal computer. The shortcoming of this method of detection is that it is signature based. This creates an ongoing problem, as users must wait for an antivirus file signature to be generated before detection and removal can occur.
Software key loggers capture targeted personal data stored on the computers they infect. These software key loggers are utilized in conjunction with non-offending code on the infected system. The crimeware relays the captured data to unauthorized recipients -- the people who have planted the crimeware on the system -- by sending that data through the internet using TCP/IP ports used by common user applications to bypass security. Software key loggers utilize a number of techniques, including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, form grabbing, hook-based keystroke logging and browser memory injection.
Not commonly known to the general public are the various classes of keystroke logger methods. These methods include hook-based keystroke logging, where the malware records each individual keystroke by hooking the native operating system keyboard API. The second common method is the interception of Internet Explorer browser API calls. This allows malware to intercept form data submissions being passed through the browser. The third common method is called kernel keystroke logging. This is where a low level device driver intercepts hardware interrupts. The fourth and newest form of keystroke logging is a little known technique of browser memory injection. This is where the attacking malware injects malicious code into the browser memory table, alters it and inserts illegal code, causing the browser to key log itself and send that data to an attacker.
Hook-based key loggers are programs that insert a system API hook into an API stack. This is done by placing a call object into the API stack, acting as a filter. When a user on his or her browser calls a website, the data are filtered through this crimeware call. This allows an attacker to record all the data being passed by the system driver, such as keystrokes passing through the operating system driver. For example, one type of hook-based key logger will monitor and record each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the crimeware, writes this data to a text file. The text file is subsequently sent to a remote location for retrieval by malefactors.
Malefactors commonly deploy such crimeware key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by such hook-based key loggers is great, and can amount to many gigabytes of data within a short period. This mass of data is cumbersome to store and difficult to search for the purpose of extracting the very small percentage of data that represents credential and password information. As a result, malefactors have fine-tuned their crimeware to meet these challenges and reduce the large take of useless data stolen by their crimeware.
Basic form grabbing techniques use API hooks on all Internet-related functions to get access to the Internet traffic, even though it might be encrypted with SSL or EV-SSL. Browser functions hooked by this method include:
HttpOpenRequestA/W, HttpSendRequestA/W, InternetConnectW, InternetReadFile, InternetReadFileExA/W, InternetWriteFile, CommitUrlCacheEntryA/W.
Along with these hooking techniques, a newer method called memory injection form grabbing is used. It becomes active in memory when Internet Explorer starts and sets up export hooks, so that it gains access to all transmitted internet traffic and all data passing to and from the browser, such as form submissions. These hook core Windows functions to compromise the system.
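The following is an added example and is not code from this application. It models, on constructed data, the defensive check that the export-hooking technique above invites: the first bytes of each hooked-at-risk export (the functions listed above are exports of the WinINet library) are compared with a pristine copy, as would be read from the on-disk DLL image, a patched prologue is decoded to report where it diverts to, and the prologue is restored from the pristine copy. The addresses, prologue bytes and hook targets are all constructed; real process-memory reads and writes and the PE parsing are assumed and omitted.

```python
"""Inline-hook detection and restore for browser networking exports.

Added example, not code from the patent application. All addresses and
byte strings below are constructed; reading and writing real process
memory and parsing the on-disk DLL image are assumed and omitted.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Exports named in the text as common form-grabbing hook points.
WININET_EXPORTS = [
    "HttpOpenRequestA", "HttpOpenRequestW",
    "HttpSendRequestA", "HttpSendRequestW",
    "InternetConnectW", "InternetReadFile",
    "InternetReadFileExA", "InternetReadFileExW",
    "InternetWriteFile",
    "CommitUrlCacheEntryA", "CommitUrlCacheEntryW",
]

PROLOGUE_LEN = 8  # bytes compared per export (constructed choice)

# Constructed "pristine" prologues for every export: a typical x86 frame
# setup (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10).
PRISTINE = {name: bytes.fromhex("8bff558bec83ec10") for name in WININET_EXPORTS}


@dataclass
class HookReport:
    export: str
    kind: str                 # "jmp_rel32", "jmp_abs", "push_ret" or "other"
    target: int | None        # decoded hook destination, if decodable
    restored: bool = False


def classify_patch(addr: int, code: bytes) -> tuple[str, int | None]:
    """Decode the common inline-hook trampolines found at a prologue.

    addr is the export's own address (needed to resolve a rel32 jump)."""
    if len(code) >= 5 and code[0] == 0xE9:                    # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":            # jmp [abs32]
        return "jmp_abs", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "other", None


def scan_and_restore(memory: dict[str, bytearray], addresses: dict[str, int],
                     restore: bool = True) -> list[HookReport]:
    """Compare each export's in-memory prologue with the pristine copy.

    Any difference is reported (even an undecodable one) and, when restore
    is set, the pristine bytes are written back."""
    reports: list[HookReport] = []
    for name in WININET_EXPORTS:
        current = bytes(memory[name][:PROLOGUE_LEN])
        if current == PRISTINE[name]:
            continue
        kind, target = classify_patch(addresses[name], current)
        report = HookReport(name, kind, target)
        if restore:
            memory[name][:PROLOGUE_LEN] = PRISTINE[name]
            report.restored = True
        reports.append(report)
    return reports


def build_sample_memory() -> tuple[dict[str, bytearray], dict[str, int]]:
    """Constructed in-memory image in which two exports carry trampolines."""
    base = 0x76A00000
    addresses = {n: base + 0x1000 * i for i, n in enumerate(WININET_EXPORTS)}
    memory = {n: bytearray(PRISTINE[n]) for n in WININET_EXPORTS}
    # jmp rel32 from HttpSendRequestA to a constructed injected region.
    src = addresses["HttpSendRequestA"]
    rel = (0x00400000 - (src + 5)) & 0xFFFFFFFF
    memory["HttpSendRequestA"][:5] = b"\xE9" + struct.pack("<I", rel)
    # push imm32; ret placed on InternetReadFile.
    memory["InternetReadFile"][:6] = b"\x68" + struct.pack("<I", 0x00410000) + b"\xC3"
    return memory, addresses


if __name__ == "__main__":
    mem, addrs = build_sample_memory()
    for r in scan_and_restore(mem, addrs):
        print(f"{r.export}: {r.kind} -> {r.target:#x} restored={r.restored}")
```

A second scan after the restore reports nothing, which is the "restorable" property the text attributes to the API shell; a prologue that differs from the pristine copy but matches none of the three trampoline shapes is still reported (as "other") and restored, since any divergence is treated as tampering.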
Form-Grabbing and Memory Injection Key Loggers
Form-grabbing and memory injection key loggers insert a hook that captures the form data in live internet browsing sessions, and only form data inputs. The form information being stolen is, essentially, that from forms used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions, and mother's maiden name. This perfection of the crimeware allows more precise targeting of stolen credentials, and it greatly increases the odds that the credentials stolen will be found and used. Previous methods often resulted in so much data being siphoned out by crimeware that credentials of interest to financial criminals and identity thieves were lost in the sea of stolen data. This is no longer the case with form-grabbing and memory injection key loggers.
Form-grabbing and memory injection key loggers have become a preferred type of key logger for sophisticated cyber criminals due to their resistance to detection and the lack of effective countermeasures, their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and because almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing and memory injection key loggers have become the method of first choice for cyber criminals when targeting bank login data.
Form grabbers sit in between the internet browser and the called internet page. This allows an inserted browser helper object to inject into or directly access the browser's API call functions. This allows all data passed to the form to be recorded as it is passed by the browser to the server to which the criminals are sending the targeted data. This method of action defeats all known anti-key loggers, as they do not protect the web form or the browser window APIs. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting and hooking API functions within the browser. Because the API hook is being protected within the system driver, this does not protect the data being passed from the browser. Form grabbers deal with the browser and the data being passed over the internet; hook-based key loggers record data as it is passed through the API or system driver.
Form-grabbing and memory injection key loggers also succeed in recording and stealing automatic form filler data, as well as any data copied from another location, such as data pasted from a clipboard. Memory injection key loggers such as Zeus alter browser memory tables to achieve the logging functions.
Methods to Detect and Stop Key-Loggers
Software is available to detect and remove many types of crimeware. Attempts to combat all forms of key logger crimeware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated with the latest version and, even when fully updated or patched, are ineffective to address the root problem of form-grabbing key loggers.
Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of APIs that insert themselves into the API stack. This method is represented by the KeyScrambler product from QFX Software Corporation (Ormond Beach, FL), which employs an encryption based method wherein keystroke data is encrypted at the source (keyboard) and passed to the form in a decrypted format. Another variation on this method is used in the GuardID product of StrikeForce Technologies Inc. of Edison, New Jersey, which utilizes similar API hooking and key-scrambling methods but does not protect the user if the crimeware is inserting itself as a hook-based key logger at the first instance in the stack. Moreover, this technology does not effectively protect users against form grabber threats.
These methods do not protect against the action of hook-based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself within the API stack. Accordingly, prior to the present invention, there is no effective method to protect against the action of form-grabbing key loggers.
It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience. This solution does not depend on detection of crimeware at all. The solution, instead, defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook-based key loggers that are capable of operating in the presence of scramblers.
TECHNICAL SUMMARY OF THE INVENTION
Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments.
The main intended embodiment and deployment mechanism is the ActiveX framework developed by Microsoft. This framework serves as both the delivery and deployment method for this invention.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention.
Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
The present invention provides a system and method for managing crimeware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library file into the system-wide hook chain, and all key messages are intercepted by the hook DLL unless it is kicked off the chain by another program or deprived of receiving messages by its top hook DLL. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert, the effect of which is to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user computer may already be compromised and that an undetected key logger may be in place.
Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to implement the invention directly in a browser's source code.
In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers which have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance or hierarchy of server appliances within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution, the software verifies its presence on the PC and identifies itself.
In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed, based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.
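The following is an added example and is not code from this application. It models the presence-and-identity exchange and the access decision described in the preceding paragraphs on constructed data: at enrolment the institution's master server issues each installation an identifier and a secret; at each subsequent login the server sends a single-use nonce, the installed software answers with an HMAC over the account, the nonce and its version, and the server verifies the answer and applies a deny / step-up / allow policy. The transport, the ActiveX control itself and secure key storage on the PC are assumed and omitted. The check establishes which PCs have enrolled software answering for them; it is not evidence that the endpoint is clean, which is consistent with the text's assumption that the PC may already be compromised.

```python
"""AKL presence and identity check at login, with an access decision.

Added example, not code from the patent application. Identifiers,
secrets and the policy values are constructed; transport, the control
itself and key storage on the PC are assumed and omitted.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

TOKEN_TTL = 120  # seconds for which an issued nonce is accepted (constructed)


@dataclass
class Enrolment:
    install_id: str
    secret: bytes
    version: str


def _tag(secret: bytes, account: str, nonce: str, version: str) -> str:
    """HMAC-SHA256 binding the answer to the account, nonce and AKL version."""
    msg = f"{account}|{nonce}|{version}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AklServer:
    """Master server side: enrolled installations, nonces and the policy."""

    def __init__(self, no_akl_policy: str = "step_up"):
        self.enrolled: dict[str, Enrolment] = {}
        self.issued: dict[str, float] = {}   # nonce -> time issued
        self.no_akl_policy = no_akl_policy   # "deny" or "step_up" when no AKL answers

    def enrol(self, version: str) -> Enrolment:
        """Issue a new installation its identifier and secret (at download)."""
        e = Enrolment(os.urandom(8).hex(), os.urandom(32), version)
        self.enrolled[e.install_id] = e
        return e

    def challenge(self, now: float | None = None) -> str:
        """Issue a fresh single-use nonce at the start of a login session."""
        nonce = os.urandom(16).hex()
        self.issued[nonce] = time.time() if now is None else now
        return nonce

    def decide(self, account: str, nonce: str, answer: dict | None,
               now: float | None = None) -> str:
        """Return "allow", "step_up" or "deny" for this login attempt."""
        now = time.time() if now is None else now
        issued = self.issued.pop(nonce, None)          # a nonce is consumed once
        if issued is None or now - issued > TOKEN_TTL:
            return "deny"                              # replayed, unknown or stale
        if answer is None:
            return self.no_akl_policy                  # PC without the AKL
        e = self.enrolled.get(answer.get("install_id", ""))
        if e is None:
            return "deny"                              # unknown installation
        expected = _tag(e.secret, account, nonce, e.version)
        if not hmac.compare_digest(expected, answer.get("tag", "")):
            return "deny"                              # forged or mismatched answer
        return "allow"


def client_answer(e: Enrolment, account: str, nonce: str) -> dict:
    """What the installed software sends back for the server's nonce."""
    return {"install_id": e.install_id, "tag": _tag(e.secret, account, nonce, e.version)}


if __name__ == "__main__":
    server = AklServer()
    enrolment = server.enrol("1.0")
    nonce = server.challenge()
    print(server.decide("acct-1", nonce, client_answer(enrolment, "acct-1", nonce)))
```

The nonce is removed from the issued set as soon as it is checked, so an intercepted answer cannot be replayed for a second session, and a stale nonce is rejected outright; the "step_up" outcome corresponds to the text's option of requiring a higher level of authentication from a PC on which the AKL is not installed.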
Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of blacklists, whitelists, or both blacklists and whitelists to the AKL functions. Such signature lists can include known phishing sites which target the financial institution's accountholders or, in the case of whitelists, can include newly launched sites which are used to deliver services to the institution's customers. By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided in small files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing the ability of crimeware to compromise the credentials of an online user. Moreover, the server-to-PC communications processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion. Timely updating of newly identified malicious sites is a significant benefit, given that the window of operation for many phishing sites is five to twenty-four hours, which is shorter than the update cycle of most commercial anti-virus and anti-spyware products.
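The following is an added example and is not code from this application. It models the institution-targeted signature lists described above: each list holds hostnames (a listed name also covers its subdomains), the whitelist is consulted first so that a newly launched service site of the institution is never flagged, and updates arrive as small, version-numbered deltas of the kind the text says can be delivered at the start of each session. The domain names and the delta format are constructed.

```python
"""Institution-targeted blacklist/whitelist with small delta updates.

Added example, not code from the patent application. Host names and the
delta format are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit


class SignatureLists:
    def __init__(self) -> None:
        self.version = 0
        self.blacklist: set[str] = set()
        self.whitelist: set[str] = set()

    @staticmethod
    def host_of(url: str) -> str:
        """Normalise the host of a URL: lower-case, with userinfo, port and
        any trailing dot removed. A URL that cannot be parsed yields ''."""
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            return ""
        return host.rstrip(".").lower()

    @staticmethod
    def _listed(host: str, names: set[str]) -> bool:
        """True if the host or any parent domain of it is in the list."""
        parts = host.split(".")
        return any(".".join(parts[i:]) in names for i in range(len(parts)))

    def classify(self, url: str) -> str:
        """Return "trusted", "phishing" or "unknown" for the URL."""
        host = self.host_of(url)
        if not host:
            return "unknown"
        if self._listed(host, self.whitelist):   # whitelist wins
            return "trusted"
        if self._listed(host, self.blacklist):
            return "phishing"
        return "unknown"

    def apply_delta(self, delta: dict) -> bool:
        """Apply a delta {version, add_black, del_black, add_white, del_white}.

        Only the next version in sequence is accepted, so a replayed or
        out-of-order update cannot silently reinstate removed entries."""
        if delta.get("version") != self.version + 1:
            return False
        self.blacklist |= set(delta.get("add_black", ()))
        self.blacklist -= set(delta.get("del_black", ()))
        self.whitelist |= set(delta.get("add_white", ()))
        self.whitelist -= set(delta.get("del_white", ()))
        self.version = delta["version"]
        return True


if __name__ == "__main__":
    lists = SignatureLists()
    # Constructed delta: one phishing look-alike domain, one new service site.
    lists.apply_delta({"version": 1,
                       "add_black": ["examplebank-login.test"],
                       "add_white": ["examplebank.test"]})
    for u in ("https://www.examplebank.test/login",
              "http://user:pw@secure.examplebank-login.test:8080/",
              "https://examplebank.test.evil.test/"):
        print(u, "->", lists.classify(u))
```

The host normalisation matters for the match: a URL carrying userinfo, a non-default port or a look-alike name embedded as a subdomain of another domain is reduced to its registered host before the suffix check, so only a genuine child of a listed domain inherits the listing.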
Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art, as these programs are commonly used to provide awareness of the operation of security monitoring functions. When a method according to the invention is incorporated into a software program containing blacklist-driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.
In an alternative embodiment, software embodying the invention can be packaged as a stand-alone component to allow the product to be delivered to the client in a manner requiring minimal interaction. For example, one embodiment would utilize the Component Object Model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.
In yet another embodiment of the invention, a portable device containing an installable embodiment of the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public use or other PC that is not known to be protected by the invention. Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of the context of operation of embodiments of the present invention.
FIG. 2 is a diagram of the action of embodiments of the present invention in defeating the operation of key loggers by using a static ring 0 API wrapper: the object creates a restorable virtualized API shell which, upon detection of a memory injection form grabbing event, restores the browser memory tables using default memory tables.
FIG. 3 shows block diagrams of the API stacks with and without key loggers and with protection by embodiments of the present invention.
FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.
FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers.