Patent application title: SYSTEM AND METHOD FOR PROTECTING AGAINST MALWARE UTILIZING KEY LOGGERS
Trusted Knight Corporation (Annapolis, MD, US)
Lloyd Liske (Courtenay, CA)
TRUSTED KNIGHT CORPORATION
IPC8 Class: AG06F2100FI
Class name: Information security monitoring or scanning of software or data including attack prevention intrusion detection
Publication date: 2013-03-07
Patent application number: 20130061323
A software, system and methodology for protecting against malware key
logger attacks that utilize, for example, form-grabbing techniques. The
application protects the browser from key logging malware attacks, and
the loss of critical user confidential information often entered into
internet forms for the purpose of buying items or logging into financial
institutions. An embodiment of a method for blocking form-grabbing
attacks includes the following steps. Upon detecting a form submission
event from the browser, and immediately after allowing the data to be
properly submitted, the form input fields are cleared of data. The method
prevents hook-based key loggers or form-grabbing key loggers from
capturing form input data, thereby protecting the user from theft of
passwords or credentials.
1. A method for preventing malicious memory table patching injection into
an Internet browser by comparing known browser memory table entry points
with altered table entry points in browser process chains and software
hooks, comprising the steps of: determining a 0 ring hook in an operating
system to be scanned; scanning active browser memory tables; comparing
memory entry points against known memory tables to establish if a
malicious patch has occurred; when the malicious patch occurs, restoring
an altered memory table address to a clean state to render the malicious
browser memory injection process null; and restoring the 0 ring hook.
2. A method for monitoring and restoring system memory tables of computer operating system processes executed when a malicious process has injected itself into a new system processes, comprising the steps of: determining a local system hook; scanning an entry point of an executable or dynamic link library file specified in a at least one of a Portable Executable header or a private hook procedure; comparing entry points against known malware memory table entry points in system processes or Internet browser memory tables; restoring injected memory tables to original memory entry points; and releasing a local system hook.
3. A method for monitoring and blocking maliciously created program mutexes from a database, comprising the steps of: determining a 0 ring hook or local system hook of established system processes; monitoring system API calls for new established or created mutexes; comparing mutexes with a database of known malicious mutex names; when a match is found, creating an exact null mutex with the same name; and verifying malicious mutex has terminated and restoring system hooks.
4. A method for determining system memory NTDLL protection of base addresses, comprising the steps of: determining a 0 ring hook or system level hook; monitoring access to base addresses CONTAINING_RECORD(NtCurrentTeb( )→Peb--Ldr→InInitializationOrderModuleList.Flink, LDR_MODULE or InInitializationOrderModuleList)→BaseAddress or system entry point API functions of NTDLL!NtQueryDirectoryFile, NTDLL!NtVdmControl, NTDLL!NtEnumerateValueKey, NTDLL!NtResumeThread, NTDLL!LdrLoadDll,user32.dll!TranslateMessage,wininet.dll!Internet CloseHandle,wininet.dll!HttpSendRequestA,wininet.dll!HttpSendRequestW,nsp- r4.dll!PR_Write (called by Firefox),ws2.sub.-- 32.dll!send,Advapi32.dll!CryptEncrypt; when a memory injection or table alteration is detected, restoring tables restoring the 0 ring hook or system hook.
5. A method for blocking malicious system buffer based API calls and system hooks by blocking malware anti-memory break point functions, comprising the steps of: establishing a 0 ring hook or local hook; scanning system calls in a loop for GetprocAddress based lookups; comparing 32 or 64 bit ROL-7-XOR hash lookup processes against known malicious GetProcAddress based lookups; restoring dynamically loaded images to null; and restore the system hooks.
6. A method for blocking malicious system API hooking through the use of standard detour hooks, comprising the steps of: determining a 0 ring hook in system API stack; monitoring system memory locations and attempts to relocate memory locations Jcc rel 8 or LOOPcc, JMP rel32, CALL rel 32 or rel8 instructions; inserting a nulled memory call with an INC EAX/DEC EAX [40h/48h] memory instruction to fool a malicious process into assuming the API function is hooked already; and restoring system hooks.
7. A method for blocking injection of a malicious memory image injection into a remote processProtect, SedebugPrivilege escallation or NtReadVirtualMemory to access memory calls of a target process, comprising the steps of: determining a local hook; monitoring for processProtect, SedebugPrivilege escallation or NtReadVirtualMemory memory calls; comparing to a known database of malicious calls; and restoring memory tables to null.
8. A method for blocking memory injection based keystroke logging, comprising the steps of: determining a 0 ring system API hook; monitoring for TranslateMessage, GetKeyboardState and ToUnicode(lpMsg wParam) hooks; and when at least one the TranslateMessage, GetKeyboardState and ToUnicode(lpMsg wParam) hooks is detected, unhooking an API call; and restoring system hooks.
9. A method for detecting malicious system named pipes by comparing created system mutexes against established database of known malware mutexes and malware named pipes, comprising the steps of: determining a 0 ring hook or local system hook; monitoring created mutexes or created system named pipe calls; scanning and comparing named pipes and created mutexes against an established database; when a match is found, terminating the named pipe call or mutex; and restoring system hooks.
10. A method for blocking malicious memory injection based screen recording or screen scraping attempts, comprising the steps of: determining 0 ring hook or local system hook; monitor import hook API calls to user32!TranslateMessage with calls to WM_LBUTTONDOWN with an accompanying call to HttpSendRequestA hook iii) block call to HttpSendRequestA iv) restore system hooks
11. A method for blocking malicious memory Browser injection, comprising the steps of: determining a 0 ring hook or local system hook; monitoring for at least one of the following wininet functions for memory based hooks: wininet.dll!HttpSendRequestW, wininet.dll!HttpSendRequestA,wininet.dll!HttpSendRequestExW,wininet.dll!H- ttpSendRequestExA,wininet.dll!InternetReadFile,wininet.dll!InternetReadFil- eExW,wininet.dll!InternetReadFileExA,wininet.dll!InternetQueryDataAvailabl- e,wininet.dll!InternetCloseHandle,wininet.dll!HttpQueryInfoA,wininet.dll!H- ttpQueryInfoW; detecting and nullifying attempted hooks; and restoring system hooks to a previous state.
12. A method for blocking ring 3 keystroke logging using a windows function call TranslateMessage, comprising the steps of: determining a 0 ring hook or local level hook; monitoring for TranslateMessage system calls; when a TranslateMessage call by wininet call is detected, unhooking the call; restore the system call to null; and restoring system hooks.
 This application is a Continuation of U.S. application Ser. No.
12/427,833 filed Jul. 13, 2010, which claims the benefit of U.S.
Provisional Patent Application Ser. No. 61/125,178 filed on Apr. 23,
2008. Priority is claimed based on U.S. application Ser. No. 12/427,833
filed Jul. 13, 2010, which claims the priority of U.S. Provisional Patent
Application Ser. No. 61/125,178 filed on Apr. 23, 2008, the content of
which is hereby incorporated by reference into this application.
FIELD OF THE INVENTION
 AKL Anti-key logger API Stack Application Program Interface Stack BHO Browser Helper Object DLL Dynamic Link Library DDE Dynamic Data Exchange Form A user input area of a webpage Hook An application connecting to an API IRQ Interrupt Reguest Malefactors Persons designing and implementing malware
 The present invention relates to systems and methods for protection against the operation of malware commonly used in identify-theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to systems and methods for preventing key logger malware that utilizes form grabbing techniques to steal financial and identity information from users' browsers.
Identity Theft and Criminal Malware Targeting Browsers
 Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal and financial information as it is being called by the user's browser. Almost all online commerce and activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or with numerous online stores. Because of the massive growth in online commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of commerce with ever-evolving malware. Much of the sophisticated malware is not being caught by commercial anti-virus solutions. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce not recognizing that malware can, and is, stealing their critical information. This sophisticated theft is taking place due in large part to the rise of what is called key logging malware. Key logging malware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge.
Key Logging Malware Avoids Detection
 Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software.
 Software key loggers capture targeted personal data stored on the computers they infect. The software key loggers are utilized in conjunction with legitimate programs on the infected system. The malware relays the captured data to unauthorized recipients, who have planted the malware on the system by sending that data thru the internet using TCP/IP ports used by common user applications to bypass security. Software Key loggers utilize a number of techniques including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, and form grabbing and hook based keystroke logging.
 Another technique is hook-based key logging. Hook-based key loggers are programs that insert a system API hook into an API stack. This is done by placing a call object into the API stack, acting as a filter. When a user on his or her browser calls a website, the data are filtered thru this malware call. This allows an attacker to record all the data being passed by the system driver, such as keystrokes passing thru the operating system driver. For example, one type of hook-based key logger will monitor and record each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the malware, saves this data as a text file. The text file is subsequently sent to a remote location for retrieval by malefactors. Malefactors commonly deploy such malware key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by such hook-based key loggers is great, and can amount to many Gigabytes of data within a short period. This mass of data is cumbersome to store and difficult to search for the purpose of extracting the very small percentage of data that represents credential and password information. As a result, malefactors have fine-tuned their malware to meet these challenges and better reduce the large take of useless data stolen by their malware.
The Rise of Form-Grabbing Key Loggers
 Form-grabbing key loggers insert a hook that captures the form data, and only form data inputs. The form information being stolen is, essentially, those forms used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions, and mother's maiden names. This perfection of the malware allows more precise targeting of stolen credentials, and it greatly increases the odds that credentials stolen will be found and used. Previous methods often resulted in so much data being siphoned out by malware that credentials of interest to financial criminals and identity thieves were buried in the sea of stolen data. This is no longer the case with form-grabbing key loggers.
 Form-grabbing key loggers have become a preferred type of key logger for sophisticated cyber criminals due to (1) their resistance to detection and lack of effective countermeasures, (2) their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and (3) almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing key loggers have become the first choice for cyber criminals when targeting bank login data.
 Form grabbers sit in between the internet browser and the called interne page. This allows an inserted browser helper object to inject or directly access the browser's API call functions. This allows all data passed to the form to be recorded as it is passed by the browser to the server to which the criminals are sending the targeted data. This method of action defeats all known anti-key loggers as they do not protect the web form or the browser window API's. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting a hook and hooking API functions within the browser.
 Because the API hook is being protected within the system driver this does not protect the data being passed from the browser. Form grabbers deal with the browser and the data being passed over the internet. Hook-based key loggers record data as it is passed thru the API or system driver.
 Form-grabbing key loggers also succeed in recording and stealing automatic form filler data as well as any data copied from another location such as data pasted from a clip board.
Methods to Detect and Stop Key-Loggers
 Software is available to detect and remove many types of malware. Attempts to combat all forms of key logger malware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated with the latest version, and even when fully updated or patched, are ineffective to address the root problem of form-grabbing key loggers.
 Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of API's that insert themselves into the API stack. This method is represented by the KeyScrambler® product from QFX Software Corporation (Ormand Beach, Fla.) which employs an encryption-based method. According to this method, keystroke data is encrypted at the source (keyboard) and passed to a form in a decrypted format. Another variation of this method is used in the GuardID® product of StrikeForce Technologies Inc. of Edison, N.J. that utilizes similar API hooking and key-scrambling methods but does not protect the user if the malware is inserting itself as a hook-based key logger at the first instance in the stack. Moreover, this method does not effectively protect users against grabber threats.
 US 2007/0240212 attempts to counter the action of key logger malware by creating a keyboard driver and hooking into various running windows processes. In particular, it creates a keystroke unhook or bypass method. A program engine hooks windows processes and performs a monitoring action in which it looks for hooked calls. When a hooked call is detected, it injects a program and launches new processes. This method creates a false entry state and a false exit state whereby the keystroke data is passed thru these states, i.e., bypassing a keystroke logger hook, by using a separate windows keyboard driver. This method may counter hook-based key loggers but is likely to cause system instability due to the fact it injects into running window processes, a technique which is known to cause memory corruption and system failures. Moreover, a simple modification by the authors of key logger malware would allow such malware to identify the anti-key logger driver file and hook this process instead, thus allowing the key logger to capture the users keystrokes as they pass through that process. This method does not protect against the action of hook-based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself hooking within the API stack, thus making it ineffective against the current generation of form grabbing key logger malware.
 It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience by, for example, asking the user to determine whether flagged processes or programs should be allowed to operate. The solution of the present invention does not depend on detection of malware at all. The solution of the present invention, instead, defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook-based key loggers that are capable of operating in the presence of scramblers.
 It is the further object of this invention to provide a solution that is compatible with all common widely deployed browsers and without requiring a change of browsers by users.
SUMMARY OF THE INVENTION
 Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments.
 In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention.
 Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
 The present invention provides a system and method for managing malware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library file into the system-wide hook chain, and all key messages are intercepted by the Hook DLL unless it is kicked off the chain by another program or deprived of receiving messages by its top hook DLL. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert, the effect of which is to act to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user computer may already be compromised and that an undetected key logger may be in place. The present system detects attempts to place hooks, by techniques such as modification of important tables or the insertion of inline hooks.
 Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to embody the embodiment in a browser's source code. In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers which have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance or hierarchy of server appliances within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution the software verifies its presence on the PC and identifies itself. In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.
 Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of blacklist, whitelist, or both blacklists and whitelists to the AKL functions. Such signature lists can include known Phishing sites which target the financial institution's accountholders or, in the case of white lists, can include newly launched sites which are used to deliver services to the institution's customers. By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided in small size files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing the ability for malware to comprise the credentials of an online user. Moreover, the server to PC communications processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion. A timelier updating of newly identified malicious sites is a significant benefit given that the window of operation for many Phishing sites is five to twenty four hours which is shorter than the update cycle of most commercial anti-virus and anti-spyware products.
 Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art as these programs are commonly used to provide awareness of the operation of security monitoring functions. When a method according to the invention is incorporated into a software program containing blacklist-driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.
 In an alternative embodiment, software embodying the invention can be packaged as a stand alone component to allow the product to be delivered to the client in a manner requiring minimal interaction. For example, one embodiment would utilize the component object model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.
 In yet another embodiment of the invention, a portable device contains an installable embodiment of the invention. In this form, the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public use or other PC that is not known to be protected by the invention. Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.
 A software program according to one embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes includes a process of detecting a browser form submission initiation call event at the zero-ring level;
a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port. The browser may be Internet Explorer, and the form submission initiation call event takes a form of an on Submit call or a BeforeNavigate call under Internet Explorer. The module for inserting may take a form of a global hook call.
 The predetermined software processes may be integrated into a single browser-called code object. The predetermined software processes maybe contained in a form of a non-executable file. The predetermined software processes may be integrated into the browser, and the browser may be Internet Explorer.
 The module may be embodied in an ActiveX object to operate within the Windows operating system, or embodied in a Browser Helper Object file to operate within the Mozilla Firefox browser. Alternatively, the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from internet, and the cross platform programming language is Java.
 The module may be initiated and called by a web site or a web page, or the module is called locally in conjunction with a specific web site or a web page. Alternatively, the module is downloaded in response to a web page after determining that the module is not present therein.
 The module for inserting and executing the predetermined software processes is dynamically installed in a computer, a mobile communication device or a mobile internet device which is different from the computer, the mobile communication device or the mobile internet device the user keyed in the data for the first time, and automatically uninstalled therefrom the module after the user logs off the different computer, mobile communication device or mobile internet device.
 The software program further comprises a module for detecting malicious behaviors of a known malware, and a module for removing the malware.
 The process of intercepting also encrypts the data inputs keyed in by the user at the zero-ring level, and the module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting data which passed via the 3-ring level. A software program according to another embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises: a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes includes: a process of inserting an initial hook which works within the 0-ring level and prevents any other hooks from inserting at the 0-ring level; a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level; a process of passing the encrypted data to a 3-ring level where a hook inserted by a hook-based key logger; a process of decrypting data which passed via the 3-ring level; and a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.
 A method for preventing software key logging executable by a microprocessor according to yet another embodiment of the invention, comprises: a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes includes: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port.
BRIEF DESCRIPTION OF THE DRAWINGS
 FIG. 1 is a diagram of the context of operation of embodiments of the present invention.
 FIG. 2 is a diagram of the action of the embodiments of the present invention in defeating the operation of form grabbing key loggers.
 FIG. 2A is a diagram of the actions of the embodiments of the present invention in defeating the action of hook-based key loggers.
 FIG. 3 shows block diagrams of the API stacks with and without keyloggers and with protection by the embodiments of the present invention.
 FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.
 FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers.
 FIG. 6 is a diagram that illustrates the manner in which the invention functions to maintain its position in an API stack.
DETAILED DESCRIPTION OF INVENTION
 This invention protects against malicious form-grabbing software and stops it from capturing passwords and other data. Initially, software in accordance with the present invention installs itself at the 0 ring level for all browser events within a stack. This ensures all instances of the web browser are protected. The software in accordance with the present invention installs itself to the stack last, to ensure it is called first to prevent any key logger logic from circumventing the protection. The software in accordance with the present invention is placement aware and renegotiates its location in the API stack to ensure there are no other hooks that circumvent the protection at any time.
 FIG. 1 is an overview of the environment in which embodiments of the invention operate, and the generalized location of other components. At the Keyboard driver level (100) input is provided by a user, the AKL (105) functions at this level to protect the inputted keyboard data. The virtual keyboard (110) is the next step in the flow of inputted keyboard data, and is a corm-non location for a key logger (115) to be present to intercept the inputted data. The operating system (120) receives the inputted keyboard data and passes the data to the application (130) being utilized by the user, which is a location keyloggers (135) also intercept inputted keyboard data. Finally, the application passes the inputted keyboard data to the internet web server (140) per the user request.
 As illustrated in FIG. 2 software in accordance with the invention inserts itself in the API stack last, causing this software to be called first (S200). When a BeforeNavigate event is identified (S210), the software confirms its placement in the API stack (S215). When a form submission on Submit event occurs (S230), the software identifies all forms on the called web page (S220). If forms are present, the software connects to each form submission event (S222), the invention clears all form inputs marked with INPUT or PASSWORD (S224), and then the event handler clears all passwords (S226). The software provides the user inputted data through the OnSubmit event in due course to the designated receiving party, such as a bank (S240). The software also ensures all password forms fields are cleared from the API chain (S235) and thus are unavailable to capture by form grabbing key loggers.
 This embodiment of the invention affects the current BeforeNavigate event handler upon each IE event or the equivalent event handler in other types of browsers. The software then identifies all forms on the web page and in each form then clears the elements with the tag="INPUT" and type="PASSWORD" (S224). The password in each form is cleared per event by the software (S226). Within the Microsoft IE family of browsers, the form element IHTMLFormElement has an OnSubmit event which is also called the BeforeNavigate event. When an 1E document is completed, the software identifies all form submissions on the IE page (S220) and connects to their events (S222). When in the OnSubmit event all the form's data is already in Internet Explorer's Post or Get format (S230). The software clears all password fields related in the chain of passing this data from the browser to the target server (S235). The software clears the data commonly left in the OnSubmit event thereby preventing form grabbing key loggers from harvesting this data.
 There are two types of hooks: thread-specific hooks and system-wide hooks. A thread specific hook is associated only with a particular thread, including any thread owned by the calling process. To associate the anti-key logger hook with other processes and threads, the present invention employs a system-wide hook. Each hook is associated with a hook procedure. This procedure is always called when a particular event occurs. For example, when there is an event associated with the mouse, this hook procedure is called. In Windows®, The hook is set by calling the function SetWindowsHookEx( ). The hook is later removed by calling UnhookWindowsHookEx( ). The invention protects itself at the 0-ring level by creating a wrapper by evoking SetWindowsHookEx(WH_KEYBOARD LL, KeyboardProc, hInst, 0) thereby initiating and maintaining the low global level system hook in the API stack. By continuously refreshing and monitoring this state we can thereby protect and identify any hook attempts from ring 3 and on protecting the 0 ring level. Any attempts to intercept the hook are then rejected and passed down the API chain.
 Typical hook-based key loggers catch each character as it is pressed, while a form grabber connects to IE and browser events and in the BeforeNavigate event, when password fields are already filled, searches the password box on page and retrieves its text, including the full credential set.
 As illustrated in FIG. 2A, the initial hook placed by the present invention works within the 0-ring level and the anti-form grabber code in the same instance (S260). Whereby the protection is called and placed (S262). If an unauthorized call is detected in ring 0, the call is discarded from the API stack (S270). The protection call continues by hooking its protection around the kernel keyboard driver (S274) where it intercepts keystroke interrupt requests and begins its encryption of the keystroke data (S276) received from the keyboard (S272). This data is then passed into the Ring 3 level, the Operating System (S280) then onto the intended application, typically a web browser (S282) whereby the keystrokes are decrypted by the Browser helper object (S284) or other browser plug-in and presented to the web form for submission as normal via the Internet (S290) to the designated receiving entity (S292). Accordingly, the present invention prevents the action of hook-based software key loggers as well as form grabbing key loggers.
 Referring to FIG. 3, the first API stack, titled Typical Web Browser API Stack, shows the zero ring hardware driver (300) interacting with the web browser (305) as the two sole objects in the API stack. The second API stack, labeled Web Browser API Stack with Keylogger, shows both the zero ring (300) and the web browser (305, with the keylogger (310) running between both objects in the API stack intercepting all keyboard input destined to the browser.
 The third API stack represents all the previous objects in the API stack, zero ring (300), keylogger (310), and web browser (305). Included in stack, in proper order, is the inclusion of the software which counters any keylogger in the API stack. Referring to FIG. 4, in a preferred embodiment of the invention, the software containing anti-key logger functionality (420) is distributed by a financial institution (400) to thousands or millions of its customers which have online access to their accounts through browsers based on individual PCs or other computing devices (410).
 FIG. 5 is an example of a typical form used with a browser. Sensitive customer credentials and information are submitted through such forms to web sites of financial institutions in order to gain access to customer accounts. Such forms are also used to verify the identity of a customer and convey credit card or other payment data during an online purchase. Similar forms are used to gain access to web sites that may not involve financial accounts but which may contain confidential information including personally identifiable information, government records, health records, or other information that is private, proprietary or commercially sensitive.
 FIG. 6 illustrates the manner in which the invention functions to maintain its position in the API stack by illustration of its relation to kernel ring calls. The Ring 0 API is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory (650). This is also known as the kernel level. Under the present invention, protection is inserted at this level (660) whereby the protection can determine if an unauthorized 0 ring call is being made (670) at which time it is bounced from the API chain. If no attempt is detected the calls are passed to Ring 3 (Software level) (680) at which time calls are passed to the browser (682). The browser handles requests or HTML post/get commands and credentials are passed to the beforeNavigate event (684) then on to the on Submit event (686) whereby user credentials are sent over the internet (688) to the intended receiving entity (690).
 While the foregoing description utilizes Internet Explorer® as an example, the invention is not limited to this browser but can be utilized with any internet browser, including but not limited to Firefox®, Safari® or Opera®. In summary, the following are the steps in the operation of a preferred embodiment of the present invention:
 Set a hook at 0 ring in the API stack
 Pass data to DLL
 Detect any form submission event
 Allow form data submission
 Clear form data
 The invention protects against at least the following threats:
 Window title enumeration using FindWindow( )
 BHO or Firefox Browser Extension hooks
 LSP (Layered Service Provider)
 DDE (Dynamic Data Exchange) using WWW_GetWindowInfo topic
 OLE (Object Linking and Embedding) using IWebBrowser2
 Hooking (e.g. Winlnet HttpSendRequest, SetWindowsHookEx+WH GET_MESSAGE/WH_KEYBOARD)
 Form grabber key loggers gathering browser location (current URL) by disabling the hook DdeConnect( ) with topic "WWW_GetWindowInfo".
 The software modules or processes of the present invention can all be called in a single file object. The present invention can be integrated into the browser itself Alternatively, the present invention can be invoked/downloaded by an individual web page or website.
 If a registered user try to initial the present invention form a different computer, the present invention will uninstall itself after operation in the different computer. The present invention can be a part of an enterprise implementation with a master server.
System and Method Implementation
 Portions of the present invention may be applied to general purpose or a specialized digital device, computer system, server, computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the art of communication, computer and e-commerce. The microprocessor can be embedded in a computer, a mobile communication device or a mobile internet device. The mobile communication device may be a cellular phone, a radio phone, a satellite phone, or a smartphone.
 The mobile internet device may be a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer.
 Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.
 The present invention includes a computer program product which is embedded in a storage/recording medium (media) having instructions stored thereon/in which can be used to control, or cause, a microprocessor or a computer to perform any of the processes of the present invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, mini disks (MD's), optical discs, DVD, CD-ROMS, micro-drive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices (including flash cards, USP drivers), magnetic or optical cards, nanosystems (including molecular memory ICs), RAID devices, remote data storage/archive/warehousing, or any type of media or device suitable for storing instructions and/or data. Stored on any one of the computer readable medium (media), the present invention includes software for controlling both the hardware of the general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention. Such software may include, but is not limited to, device drivers, operating systems, and user ateValueKey, NTDLL!NtResu, such computer readable media further includes software for performing the present invention, as described above. Included in the programming (software) of the general/specialized computer or microprocessor are software modules for implementing the teachings of the present invention.
 In conclusion, the present invention provides, among other things, a system and method for protecting against form-grabbing and other key loggers. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed exemplary forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the embodiments.
Patent applications by Lloyd Liske, Courtenay CA
Patent applications in class Intrusion detection
Patent applications in all subclasses Intrusion detection