US20070169191A1 - Method and system for detecting a keylogger that encrypts data captured on a computer - Google Patents

Method and system for detecting a keylogger that encrypts data captured on a computer Download PDF

Info

Publication number
US20070169191A1
Authority
US
United States
Prior art keywords
patterns
sub
computer
memory
keylogger
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/492,581
Inventor
Michael Greene
Matt Parker
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Webroot Inc
Original Assignee
Individual
Assigned to Webroot Software, Inc. (assignors: Parker, Matt; Greene, Michael P.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/83 Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/031 Protect user input by software means
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Definitions

  • the present invention relates generally to the detection of pestware or malware on computers.
  • the present invention relates to methods and systems for detecting keyloggers.
  • malware can compromise a user's privacy by sending sensitive information about the user or the user's computer to a remote destination without the user's knowledge or permission.
  • malware is commonly referred to as “spyware.”
  • One particular type of spyware, a “keylogger,” secretly records a user's keystrokes as the user types on a keyboard and captures the resulting text in a data file, which is often encrypted.
  • the keylogger may also secretly send the captured data file to a remote destination by e-mail or some other communication protocol.
  • Such a keylogger can be used by a remote party to acquire information such as credit card numbers, social security numbers, and other sensitive information.
  • Some anti-pestware programs detect keyloggers by inputting a known, typically repeating, data pattern to the system in a manner that appears to the system to be keyboard input and searching process memory for the known data pattern. This method fails, however, when the keylogger encrypts the data it captures. In that case, the data captured by the keylogger appears to be completely different from the input “decoy” data pattern.
  • Some keyloggers also evade detection by writing their memory buffers to a disk file very shortly after capturing a group of keystrokes and flushing their memory buffers.
  • the present invention can provide a method and system for identifying a keylogger that encrypts data captured on a computer.
  • One illustrative embodiment is a method comprising acquiring a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
  • Another illustrative embodiment is a system comprising a data acquisition module configured to acquire first and second samples of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample and to flag the running process as a potential keylogger when the at least one data segment contains a second data pattern that matches the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
  • FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention
  • FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention
  • FIG. 2B is an illustration of an encrypted data pattern corresponding to the data pattern shown in FIG. 2A in accordance with an illustrative embodiment of the invention.
  • FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer, in accordance with an illustrative embodiment of the invention.
  • a keylogger on a computer is detected by inputting to the computer, in a manner mimicking keyboard input, a data pattern that can be recognized in memory despite that data pattern being encrypted and searching the memory for the altered but still-recognizable data pattern.
  • “memory” can be any computer storage medium, including, without limitation, random access memory (RAM) and non-volatile storage such as a magnetic disk drive.
  • the input data pattern can be rendered recognizable in memory despite encryption by structuring it as a “pattern of repeating sub-patterns.” That is, the input data pattern consists of at least one occurrence of each of a set of distinct sub-patterns (e.g., sub-strings).
  • the “pattern of repeating sub-patterns” in the input data pattern can still be recognized within the encrypted data even though the sub-patterns in the input and encrypted data patterns are completely different.
  • the running process whose memory has been scanned can be flagged as a potential keylogger.
  • a user may be notified that the running process has been flagged as a potential keylogger.
  • the above process of injecting a structured data pattern and searching changed process memory for a recognizable encrypted data pattern can be performed multiple times for a given running process.
  • FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention.
  • Computer 100 can be a desktop computer, workstation, laptop computer, notebook computer, handheld computer, or any other device that includes computing functionality.
  • processor 105 communicates over data bus 110 with input devices 115 , display 120 , storage device 125 , and memory 130 .
  • Input devices 115 may be, for example, a keyboard and a mouse or other pointing device.
  • storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs).
  • Memory 130 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.
  • memory 130 contains keylogger detection system 135 and an arbitrary running process 140 .
  • Keylogger detection system 135 detects keyloggers on computer 100 and, when appropriate, removes them from computer 100 .
  • keylogger detection system 135 is an application program stored on a computer-readable storage medium of computer 100 (e.g., storage device 125 ) that can be loaded into memory 130 and executed by processor 105 .
  • the functionality of keylogger detection system 135 can be implemented in software, firmware, hardware, or any combination thereof.
  • keylogger detection system 135 has been divided into three functional modules: data acquisition module 145 , data injection module 150 , and analysis module 155 .
  • keylogger detection system 135 includes additional user-interface and keylogger-removal modules (not shown in FIG. 1 ) for interacting with a user and removing keyloggers from computer 100 , respectively.
  • the functionality of these functional modules may be combined or subdivided in a variety of ways.
  • analysis module 155 may be configured to include user-interface and keylogger-removal functionality.
  • Data acquisition module 145 is configured to read a portion of the memory of computer 100 associated with a running process 140 .
  • the memory read may be executable-program and data memory (e.g., a RAM portion of memory 130 ) associated with running process 140 or non-volatile memory associated with running process 140 such as a disk file on storage device 125 .
  • Data injection module 150 is configured to input to computer 100 , in a manner that mimics keyboard input, an input data pattern consisting of one or more occurrences of each of a set of distinct sub-patterns.
  • data injection module 150 injects the input data pattern at a time between the acquisition of two separate samples of the memory associated with running process 140 by data acquisition module 145 .
  • the staggered-time process memory samples allow analysis module 155 to look for regions of change in the memory associated with a particular running process 140 , narrowing the search for a recognizable data pattern among the encrypted data captured by a keylogger.
  • data injection module 150 mimics keyboard input by generating the input data pattern using a driver-level process associated with keylogger detection system 135 and sending the input data pattern to a hidden window (e.g., a one-pixel window) on computer 100 .
  • Analysis module 155 is configured to examine samples of memory associated with a given running process 140 that have been acquired by data acquisition module 145 to determine whether a later sample has changed relative to an earlier sample. Once one or more such regions of changed process memory have been identified, analysis module 155 examines those regions for an encrypted data pattern having the same structure (“pattern of repeating sub-patterns”) as the input data pattern. If such an encrypted data pattern is found, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 also alerts a user that running process 140 is a potential keylogger. In other embodiments, keylogger detection system 135 may offer the user the option of removing the suspected keylogger from computer 100 .
  • FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention.
  • Input data pattern 200 may be American Standard Code for Information Interchange (ASCII) text, binary data, or data represented in some other format.
  • input data pattern 200 consists of two repeating sub-patterns, sub-pattern 205 (“ABC”) and sub-pattern 210 (“DEFG”). For clarity, spaces have been added between occurrences of sub-pattern 205 and sub-pattern 210 in FIG. 2A .
  • FIG. 2B is an illustration of an encrypted data pattern corresponding to input data pattern 200 shown in FIG. 2A in accordance with an illustrative embodiment of the invention.
  • a keylogger has used a block cipher to produce encrypted data pattern 215 , which consists of two repeating sub-patterns, sub-pattern 220 (“123”) and sub-pattern 225 (“4567”). For clarity, spaces have been added between sub-patterns 220 and 225 in FIG. 2B .
  • For simplicity, only two distinct sub-patterns are shown in FIGS. 2A and 2B . In other embodiments, more than two distinct sub-patterns are used, and input data pattern 200 is larger than the simplified example shown in FIG. 2A .
  • Analysis module 155 can recognize the correspondence between input data pattern 200 and encrypted data pattern 215 by identifying the repeating sub-patterns 220 and 225 in the memory associated with a running process 140 (a keylogger) and verifying that those repeating sub-patterns 220 and 225 satisfy certain further conditions for input data pattern 200 and encrypted data pattern 215 to have the same overall structure (“pattern of repeating sub-patterns”).
  • One condition is that each sub-pattern in encrypted data pattern 215 occur the same number of times in encrypted data pattern 215 as a unique corresponding sub-pattern in input data pattern 200 occurs in input data pattern 200 .
  • Another condition is that the sub-patterns in encrypted data pattern 215 occur in the same order as the corresponding unique sub-patterns occur in input data pattern 200 .
  • sub-pattern 205 in input data pattern 200 and sub-pattern 220 in encrypted data pattern 215 both occur four times in their respective data patterns.
  • sub-pattern 210 in input data pattern 200 and sub-pattern 225 in encrypted data pattern 215 both occur twice. Therefore, the first condition above is satisfied.
  • the corresponding sub-patterns that occur with the same frequency in the respective data patterns also appear in the same order in both data patterns.
  • both input data pattern 200 and encrypted data pattern 215 have the same overall structure or “pattern of repeating sub-patterns”: “S 1 S 1 S 2 S 2 S 1 S 1 , ” where S 1 and S 2 are distinct sub-patterns. That the sub-patterns are completely different in the two data patterns does not matter because encrypted data pattern 215 can still be recognized, based on its structure of repeating sub-patterns, as being derived from input data pattern 200 .
  • The techniques described in connection with FIGS. 2A and 2B are suitable for any keylogger employing a block cipher for encryption.
  • One common type of block cipher is electronic-codebook (ECB) encryption.
  • More complex types of encryption, such as a chain-block cipher, which encodes a given input differently from occurrence to occurrence, are not frequently used by keyloggers.
  • Any suitable pattern-recognition techniques including techniques different from those discussed in connection with FIGS. 2A and 2B , may be used to identify encrypted data pattern 215 .
  • Although FIGS. 2A and 2B show a one-to-one correspondence between the number of characters in an input sub-pattern and the number of characters in the corresponding encrypted sub-pattern, this is not a requirement. So long as the encryption scheme outputs the same symbol or group of symbols for a given input each time that input occurs, the number of input and corresponding output (encrypted) characters may be different. For example, the above techniques could be used with an encryption algorithm whose codebook causes every occurrence of “ABC” to be encrypted as “12345.” In such a case, the “pattern of repeating sub-patterns” can still be recognized using the same techniques explained above.
  • FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer 100 , in accordance with an illustrative embodiment of the invention.
  • data acquisition module 145 reads a first sample of a portion of the memory of computer 100 that is associated with a running process 140 .
  • data injection module 150 inputs to computer 100 , in a manner mimicking keyboard input, an input data pattern 200 made up of distinct, repeating sub-patterns as explained in connection with FIGS. 2A and 2B .
  • data acquisition module 145 reads a second, later sample of the portion of the memory of computer 100 associated with running process 140 .
  • analysis module 155 compares the first and second samples read by data acquisition module to identify one or more regions of the second sample that have changed relative to the first sample. If such regions are found at 325 , analysis module 155 analyzes those changed regions of process memory at 330 to determine whether an encrypted data pattern 215 having the same overall structure of sub-patterns—despite the sub-patterns themselves being different—is present. If a matching data pattern is found at 335 , analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 notifies a user of computer 100 that running process 140 is a potential keylogger. At 345 , the process terminates.
  • a user-interface function of keylogger detection system 135 can offer a user of computer 100 the option of removing the suspected keylogger from computer 100 .
  • keylogger detection system 135 then removes the suspected keylogger from computer 100 .
  • removal of a suspected keylogger 135 is performed automatically without the need for user input.
  • the present invention provides, among other things, method and system for identifying keyloggers that encrypt data captured on a computer.
  • Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use, and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed illustrative forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims.

Abstract

A method and system for detecting a keylogger that encrypts data captured on a computer. One illustrative embodiment acquires a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputs to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquires a second sample of the portion of the memory; compares the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flags the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.

Description

  • RELATED APPLICATIONS
  • The present application is related to commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.
  • FIELD OF THE INVENTION
  • The present invention relates generally to the detection of pestware or malware on computers. In particular, but without limitation, the present invention relates to methods and systems for detecting keyloggers.
  • BACKGROUND OF THE INVENTION
  • Protecting personal computers from a never-ending onslaught of pestware or malware has become increasingly important and challenging. Some types of pestware or malware can compromise a user's privacy by sending sensitive information about the user or the user's computer to a remote destination without the user's knowledge or permission. Such malware is commonly referred to as “spyware.” One particular type of spyware, a “keylogger,” secretly records a user's keystrokes as the user types on a keyboard and captures the resulting text in a data file, which is often encrypted. The keylogger may also secretly send the captured data file to a remote destination by e-mail or some other communication protocol. Such a keylogger can be used by a remote party to acquire information such as credit card numbers, social security numbers, and other sensitive information.
  • Clearly, computer users have a strong motivation to detect and remove unwanted keyloggers from their systems. Many computer users rely on anti-pestware programs to detect and remove such threats. Some anti-pestware programs detect keyloggers by inputting a known, typically repeating, data pattern to the system in a manner that appears to the system to be keyboard input and searching process memory for the known data pattern. This method fails, however, when the keylogger encrypts the data it captures. In that case, the data captured by the keylogger appears to be completely different from the input “decoy” data pattern. Some keyloggers also evade detection by writing their memory buffers to a disk file very shortly after capturing a group of keystrokes and flushing their memory buffers.
  • It is thus apparent that there is a need in the art for an improved method and system for detecting keyloggers that encrypt data captured on a computer.
  • SUMMARY OF THE INVENTION
  • Illustrative embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents, and alternative constructions that fall within the spirit and scope of the invention as expressed in the claims.
  • The present invention can provide a method and system for identifying a keylogger that encrypts data captured on a computer. One illustrative embodiment is a method comprising acquiring a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
  • Another illustrative embodiment is a system comprising a data acquisition module configured to acquire first and second samples of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample and to flag the running process as a potential keylogger when the at least one data segment contains a second data pattern that matches the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Various objects and advantages and a more complete understanding of the present invention are apparent and more readily appreciated by reference to the following Detailed Description and to the appended claims when taken in conjunction with the accompanying Drawings, wherein:
  • FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention;
  • FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention;
  • FIG. 2B is an illustration of an encrypted data pattern corresponding to the data pattern shown in FIG. 2A in accordance with an illustrative embodiment of the invention; and
  • FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer, in accordance with an illustrative embodiment of the invention.
  • DETAILED DESCRIPTION
  • In one illustrative embodiment of the invention, a keylogger on a computer is detected by inputting to the computer, in a manner mimicking keyboard input, a data pattern that can be recognized in memory despite that data pattern being encrypted and searching the memory for the altered but still-recognizable data pattern. In this embodiment, “memory” can be any computer storage medium, including, without limitation, random access memory (RAM) and non-volatile storage such as a magnetic disk drive.
  • The input data pattern can be rendered recognizable in memory despite encryption by structuring it as a “pattern of repeating sub-patterns.” That is, the input data pattern consists of at least one occurrence of each of a set of distinct sub-patterns (e.g., sub-strings). When a keylogger employs an encryption algorithm that produces a consistent output each time a given input occurs, the “pattern of repeating sub-patterns” in the input data pattern can still be recognized within the encrypted data even though the sub-patterns in the input and encrypted data patterns are completely different. When the overall structure of the input data pattern is recognized among the encrypted data, the running process whose memory has been scanned can be flagged as a potential keylogger. Optionally, a user may be notified that the running process has been flagged as a potential keylogger.
  • To improve the reliability of keylogger detection, the above process of injecting a structured data pattern and searching changed process memory for a recognizable encrypted data pattern can be performed multiple times for a given running process.
  • Referring now to the drawings, where like or similar elements are designated with identical reference numerals throughout the several views, and referring in particular to FIG. 1, it is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention. Computer 100 can be a desktop computer, workstation, laptop computer, notebook computer, handheld computer, or any other device that includes computing functionality. In FIG. 1, processor 105 communicates over data bus 110 with input devices 115, display 120, storage device 125, and memory 130.
  • Input devices 115 may be, for example, a keyboard and a mouse or other pointing device. In an illustrative embodiment, storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs). Memory 130 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.
  • In this illustrative embodiment, memory 130 contains keylogger detection system 135 and an arbitrary running process 140. Keylogger detection system 135 detects keyloggers on computer 100 and, when appropriate, removes them from computer 100. In the illustrative embodiment of FIG. 1, keylogger detection system 135 is an application program stored on a computer-readable storage medium of computer 100 (e.g., storage device 125) that can be loaded into memory 130 and executed by processor 105. In other embodiments, the functionality of keylogger detection system 135 can be implemented in software, firmware, hardware, or any combination thereof.
  • For convenience in this Detailed Description, the functionality of keylogger detection system 135 has been divided into three functional modules: data acquisition module 145, data injection module 150, and analysis module 155. In some embodiments, keylogger detection system 135 includes additional user-interface and keylogger-removal modules (not shown in FIG. 1) for interacting with a user and removing keyloggers from computer 100, respectively. In various embodiments of the invention, the functionality of these functional modules may be combined or subdivided in a variety of ways. For example, in some embodiments, analysis module 155 may be configured to include user-interface and keylogger-removal functionality.
  • Data acquisition module 145 is configured to read a portion of the memory of computer 100 associated with a running process 140. The memory read may be executable-program and data memory (e.g., a RAM portion of memory 130) associated with running process 140 or non-volatile memory associated with running process 140 such as a disk file on storage device 125.
  • Data injection module 150 is configured to input to computer 100, in a manner that mimics keyboard input, an input data pattern consisting of one or more occurrences of each of a set of distinct sub-patterns. In this illustrative embodiment, data injection module 150 injects the input data pattern at a time between the acquisition of two separate samples of the memory associated with running process 140 by data acquisition module 145. The staggered-time process memory samples allow analysis module 155 to look for regions of change in the memory associated with a particular running process 140, narrowing the search for a recognizable data pattern among the encrypted data captured by a keylogger.
  • In one embodiment, data injection module 150 mimics keyboard input by generating the input data pattern using a driver-level process associated with keylogger detection system 135 and sending the input data pattern to a hidden window (e.g., a one-pixel window) on computer 100. Techniques for employing such a driver and hidden window in the detection of keyloggers are explained more fully in commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.
  • Analysis module 155 is configured to examine samples of memory associated with a given running process 140 that have been acquired by data acquisition module 145 to determine whether a later sample has changed relative to an earlier sample. Once one or more such regions of changed process memory have been identified, analysis module 155 examines those regions for an encrypted data pattern having the same structure (“pattern of repeating sub-patterns”) as the input data pattern. If such an encrypted data pattern is found, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 also alerts a user that running process 140 is a potential keylogger. In other embodiments, keylogger detection system 135 may offer the user the option of removing the suspected keylogger from computer 100.
  • FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention. Input data pattern 200 may be American Standard Code for Information Interchange (ASCII) text, binary data, or data represented in some other format. In this simplified example, input data pattern 200 consists of two repeating sub-patterns, sub-pattern 205 (“ABC”) and sub-pattern 210 (“DEFG”). For clarity, spaces have been added between occurrences of sub-pattern 205 and sub-pattern 210 in FIG. 2A.
  • FIG. 2B is an illustration of an encrypted data pattern corresponding to input data pattern 200 shown in FIG. 2A in accordance with an illustrative embodiment of the invention. In this example, a keylogger has used a block cipher to produce encrypted data pattern 215, which consists of two repeating sub-patterns, sub-pattern 220 (“123”) and sub-pattern 225 (“4567”). For clarity, spaces have been added between sub-patterns 220 and 225 in FIG. 2B.
  • For simplicity, only two distinct sub-patterns are shown in FIGS. 2A and 2B. In other embodiments, more than two distinct sub-patterns are used, and input data pattern 200 is larger than the simplified example shown in FIG. 2A.
  • Analysis module 155 can recognize the correspondence between input data pattern 200 and encrypted data pattern 215 by identifying the repeating sub-patterns 220 and 225 in the memory associated with a running process 140 (a keylogger) and verifying that those repeating sub-patterns 220 and 225 satisfy certain further conditions for input data pattern 200 and encrypted data pattern 215 to have the same overall structure (“pattern of repeating sub-patterns”). One condition is that each sub-pattern in encrypted data pattern 215 occur the same number of times in encrypted data pattern 215 as a unique corresponding sub-pattern in input data pattern 200 occurs in input data pattern 200. Another condition is that the sub-patterns in encrypted data pattern 215 occur in the same order as the corresponding unique sub-patterns occur in input data pattern 200.
  • In the example of FIGS. 2A and 2B, sub-pattern 205 in input data pattern 200 and sub-pattern 220 in encrypted data pattern 215 both occur four times in their respective data patterns. Likewise, sub-pattern 210 in input data pattern 200 and sub-pattern 225 in encrypted data pattern 215 both occur twice. Therefore, the first condition above is satisfied. Further, the corresponding sub-patterns that occur with the same frequency in the respective data patterns also appear in the same order in both data patterns. Thus, both input data pattern 200 and encrypted data pattern 215 have the same overall structure or “pattern of repeating sub-patterns”: “S1 S1 S2 S2 S1 S1,” where S1 and S2 are distinct sub-patterns. That the sub-patterns themselves are completely different in the two data patterns does not matter, because encrypted data pattern 215 can still be recognized, based on its structure of repeating sub-patterns, as being derived from input data pattern 200.
  • The techniques described in connection with FIGS. 2A and 2B are suitable for any keylogger that encrypts captured data with a block cipher in a mode that produces the same output for a given input each time that input occurs. One common block-cipher mode of this kind is electronic-codebook (ECB) encryption. More complex modes such as cipher-block chaining (CBC), which encode a given input differently from occurrence to occurrence, are not frequently used by keyloggers. Those skilled in the art will recognize that any suitable pattern-recognition techniques, including techniques different from those discussed in connection with FIGS. 2A and 2B, may be used to identify encrypted data pattern 215.
  • Those skilled in the art will recognize that even though the example of FIGS. 2A and 2B shows a one-to-one correspondence between the number of characters in an input sub-pattern and the number of characters in the corresponding encrypted sub-pattern, this is not a requirement. So long as the encryption scheme outputs the same symbol or group of symbols for a given input each time that input occurs, the number of input and corresponding output (encrypted) characters may be different. For example, the above techniques could be used with an encryption algorithm whose codebook causes every occurrence of “ABC” to be encrypted as “12345.” In such a case, the “pattern of repeating sub-patterns” can still be recognized using the same techniques explained above.
  • FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer 100, in accordance with an illustrative embodiment of the invention. At 305, data acquisition module 145 reads a first sample of a portion of the memory of computer 100 that is associated with a running process 140. At 310, data injection module 150 inputs to computer 100, in a manner mimicking keyboard input, an input data pattern 200 made up of distinct, repeating sub-patterns as explained in connection with FIGS. 2A and 2B. At 315, data acquisition module 145 reads a second, later sample of the portion of the memory of computer 100 associated with running process 140. At 320, analysis module 155 compares the first and second samples read by data acquisition module 145 to identify one or more regions of the second sample that have changed relative to the first sample. If such regions are found at 325, analysis module 155 analyzes those changed regions of process memory at 330 to determine whether an encrypted data pattern 215 having the same overall structure of sub-patterns, despite the sub-patterns themselves being different, is present. If a matching data pattern is found at 335, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 notifies a user of computer 100 that running process 140 is a potential keylogger. At 345, the process terminates.
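The following is an added example, not code from the patent or from its assignee, of the analysis-module logic in blocks 320 through 335: it diffs two memory samples, then searches each changed region for the input pattern's "pattern of repeating sub-patterns" rather than for the plaintext bytes. The memory samples, the gap tolerance used when merging changed bytes, and the bounds on encrypted sub-pattern length are constructed assumptions; the search also handles the FIG. 2A/2B case where an encrypted sub-pattern is a different length from its plaintext.

```python
"""Analysis-module logic for the FIG. 3 procedure: diff two process-memory
samples, then search the changed regions for the input data pattern's
'pattern of repeating sub-patterns'. Added example, not the patent's code."""
import itertools
from typing import Dict, List, Optional, Sequence, Tuple

Region = Tuple[int, int]                 # [start, end) byte offsets
Match = Tuple[int, Dict[int, bytes]]     # offset, symbol -> encrypted chunk

def structure_of(tokens: Sequence[bytes]) -> List[int]:
    """Reduce an input data pattern to the shape that survives a codebook
    cipher: [b"ABC", b"ABC", b"DEFG", b"DEFG", b"ABC", b"ABC"] -> [0,0,1,1,0,0].
    Only this shape is searched for later, never the plaintext bytes."""
    ids: Dict[bytes, int] = {}
    return [ids.setdefault(t, len(ids)) for t in tokens]

def changed_regions(before: bytes, after: bytes, max_gap: int = 8) -> List[Region]:
    """Compare two samples of one memory range (blocks 305/315/320) and return
    the ranges that changed. Differing bytes closer together than max_gap (an
    assumed tolerance) are merged, because a ciphertext byte can by chance
    equal the byte it overwrote and would otherwise split one write in two."""
    if len(before) != len(after):
        raise ValueError("samples must cover the same memory range")
    regions: List[Region] = []
    start = last = -1
    for i, (b, a) in enumerate(zip(before, after)):
        if b == a:
            continue
        if start < 0:
            start = last = i
        elif i - last > max_gap:
            regions.append((start, last + 1))
            start = last = i
        else:
            last = i
    if start >= 0:
        regions.append((start, last + 1))
    return regions

def _parse_at(data: bytes, offset: int, structure: Sequence[int],
              lengths: Sequence[int]) -> Optional[Dict[int, bytes]]:
    """Walk the structure from offset with a fixed chunk length per symbol.
    The first chunk seen for a symbol binds it; every later occurrence must
    repeat it byte for byte (the same-input/same-output property the method
    relies on), and distinct symbols must bind to distinct chunks."""
    bound: Dict[int, bytes] = {}
    pos = offset
    for sym in structure:
        chunk = data[pos:pos + lengths[sym]]
        if len(chunk) != lengths[sym]:
            return None
        if sym in bound:
            if bound[sym] != chunk:
                return None
        elif chunk in bound.values():
            return None
        else:
            bound[sym] = chunk
        pos += lengths[sym]
    return bound

def find_structure(data: bytes, structure: Sequence[int],
                   min_len: int = 2, max_len: int = 16) -> Optional[Match]:
    """Search data for any byte sequence with the given structure. Encrypted
    chunk lengths are unknown and need not equal the plaintext lengths ("ABC"
    may come out as "12345"), so every per-symbol length in [min_len, max_len]
    (assumed bounds) is tried, longest first, so that a short coincidental
    repeat inside a real match is not preferred over the real one."""
    nsyms = max(structure) + 1
    lens = range(max_len, min_len - 1, -1)
    for offset in range(len(data)):
        for combo in itertools.product(lens, repeat=nsyms):
            bound = _parse_at(data, offset, structure, combo)
            if bound is not None:
                return offset, bound
    return None

def analyze(before: bytes, after: bytes,
            input_tokens: Sequence[bytes]) -> Optional[Match]:
    """One pass of blocks 320-335: report (absolute offset, bindings) when any
    changed region carries the input pattern's structure, else None."""
    structure = structure_of(input_tokens)
    for start, end in changed_regions(before, after):
        hit = find_structure(after[start:end], structure)
        if hit is not None:
            return start + hit[0], hit[1]
    return None

# Constructed samples: a process whose memory is a byte ramp, into which a
# codebook-encrypted copy of the FIG. 2A/2B pattern is written at offset 100.
INPUT_TOKENS = [b"ABC", b"ABC", b"DEFG", b"DEFG", b"ABC", b"ABC"]
BEFORE = bytes(range(256))
CIPHERTEXT = b"123" * 2 + b"4567" * 2 + b"123" * 2     # FIG. 2B without spaces
AFTER = BEFORE[:100] + CIPHERTEXT + BEFORE[100 + len(CIPHERTEXT):]
# A benign process also changes 20 bytes, but with no repeating structure.
BENIGN_AFTER = BEFORE[:100] + bytes(range(255, 235, -1)) + BEFORE[120:]
```

`analyze(BEFORE, AFTER, INPUT_TOKENS)` returns `(100, {0: b'123', 1: b'4567'})`, while the benign sample yields `None` even though its memory changed by the same amount.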
  • Many variations of the method diagrammed in FIG. 3 are possible. For example, all of the actions shown in FIG. 3 can be repeated multiple times for a given running process 140 to increase the reliability of keylogger detection system 135. Also, if no changed process-memory data is found at 325, the process can return to Block 305 for another attempt. Once analysis module 155 has identified a potential keylogger, a user-interface function of keylogger detection system 135 can offer a user of computer 100 the option of removing the suspected keylogger from computer 100. In response to input from the user, keylogger detection system 135 then removes the suspected keylogger from computer 100. In other embodiments, removal of a suspected keylogger is performed automatically without the need for user input.
  • In conclusion, the present invention provides, among other things, a method and system for identifying keyloggers that encrypt data captured on a computer. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use, and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed illustrative forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims.

Claims (17)

1. A method for detecting a keylogger that encrypts data captured on a computer, the method comprising:
acquiring a first sample of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns;
acquiring a second sample of the portion of the memory;
comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flagging the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
2. The method of claim 1, wherein the method is performed a plurality of times for a particular running process.
3. The method of claim 1, further comprising:
notifying a user that the running process is a potential keylogger when the running process has been flagged as a potential keylogger.
4. The method of claim 1, further comprising:
automatically removing the running process from the computer when the running process has been flagged as a potential keylogger.
5. The method of claim 1, further comprising:
removing the running process from the computer in response to user input when the running process has been flagged as a potential keylogger.
6. The method of claim 1, wherein the memory is random-access memory.
7. The method of claim 1, wherein the memory is a non-volatile memory.
8. The method of claim 1, wherein the first and second sets of distinct sub-patterns are disjoint.
9. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising:
a data acquisition module configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and
an analysis module configured to:
compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flag the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
10. The system of claim 9, wherein the analysis module is further configured to notify a user that the running process is a potential keylogger when the analysis module has flagged the running process as a potential keylogger.
11. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer automatically when the analysis module has flagged the running process as a potential keylogger.
12. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer in response to user input when the analysis module has flagged the running process as a potential keylogger.
13. The system of claim 9, wherein the memory is random access memory.
14. The system of claim 9, wherein the memory is a non-volatile memory.
15. The system of claim 9, wherein the first and second sets of distinct sub-patterns are disjoint.
16. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising:
means for acquiring first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
means for inputting to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns;
means for comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
means for flagging the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
17. A computer-readable storage medium containing program instructions executable by a processor to detect a keylogger that encrypts data captured on a computer, the program instructions comprising:
a first instruction segment configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
a second instruction segment configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and
a third instruction segment configured to:
compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flag the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
US11/492,581 2006-01-18 2006-07-25 Method and system for detecting a keylogger that encrypts data captured on a computer Abandoned US20070169191A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/492,581 US20070169191A1 (en) 2006-01-18 2006-07-25 Method and system for detecting a keylogger that encrypts data captured on a computer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/334,318 US7721333B2 (en) 2006-01-18 2006-01-18 Method and system for detecting a keylogger on a computer
US11/492,581 US20070169191A1 (en) 2006-01-18 2006-07-25 Method and system for detecting a keylogger that encrypts data captured on a computer

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/334,318 Continuation US7721333B2 (en) 2006-01-18 2006-01-18 Method and system for detecting a keylogger on a computer

Publications (1)

Publication Number Publication Date
US20070169191A1 true US20070169191A1 (en) 2007-07-19

Family

ID=38264948

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/334,318 Active 2029-03-20 US7721333B2 (en) 2006-01-18 2006-01-18 Method and system for detecting a keylogger on a computer
US11/492,581 Abandoned US20070169191A1 (en) 2006-01-18 2006-07-25 Method and system for detecting a keylogger that encrypts data captured on a computer

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/334,318 Active 2029-03-20 US7721333B2 (en) 2006-01-18 2006-01-18 Method and system for detecting a keylogger on a computer

Country Status (3)

Country Link
US (2) US7721333B2 (en)
EP (1) EP1989628A2 (en)
WO (1) WO2007106609A2 (en)

US6397264B1 (en) * 1999-11-01 2002-05-28 Rstar Corporation Multi-browser client architecture for managing multiple applications having a history list
US6535931B1 (en) * 1999-12-13 2003-03-18 International Business Machines Corp. Extended keyboard support in a run time environment for keys not recognizable on standard or non-standard keyboards
US7058822B2 (en) * 2000-03-30 2006-06-06 Finjan Software, Ltd. Malicious mobile code runtime monitoring system and methods
US20050154885A1 (en) * 2000-05-15 2005-07-14 Interfuse Technology, Inc. Electronic data security system and method
US20040034794A1 (en) * 2000-05-28 2004-02-19 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US6829654B1 (en) * 2000-06-23 2004-12-07 Cloudshield Technologies, Inc. Apparatus and method for virtual edge placement of web sites
US6667751B1 (en) * 2000-07-13 2003-12-23 International Business Machines Corporation Linear web browser history viewer
US6910134B1 (en) * 2000-08-29 2005-06-21 Netrake Corporation Method and device for innoculating email infected with a virus
US6785732B1 (en) * 2000-09-11 2004-08-31 International Business Machines Corporation Web server apparatus and method for virus checking
US20020166063A1 (en) * 2001-03-01 2002-11-07 Cyber Operations, Llc System and method for anti-network terrorism
US20020162015A1 (en) * 2001-04-29 2002-10-31 Zhaomiao Tang Method and system for scanning and cleaning known and unknown computer viruses, recording medium and transmission medium therefor
US20030159070A1 (en) * 2001-05-28 2003-08-21 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20030065943A1 (en) * 2001-09-28 2003-04-03 Christoph Geis Method and apparatus for recognizing and reacting to denial of service attacks on a computerized network
US20030074581A1 (en) * 2001-10-15 2003-04-17 Hursey Neil John Updating malware definition data for mobile data processing devices
US7107617B2 (en) * 2001-10-15 2006-09-12 Mcafee, Inc. Malware scanning of compressed computer files
US20030101381A1 (en) * 2001-11-29 2003-05-29 Nikolay Mateev System and method for virus checking software
US6633835B1 (en) * 2002-01-10 2003-10-14 Networks Associates Technology, Inc. Prioritized data capture, classification and filtering in a network monitoring environment
US6772345B1 (en) * 2002-02-08 2004-08-03 Networks Associates Technology, Inc. Protocol-level malware scanner
US20030217287A1 (en) * 2002-05-16 2003-11-20 Ilya Kruglenko Secure desktop environment for unsophisticated computer users
US20040030914A1 (en) * 2002-08-09 2004-02-12 Kelley Edward Emile Password protection
US20040187023A1 (en) * 2002-08-30 2004-09-23 Wholesecurity, Inc. Method, system and computer program product for security in a global computer network transaction
US20040064736A1 (en) * 2002-08-30 2004-04-01 Wholesecurity, Inc. Method and apparatus for detecting malicious code in an information handling system
US20040080529A1 (en) * 2002-10-24 2004-04-29 Wojcik Paul Kazimierz Method and system for securing text-entry in a web form over a computer network
US6965968B1 (en) * 2003-02-27 2005-11-15 Finjan Software Ltd. Policy-based caching
US20040225877A1 (en) * 2003-05-09 2004-11-11 Zezhen Huang Method and system for protecting computer system from malicious software operation
US20050038697A1 (en) * 2003-06-30 2005-02-17 Aaron Jeffrey A. Automatically facilitated marketing and provision of electronic services
US20050138433A1 (en) * 2003-12-23 2005-06-23 Zone Labs, Inc. Security System with Methodology for Defending Against Security Breaches of Peripheral Devices

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060277182A1 (en) * 2005-06-06 2006-12-07 Tony Nichols System and method for analyzing locked files
US8452744B2 (en) * 2005-06-06 2013-05-28 Webroot Inc. System and method for analyzing locked files
US8381296B2 (en) 2006-07-07 2013-02-19 Webroot Inc. Method and system for detecting and removing hidden pestware files
US8387147B2 (en) 2006-07-07 2013-02-26 Webroot Inc. Method and system for detecting and removing hidden pestware files
US9754102B2 (en) 2006-08-07 2017-09-05 Webroot Inc. Malware management through kernel detection during a boot sequence
US20080216174A1 (en) * 2007-03-02 2008-09-04 403 Labs, Llc Sensitive Data Scanner
US8635691B2 (en) * 2007-03-02 2014-01-21 403 Labs, Llc Sensitive data scanner
US20090007256A1 (en) * 2007-06-28 2009-01-01 Microsoft Corporation Using a trusted entity to drive security decisions
US9015842B2 (en) 2008-03-19 2015-04-21 Websense, Inc. Method and system for protection against information stealing software
US9495539B2 (en) 2008-03-19 2016-11-15 Websense, Llc Method and system for protection against information stealing software
US20090241196A1 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US9455981B2 (en) 2008-03-19 2016-09-27 Forcepoint, LLC Method and system for protection against information stealing software
WO2009117445A3 (en) * 2008-03-19 2009-11-12 Websense, Inc. Method and system for protection against information stealing software
US9032536B2 (en) * 2008-10-10 2015-05-12 Safend Ltd. System and method for incapacitating a hardware keylogger
WO2010041257A1 (en) * 2008-10-10 2010-04-15 Safend Ltd. System and method for incapacitating a hardware keylogger
US20110219457A1 (en) * 2008-10-10 2011-09-08 Ido Keshet System and method for incapacitating a hardware keylogger
US11489857B2 (en) 2009-04-21 2022-11-01 Webroot Inc. System and method for developing a risk profile for an internet resource
US20110072262A1 (en) * 2009-09-23 2011-03-24 Idan Amir System and Method for Identifying Security Breach Attempts of a Website
US10157280B2 (en) * 2009-09-23 2018-12-18 F5 Networks, Inc. System and method for identifying security breach attempts of a website
US8707437B1 (en) * 2011-04-18 2014-04-22 Trend Micro Incorporated Techniques for detecting keyloggers in computer systems
US9245118B2 (en) 2012-07-18 2016-01-26 Infosys Limited Methods for identifying key logging activities with a portable device and devices thereof
US9262639B2 (en) 2013-01-09 2016-02-16 Cisco Technology Inc. Plaintext injection attack protection
WO2014185770A1 (en) * 2013-05-17 2014-11-20 Mimos Berhad Method and system for detecting keylogger
US10089468B2 (en) 2015-03-31 2018-10-02 Juniper Networks, Inc. Detecting keylogging
US9679141B2 (en) * 2015-03-31 2017-06-13 Juniper Networks, Inc. Detecting keylogging
US11496438B1 (en) 2017-02-07 2022-11-08 F5, Inc. Methods for improved network security using asymmetric traffic delivery and devices thereof
US10791119B1 (en) 2017-03-14 2020-09-29 F5 Networks, Inc. Methods for temporal password injection and devices thereof
US10931662B1 (en) 2017-04-10 2021-02-23 F5 Networks, Inc. Methods for ephemeral authentication screening and devices thereof
US11658995B1 (en) 2018-03-20 2023-05-23 F5, Inc. Methods for dynamically mitigating network attacks and devices thereof

Also Published As

Publication number Publication date
WO2007106609A3 (en) 2009-04-16
US7721333B2 (en) 2010-05-18
EP1989628A2 (en) 2008-11-12
US20070180520A1 (en) 2007-08-02
WO2007106609A2 (en) 2007-09-20

Similar Documents

Publication Publication Date Title
US20070169191A1 (en) Method and system for detecting a keylogger that encrypts data captured on a computer
Gopinath et al. A comprehensive survey on deep learning based malware detection techniques
Cheng et al. Enterprise data breach: causes, challenges, prevention, and future directions
Maiorca et al. A pattern recognition system for malicious pdf files detection
Cohen et al. SFEM: Structural feature extraction methodology for the detection of malicious office documents using machine learning methods
Sung et al. Static analyzer of vicious executables (save)
US9317701B2 (en) Security methods and systems
Shankarapani et al. Malware detection using assembly and API call sequences
Sathyanarayan et al. Signature generation and detection of malware families
Stolfo et al. Towards stealthy malware detection
US8127360B1 (en) Method and apparatus for detecting leakage of sensitive information
Maiorca et al. Digital investigation of pdf files: Unveiling traces of embedded malware
Sagiroglu et al. Keyloggers: Increasing threats to computer security and privacy
Stolfo et al. Fileprint analysis for malware detection
Kwon et al. Bingraph: Discovering mutant malware using hierarchical semantic signatures
US20210165904A1 (en) Data loss prevention
Tyagi et al. Malware Detection in PE files using Machine Learning
Tuscano et al. Types of keyloggers technologies–survey
RU2770570C2 (en) System and method for determining process associated with malware encrypting computer system files
Balakrishnan et al. An analysis on Keylogger Attack and Detection based on Machine Learning
Ferdous et al. Malware resistant data protection in hyper-connected networks: A survey
Bayoglu et al. Polymorphic worm detection using token-pair signatures
Yusoff et al. A framework for optimizing malware classification by using genetic algorithm
Abu-Zaideh et al. Smart boosted model for behavior-based malware analysis and detection
Habtor et al. Machine-learning classifiers for malware detection using data features

Legal Events

Date Code Title Description
AS Assignment

Owner name: WEBROOT SOFTWARE, INC., COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GREENE, MICHAEL P.;PARKER, MATT;REEL/FRAME:018675/0609;SIGNING DATES FROM 20061206 TO 20061219

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION