1. Field of the Invention
This invention relates to computer security. More particularly, the invention relates to a system and method for detecting that a window of a legitimate software program has been replaced by a window of a malicious software program.
2. Description of the Related Art
Users commonly use client software programs such as web browsers to access web sites or other resources on computer networks. When accessing sensitive resources, users are often required to input authentication information, such as a username and password. For example, a user may access a bank account or other financial account by navigating to a web site provided by the user's financial institution and inputting the authentication information. The authentication information is intended to be known only to the user so that unauthorized persons cannot access the user's account.
Unfortunately, users are vulnerable to a wide variety of attacks by malicious programs designed to capture a user's authentication information for malicious purposes. A malicious program may infect a user's computer system, for example, when the user executes a program infected with a virus or performs other actions, such as opening an email designed to exploit security vulnerabilities on the user's computer system, that allow the malicious program to be installed without the user's knowledge. Once installed, the malicious program may execute on the user's computer system and attempt to capture authentication information or various other types of sensitive information, e.g., in order to transmit the information to a remote computer system where it may be retrieved by another person and used for malicious purposes.
In one type of attack, a malicious program replaces a legitimate web browser program window with a “fake” window of its own. For example, when the user accesses a web page of a particular financial institution to log into a financial account, the malicious program can cause the web browser window to be closed and display in its place another window that looks identical to or very similar to the web page of the financial institution. Unaware that the real web browser window has been replaced, the user may then enter authentication information (or other sensitive information) into input fields in the window displayed by the malicious program, thus enabling the malicious program to capture the information for malicious purposes.