There is a class of malware that injects extra fields into real web pages that contain forms requesting the entry of personal information, such as financial institution login screens. Typically, these maliciously injected fields prompt the user to enter sensitive information, such as a credit card number, social security number, PIN, etc. When the user visits the page containing the web form (for example, the user tries to log in to his or her actual bank account), these extra fields appear seamlessly on the otherwise legitimate website. However, even though the website itself is legitimate and familiar to the user, the added fields are fraudulent, and if the user fills them out, the entered information is transmitted to a remote server under the control of a malicious party. The malicious party can then leverage the user's personal information to financially defraud or otherwise exploit the user. Trojans generated by the infamous SpyEye botnet work this way.
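Because such a "web inject" alters the page inside the browser after the server's response has arrived, the set of form fields in the rendered document differs from the set in the HTML the server actually sent. The following script, an added example that is not part of the original text, illustrates one way to surface that difference: it parses both versions of the page with the Python standard library, reports fields present only in the rendered version, and flags those whose names suggest a request for sensitive data. The sample HTML, the form action, the field names and the list of sensitive-name hints are constructed for illustration and are assumptions, not data from the original.

```python
"""Detect form fields injected into an otherwise legitimate web form.

Added example. Compares the <input>/<select>/<textarea> elements inside each
<form> of the HTML the server sent against those in the page as rendered in
the (possibly infected) browser. Fields that exist only in the rendered copy
are reported, and those whose names look like requests for credentials or
personal data are flagged. All sample data below is constructed.
"""
from html.parser import HTMLParser

# Constructed heuristic: name fragments that commonly label sensitive fields.
SENSITIVE_HINTS = ("ssn", "social", "pin", "cvv", "cvc", "card", "ccnum", "dob", "mother")


class FormFieldParser(HTMLParser):
    """Collect (form_action, field_name, field_type) for every field inside a <form>."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._action = None  # action of the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag in ("input", "select", "textarea") and self._action is not None:
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            ftype = (attrs.get("type") or "text").lower()
            self.fields.append((self._action, name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def extract_fields(html):
    """Return the set of (action, name, type) tuples for all form fields in html."""
    parser = FormFieldParser()
    parser.feed(html)
    parser.close()
    return set(parser.fields)


def find_injected_fields(server_html, rendered_html):
    """Fields present in the rendered DOM but absent from the server's HTML, sorted."""
    return sorted(extract_fields(rendered_html) - extract_fields(server_html))


def flag_sensitive(injected):
    """Subset of injected fields whose name matches a sensitive-data hint."""
    return [f for f in injected if any(hint in f[1] for hint in SENSITIVE_HINTS)]


# Constructed sample: what the bank's server actually returned.
SERVER_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same page after a web inject added two fields.
RENDERED_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="ssn" type="text">
  <input name="atm_pin" type="password">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    injected = find_injected_fields(SERVER_HTML, RENDERED_HTML)
    for action, name, ftype in injected:
        print(f"injected field: action={action!r} name={name!r} type={ftype!r}")
    for action, name, ftype in flag_sensitive(injected):
        print(f"SUSPICIOUS: {name!r} requests sensitive data on form {action!r}")
```

Two caveats matter in practice. Legitimate client-side scripts also add or rename fields, so a per-page baseline of expected fields (or an allowlist of script-created names) is needed to keep the false-positive rate tolerable. And because a man-in-the-browser trojan controls the browser that renders the page, the comparison is only trustworthy when the server-side copy and the rendered snapshot are obtained and compared from a vantage point the malware cannot tamper with, for example on the server after the client reports the rendered field set.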
Conventional techniques for detecting and removing malware can be very effective in many cases, but can fail to detect some malware. For example, scanning files for known signatures associated with malware can detect infection by previously identified threats, and by variations thereof that still contain a sufficiently similar signature. However, such signature-based scanning can fail to identify new or sufficiently morphed malware. Likewise, heuristic-based analysis of a program's behavior or other factors can detect malware that sufficiently conforms to known, historically identified patterns, but can fail to identify new or modified threats that fall outside of these parameters.
It would be desirable to address these issues as they apply to malware that inserts malicious fields into legitimate forms.