1. Field of the Invention
This invention relates to computer software. More particularly, the invention relates to a method and system for blocking malicious program behaviors, such as keystroke logging or screen capture.
2. Description of the Related Art
Computer users face a wide variety of security threats. Many kinds of security threats involve the surreptitious collection of information by malicious code executing on a user's computer system. For example, a malicious program may execute on the computer system to collect sensitive information such as personal information (e.g., the user's name, address, phone number, social security number, etc.) or financial information (e.g., the user's credit card details, bank account information, etc.). As another example, a malicious program may also collect online account information (e.g., a username, password, etc.) that can be used to access the user's online financial accounts or other online accounts. The malicious program often sends the information it collects to a remote computer system via a network, such as the Internet. The information may then be used for malicious or unauthorized purposes, such as online theft or identity fraud.
Malicious programs may exhibit several types of malicious program behaviors that enable the surreptitious collection of information such as described above. As one example, a malicious program may perform keystroke logging. Keystroke logging refers to logging information indicating the characters that a user enters via an input device, e.g., logging information indicating the keys the user presses on a keyboard. For example, a malicious program may monitor the user's keystrokes and store information indicating the user's keystrokes. Thus, when the user enters sensitive information via the keyboard, the sensitive information may be stored. As described above, the sensitive information may subsequently be used for malicious purposes.
As another example of malicious program behavior, a malicious program may perform screen capturing. Screen capturing refers to storing images that are displayed on the computer system's display. When a user interacts with an application, the application typically displays a graphical user interface on the display. The graphical user interface for some types of applications may display sensitive information. For example, if the user interacts with a financial application or conducts an online financial transaction, the graphical user interface may display sensitive financial information. A malicious program may perform screen capture behavior to store an image of the graphical user interface which displays the financial information or other sensitive information. As described above, the sensitive information may subsequently be used for malicious purposes.
A malicious program that exhibits malicious program behaviors such as described above may be implemented in various ways, e.g., as an independent program, a plug-in software component, a library, a thread, a routine or subroutine, an operating system component, etc. One example of a malicious program is a keystroke logger program, e.g., a program that executes to perform keystroke logging. Another example of a malicious program is a screen capture program, e.g., a program that executes to perform screen capturing. Other examples of malicious programs that may perform keystroke logging and/or screen capture include spyware, viruses, worms, trojans, etc.
Many types of programs that perform keystroke logging and/or screen capture have no legitimate purpose. Some programs that perform keystroke logging and/or screen capture may have legitimate purposes. For example, some types of monitoring software are designed to enable a person to obtain a record of operations that children, a spouse, friends, coworkers and other users perform on a computer system. The monitoring software is often (but not always) purchased from a software vendor and purposefully installed by a user of the computer system to achieve an extra layer of surveillance over the computer system. As another example, advertising supported software, e.g., “adware” or “spyware”, may have legitimate purposes.
However, since the information that is surreptitiously collected by these types of “legitimate” programs may still be used for malicious purposes, and since the programs may be installed without the knowledge of a user of the computer system, the keystroke logging and/or screen capture operations that they perform may still be viewed as malicious or potentially malicious behavior.