As the Internet continues to expand in terms of both connectivity and number of users, the amount of malicious software (“malware”) existing across the Internet continues to increase at a significant rate. Malware, in the form of, for example, viruses, Trojan horses, spyware, backdoor viruses, and worms, is essentially software code written to infiltrate and/or damage a computer system. In general, such malware spreads across computer systems via e-mail and file downloads over the Internet. In some worst case scenarios, malware can destroy important data, render a computer system virtually useless, and/or bring down a network of hundreds or thousands of computer systems. Recovering a computer system or network from a successful malware attack often requires considerable resources. Further, malware, while typically attacking computer systems connected to the Internet, can also spread from one computer system to the other by, for example, a non-Internet based file transfer between computer systems.
In another worst case scenario not listed above, malware can be used to surreptitiously gather information about a user in an effort to subsequently misappropriate such information to the user's detriment (e.g., stealing bank account information). These types of malware are used to facilitate “identity theft,” which typically occurs over the Internet (“on-line identity theft”). For example, “phishing”-type malware is used to trick an individual into providing confidential information (e.g., username, password, social security number, birth date, bank account number, credit card number) in response to an e-mail solicitation (or other forms of solicitation) appearing to be associated with a legitimate or official entity or purpose.
While identity theft malware commonly operates by gathering information over the Internet, a particular class of identity theft malware resides locally on a user's machine. One type of such malware is the “keylogger,” which records every key press (and in some cases, every action) a user makes when using his/her computer system. The recorded data is then, without the knowledge of the user, sent over the Internet (or some other network) to a third party seeking to gain information for identity theft purposes. Another type of locally resident identity theft malware captures screenshots of user sessions and then secretly passes the captured screenshots to some unknown third party, who can then review the screenshots to obtain confidential information.
In addition to keyloggers and screen capture malware, there exists malware that overlays a locally hosted, phony window with input fields over one or more input fields of a legitimate web page. The goal of such malware, commonly referred to as “overlay-type” identity stealers, is to dupe a user into entering legitimate credentials into fraudulently placed input fields. The fake overlay windows themselves are not Internet web pages or parts thereof; rather, they are application windows instantiated by one or more processes locally running on the computer system. Overlay-type identity stealers are primarily used in connection with user accesses to “transactional” web pages, which are those provided to facilitate some sort of transaction between the user and a host or content provider of the transactional web page. For example, web sites of financial institutions (e.g., banks) commonly include web pages that customers can use to gain access to their accounts upon the user being authenticated. The authentication process generally involves the user providing some set of requested login credentials (e.g., username, password, account number, personal identification number (PIN), social security number, response to a challenge question).
One approach to guard against the deleterious effects associated with overlay-type identity stealers relies on the use of malware “signatures.” As is well known in the art, a “signature” of a particular type of malware is the binary pattern of the malware. Various anti-malware programs rely on signatures to detect, identify, and remediate specific malware. Such use of signatures for malware detection is reactive in nature, in that signatures are determined and used for malware detection only after the malware has already been distributed and the effects thereof reported and documented. In the case of overlay-type identity stealers, the use of malware signatures is not very effective: because this type of malware does not have to achieve high proliferation in order to be successful, it is oftentimes not picked up by large anti-malware providers on the lookout for widely distributed and openly damaging forms of malware. Further, overlay-type identity stealers can adapt to the particular web page at hand, and thus may be thought of as being unhelpfully amorphous in the context of signature-based malware detection.
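The following is an added illustration, not part of the original text, of the signature-based detection just described and of why it is brittle against malware that is adapted per target web page. All byte strings are constructed stand-ins for executable files (no real malware), and the helper names (`exact_signature`, `compile_masked_signature`, `scan_exact`, `scan_masked`, `demo`) are this example's own. An exact byte pattern cut from one captured sample detects only that sample; a masked pattern with wildcard bytes (the `??` convention used by several scanning engines) also catches a variant that differs only in the bytes an analyst chose to mask.

```python
"""Byte-pattern ("signature") scanning as used by conventional anti-malware
engines, run over constructed sample data. Shows why an exact signature taken
from one captured sample misses a slightly adapted variant, and how a masked
signature with wildcard bytes widens coverage, but only over the bytes an
analyst has already seen vary."""
import re
from typing import Dict, Iterable

# Constructed stand-ins for executable files (NOT real malware): a captured
# sample, a variant re-targeted to a different web page, and a benign file.
CAPTURED_SAMPLE = b"MZ\x90\x00" + b"overlay-login-window-v1-siteA" + b"\x00" * 4
ADAPTED_VARIANT = b"MZ\x90\x00" + b"overlay-login-window-v2-siteB" + b"\x00" * 4
BENIGN_FILE = b"MZ\x90\x00" + b"hello-world-application" + b"\x00" * 4

FILES: Dict[str, bytes] = {
    "captured": CAPTURED_SAMPLE,
    "adapted": ADAPTED_VARIANT,
    "benign": BENIGN_FILE,
}


def exact_signature(sample: bytes, start: int, length: int) -> bytes:
    """Cut a fixed byte pattern out of a captured sample: the usual, reactive
    way a signature is produced after the malware has been collected."""
    return sample[start:start + length]


def to_hex_pattern(raw: bytes, mask_positions: Iterable[int]) -> str:
    """Render bytes as a space-separated hex pattern, writing "??" at the
    offsets an analyst decided are target-specific and may vary."""
    masked = set(mask_positions)
    return " ".join("??" if i in masked else f"{b:02x}" for i, b in enumerate(raw))


def compile_masked_signature(pattern: str) -> re.Pattern:
    """Turn a hex pattern such as "6f 76 ?? 72" into a bytes regex.
    "??" matches any single byte; every other token is one literal byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0a, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def scan_exact(data: bytes, signature: bytes) -> bool:
    """Exact substring match, the simplest form of signature scanning."""
    return signature in data


def scan_masked(data: bytes, signature: re.Pattern) -> bool:
    """Wildcard-tolerant match using the compiled masked signature."""
    return signature.search(data) is not None


def demo() -> Dict[str, Dict[str, bool]]:
    """Scan the three constructed files with both signature styles."""
    # Signature 1: the 29 payload bytes copied verbatim from the captured sample.
    sig_exact = exact_signature(CAPTURED_SAMPLE, 4, 29)
    # Signature 2: the same bytes with the version digit and trailing site name
    # (offsets 22..28 of the pattern) masked, so per-target edits no longer matter.
    sig_masked = compile_masked_signature(to_hex_pattern(sig_exact, range(22, 29)))
    return {
        "exact": {name: scan_exact(d, sig_exact) for name, d in FILES.items()},
        "masked": {name: scan_masked(d, sig_masked) for name, d in FILES.items()},
    }


if __name__ == "__main__":
    for style, results in demo().items():
        print(style, results)
```

The exact signature flags only the captured sample; the masked one also flags the re-targeted variant while still ignoring the benign file. The limitation the text points to remains: both signatures exist only because one sample was collected first, and the mask covers only the bytes that analyst saw change. A low-volume overlay stealer whose window code is regenerated for each target page can differ in bytes outside the mask, which is why the text calls this class of malware amorphous from a signature scanner's point of view.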