Browse Prior Art Database

A method to detect and block browser-"overlay" malware Disclosure Number: IPCOM000242012D
Publication Date: 2015-Jun-14
Document File: 1 page(s) / 75K

Publishing Venue

The Prior Art Database


A method for detecting and blocking browser-"overlay" malware is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 69% of the total text.

Page 01 of 1

A method to detect and block browser-"overlay" malware

Disclosed is a method for detecting and blocking browser-"overlay" malware.

The disclosed method prevents a specific type of attack against online banking carried by malware. The attack, sometimes named "overlay window", occurs when a malicious

window is placed on top of open browser during online banking session. This window is used by attacker to control the session, leading to financial loss. Traditional solutions use a signature based blacklisting approach which has a major drawback: only previously seen malware can be detected. The disclosed method addresses the act of overlaying itself, leveraging window related information to differentiate malware from benign applications. The advantage is a generic approach against yet unseen overlay malware.

In an embodiment of the disclosed method, changes in windows' hierarchy and creation of new windows related to the browser are monitored. For each operation, its context (e.g. process, window's class/children/parent) is examined in order to detect malicious behavior. In the event of malicious detection different protection actions could be applied, e.g., hide window / terminate its process.

In a Windows environment, WinEvents is used to receive asynchronous notifications about windows changes. SetWinEventHook interface may be used to register for EVENT_OBJECT_PARENTCHANGE and EVENT_OBJECT_CREATE events. For each event, the parent and child windows are examined....