Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting if a user's terminal having a browser is infected by web page-modifying malware, comprising the steps of:
   a) providing a web server which hosts a plurality of original and uninfected web pages having a functional code being suitable to trigger said malware, and wherein said functional code is also configured to provide information to a malware scanning engine;
   b) serving to said browser, by said web server, at least one of said original web pages hosted by said web server and having said functional code for triggering said malware;
   c) following said browser displaying said at least one of said original webpages received from said web server, triggering, by said functional code, said malware to perform web page modification on said at least one of said original webpages to create a modified web page;
   d) sending said modified web page displayed by said browser to a remote server comprising said malware scanning engine;
   e) determining whether a modification exists in said at least one of said original webpages received by said browser from said web server, by detecting with said malware scanning engine a presence of changes in at least portions of said at least one of said original webpages received by said browser from said web server and after being displayed by said browser; and
   f) if a modification is found in said at least one of said original webpages received by said browser from said web server, determining that said malware is present in said user's terminal.
2. A method according to claim 1, further comprising, responsive to determining that said malware is present in said user's terminal, generating one or more preventing tasks.
3. A method according to claim 1, wherein said determining whether a modification exists comprises checking whether a submitted HTML form includes added form field parameters, and, comparing said added form field parameters with pre-determined malware parameters.
4. A method according to claim 3, further comprising parsing the submitted HTML form to identify known malware behavior or a known malware indicator.
5. A method according to claim 4, wherein the parsing comprising identifying one or more parameters as malware-related parameters.
6. A system for detecting if a user's terminal having a browser is infected by web page-modifying malware comprising:
   a web server hosting a plurality of original and uninfected web pages having a functional code being suitable to trigger said malware, and wherein said functional code is also configured to provide information to a malware scanning engine and a logic means;
   following said browser displaying at least one of said original webpages received from said web server, triggering, by said functional code, said malware to perform web page modification on said at least one of said original webpages to create a modified web page; and
   sending said modified web page displayed by said browser to a remote server comprising said malware scanning engine and logic means, said malware scanning engine and logic means configured to determine whether a modification exists in said at least one of said original webpages received by said browser from said web server, by detecting a presence of changes in portions of said at least one of said original webpages after being received by said browser from said web server and after being displayed by said browser, and if a modification is found in said at least one of said original webpages received by said browser from said web server, determine that said malware is present in said user's terminal;
   wherein said malware scanning engine and said logic means are implemented as software embedded in a hardware.
7. A system according to claim 6, further comprising, software for generating one or more alerting or preventing tasks, responsive to determining that malware is present in said user's terminal.
8. A system according to claim 6, in which the logic means comprises means for checking whether a submitted HTML form includes added form field parameters, and means for comparing said added form field parameters with pre-determined malware parameters.
9. A system according to claim 8, further comprising software for parsing the submitted HTML form to identify known malware behavior or a known malware indicator.
10. A system according to claim 9, wherein the parsing software comprises software for identifying one or more parameters as malware-related parameters.
11. A system according to claim 6, wherein the plurality of original and uninfected web pages hosted by the web server includes a URL containing strings that triggers the malware to inject a malicious code into said at least one of said original webpages.
12. A system according to claim 6, wherein the functional code contains strings that triggers the malware to inject a malicious code into said at least one of said original webpages.
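
The form-field check recited in claims 3 to 5 and 8 to 10, sketched as a server-side scan. This is an added example, not code from the patent or its applicant; the page markup, the field names, the list of known injected parameters and the three-way verdict are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed sample: the original, unmodified login form as the web server serves it.
ORIGINAL_PAGE = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="csrf_token" value="x">
<button type="submit" name="submit">Log in</button>
</form>"""

# Hypothetical stand-in for the claims' "pre-determined malware parameters".
KNOWN_INJECTED_PARAMS = {"atm_pin", "card_cvv", "mothers_maiden_name"}

# Constructed POST bodies: one from a clean browser, one with fields added client-side.
CLEAN_POST = "username=alice&password=s3cret&csrf_token=x&submit="
INJECTED_POST = "username=alice&password=s3cret&csrf_token=x&atm_pin=1234&extra_q=blue"

class FieldCollector(HTMLParser):
    """Collects the name attribute of every form control in the served page."""
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea", "button"):
            name = dict(attrs).get("name")
            if name:
                self.names.add(name)

def expected_fields(html):
    collector = FieldCollector()
    collector.feed(html)
    collector.close()
    return collector.names

def scan_submission(original_html, post_body):
    """Return (added, matched): fields absent from the served form, and the
    subset of those that appear on the known-parameter list."""
    submitted = {k for k, _ in parse_qsl(post_body, keep_blank_values=True)}
    added = submitted - expected_fields(original_html)
    matched = {name for name in added if name.lower() in KNOWN_INJECTED_PARAMS}
    return added, matched

def verdict(added, matched):
    # Assumption of this example: unknown extra fields are flagged for review,
    # known ones are treated as a positive detection.
    if matched:
        return "infected"
    return "suspicious" if added else "clean"
```

Because the expected field set is derived from the served page itself, the comparison stays in step with form changes; only the known-parameter list needs separate maintenance.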
February 23, 2016