Malware includes uninvited software which attempts to hide its presence. Examples of malware include rootkits, spyware, Trojans, backdoors, and other software which is designed to be surreptitiously installed and then to avoid detection by users and/or to avoid removal. Malware may also be designed to avoid detection and/or removal by network administrators and other experts. Such experts may be capable of using sophisticated tools and techniques to determine whether malware is present on a system and, if it is present, to determine which particular malware is present.
Some malware uses filters to hide its components or other indications of its presence on a system. Hidden malware components may include files, registry entries, processes, port assignments, and other objects which are managed with operating system structures and/or other runtime environments. For example, a rootkit might intercept calls to APIs which are used by file system exploration utilities to list the content of file system directories. When a directory listing would otherwise identify files associated with the rootkit, the rootkit intercepts and modifies the listing to remove those entries, so that they are not seen by someone who is using the listing to check the system for malware.
It is known, in connection with what has been termed “Black Box, or Dynamic Program Analysis,” to create a dummy file for testing, with a file name that the tester places in the data file used by the lrkIV rootkit to store the names of files and directories that are to be hidden. This is discussed in section 3.3 of John G. Levine, “A Methodology for Detecting and Classifying Rootkit Exploits”, Ph.D. Thesis, Georgia Institute of Technology, February 2004. The lrkIV rootkit then filters the specified files, including the dummy file, from view when the listing command ls is invoked on the infected system; the disappearance of a file which the tester knows to be present thus reveals the filtering.
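The following Python code is an added illustration and is not part of this disclosure, of the cited thesis, or of the lrkIV rootkit. It simulates, with constructed data, a directory-listing filter of the kind described above, and then applies the dummy-file test of section 3.3 of Levine against both a clean and a "hooked" listing function. The rootkit's hide list, the directory contents and the probe file names are assumptions made for the example. The example also goes beyond the dummy-file test by comparing the raw listing against the filtered one (a cross-view comparison), which finds hidden entries without the tester knowing the hide list in advance.

```python
"""Simulation of a listing filter and the dummy-file test.

Added illustration, not code from the page, the thesis or any real rootkit.
Everything below (file system contents, hide list, probe names) is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


@dataclass
class SimulatedFilesystem:
    """Stand-in for the real file system: the unfiltered 'ground truth' view."""
    entries: set = field(default_factory=set)

    def create(self, name: str) -> None:
        self.entries.add(name)

    def remove(self, name: str) -> None:
        self.entries.discard(name)

    def raw_listing(self) -> List[str]:
        """What a clean, unhooked directory-listing API would return."""
        return sorted(self.entries)


def make_filtering_listdir(fs: SimulatedFilesystem,
                           hidden_names: Iterable[str]) -> Callable[[], List[str]]:
    """Return a 'hooked' listdir that drops every entry on the hide list.

    Models a rootkit that intercepts the directory-listing API used by ls and
    removes its own files from the result before the user sees it.
    """
    hidden = set(hidden_names)

    def hooked_listdir() -> List[str]:
        return [e for e in fs.raw_listing() if e not in hidden]

    return hooked_listdir


def dummy_file_test(fs: SimulatedFilesystem,
                    listdir: Callable[[], List[str]],
                    dummy_name: str) -> bool:
    """Black-box dummy-file test.

    Create a file whose name the rootkit is (believed to be) configured to
    hide, list the directory through the possibly hooked API, and report True
    if the file we just created is missing from the listing. The probe file is
    removed afterwards whether or not it was hidden.
    """
    fs.create(dummy_name)
    try:
        return dummy_name not in listdir()
    finally:
        fs.remove(dummy_name)


def cross_view_diff(raw: List[str], filtered: List[str]) -> List[str]:
    """Entries present in the raw view but absent from the filtered view.

    Unlike the dummy-file test this needs no knowledge of the hide list, but it
    does need an independent way to obtain the raw listing.
    """
    return sorted(set(raw) - set(filtered))


def demo() -> dict:
    # Constructed directory: two ordinary-looking rootkit files among normal ones.
    fs = SimulatedFilesystem({"bin", "etc", "home", ".hidden_rk", "rk.conf"})
    # Constructed hide list, standing in for the rootkit's data file of names.
    hide_list = [".hidden_rk", "rk.conf", "probe_file"]
    clean_listdir = fs.raw_listing
    infected_listdir = make_filtering_listdir(fs, hide_list)
    return {
        # A clean system never hides the probe.
        "clean_hides_probe": dummy_file_test(fs, clean_listdir, "probe_file"),
        # The infected system hides a probe whose name is on its list ...
        "infected_hides_probe": dummy_file_test(fs, infected_listdir, "probe_file"),
        # ... but not one the tester guessed wrongly: the test depends on the list.
        "infected_hides_unlisted": dummy_file_test(fs, infected_listdir, "other_probe"),
        # The cross-view comparison finds the hidden files without any guess.
        "cross_view": cross_view_diff(fs.raw_listing(), infected_listdir()),
        "probe_cleaned_up": "probe_file" not in fs.entries,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third result illustrates the limitation of the dummy-file approach: it only detects a filter when the probe's name is one the rootkit has been configured to hide, so the tester must know (or guess) the rootkit's hide list.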
Malware can sometimes be detected by searching for byte signatures of known malware executables on disk or in memory, and/or by searching for signs of malware installation, such as kernel interrupt vectors that point outside the normal kernel address space, which indicates that an interrupt handler has been redirected.
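The following Python code is an added illustration of the two checks just described and is not part of this disclosure. It scans a constructed memory image for a constructed table of byte signatures, and it flags entries of a constructed interrupt descriptor table whose handler addresses fall outside an assumed kernel text range. The signature bytes, the addresses and the range are all hypothetical values chosen for the example; real signatures and ranges come from analysis of real samples and of the specific kernel build.

```python
"""Signature scan and interrupt-vector range check.

Added illustration, not code from the page. The signature table, the memory
image, the kernel text range and the interrupt table are all constructed and
the addresses are hypothetical.
"""
from typing import Dict, List, Tuple

# Constructed signature table: name -> byte sequence from a (fictional) sample.
SIGNATURES: Dict[str, bytes] = {
    "example-rootkit-loader": b"\x55\x89\xe5\x83\xec\x10\xc7\x45\xfc\xde\xad\xbe\xef",
    "example-backdoor-banner": b"SHELLD v0.9",
}


def scan_for_signatures(image: bytes,
                        signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every occurrence of every signature.

    Works the same on a file read from disk or on a memory dump. Every
    occurrence is reported, so a pattern present twice yields two hits.
    """
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = image.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def find_redirected_vectors(idt: Dict[int, int],
                            kernel_text: Tuple[int, int]) -> List[int]:
    """Return vector numbers whose handler lies outside [start, end) of kernel text.

    A legitimate handler lives in kernel text; one pointing elsewhere has
    usually been redirected. Caveat: if the kernel also installs handlers from
    loadable modules, their text ranges must be added to the permitted set or
    they will appear here as false positives.
    """
    lo, hi = kernel_text
    return [vec for vec, addr in sorted(idt.items()) if not (lo <= addr < hi)]


def demo() -> Tuple[List[Tuple[str, int]], List[int]]:
    # Constructed 'memory image': zero filler, a banner, NOP padding, a loader stub.
    image = (b"\x00" * 64
             + SIGNATURES["example-backdoor-banner"]
             + b"\x90" * 32
             + SIGNATURES["example-rootkit-loader"]
             + b"\x00" * 16)
    # Hypothetical kernel text range and interrupt table; vector 0x80 has been
    # pointed at an address outside the range.
    kernel_text = (0xC0100000, 0xC0400000)
    idt = {0x00: 0xC0105E40, 0x0E: 0xC0106120, 0x21: 0xC01071A0, 0x80: 0xC8831000}
    return scan_for_signatures(image), find_redirected_vectors(idt, kernel_text)


if __name__ == "__main__":
    hits, vectors = demo()
    print("signature hits:", hits)
    print("redirected vectors:", [hex(v) for v in vectors])
```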
It is known to actively infect a system by placing a particular fully functional malware program on the system, in order to test the ability of malware-detection software to detect the malware in question.
It is known to intentionally allow a system to be infected by arbitrary fully functional malware. This may be done, e.g., by connecting an unprotected system to the internet. One may then run malware-detection software to see what malware infections are found on the system.
It is known to create a “honeypot” system, namely, a system which appears to have vulnerabilities and which attracts malware installation and other unauthorized activities, while surreptitiously monitoring them and gathering data which may help identify the locations and/or persons responsible for those unauthorized activities.
The foregoing background was written in hindsight, with the present invention in mind. Thus, the particular cluster of ideas discussed in this background would not necessarily have been obvious to someone who did not have the benefit of familiarity with the invention.