The present invention relates to computer security and, more particularly, to a method of defending a computer against malware.
Targeted malware uses sophisticated methods to evade detection by security software, such as antivirus software, that relies on operating system functionality to provide notification of suspicious events.
One such method targets the PsSetCreateProcessNotifyRoutine routine of Microsoft Windows™ operating systems. PsSetCreateProcessNotifyRoutine adds a driver-supplied callback routine to, or removes such a callback routine from, a list of routines that the kernel calls whenever a process is created or deleted; the list is kept in a memory region of the computer. Malware is known that reads the PsSetCreateProcessNotifyRoutine code at runtime, searches that code for a binary signature that identifies the instruction referencing the memory region in which PsSetCreateProcessNotifyRoutine maintains its list of callback routines, and extracts the address of that memory region from the instruction's operand. Because the address is recovered from the routine's own code rather than from an exported symbol, the technique continues to work across kernel builds for as long as the signature still matches. Then, after antivirus software has called PsSetCreateProcessNotifyRoutine in order to be notified when processes, including malware processes, are created, the malware can remove the associated callback routine from the list, thereby preventing the antivirus software from recognizing when malware processes are created.
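The following is an added, illustrative example and is not part of the present disclosure or of any Windows kernel code. It simulates, in user-mode C over a constructed byte buffer, the technique described above: a masked signature scan over "code" bytes locates a RIP-relative `lea` (a made-up stand-in for the instruction that references the callback list), the 32-bit displacement is resolved to the list's address, and an entry is then cleared from the list. The snapshot-and-compare check at the end is a hypothetical defender-side illustration added here, not the method claimed in this disclosure. All addresses, byte values and the table layout are constructed for the demonstration; a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: a few bytes of "code" that reference
 * a callback table through a RIP-relative operand, followed by the table.
 * None of this is read from a real kernel; layout and bytes are invented. */
#define CODE_LEN    64
#define TABLE_SLOTS 8
#define LEA_OFFSET  20   /* where the fake `lea rcx,[rip+disp32]` is placed */
#define LEA_LEN     7    /* 48 8D 0D + 4-byte displacement */

static struct {
    uint8_t   code[CODE_LEN];
    uintptr_t table[TABLE_SLOTS];   /* stand-in for the callback array */
} g_region;

static uintptr_t g_snapshot[TABLE_SLOTS];
static int g_built;

/* Emit the fake code once: NOP filler plus one RIP-relative lea whose
 * displacement is computed at runtime so that it points at g_region.table. */
static void build_region(void)
{
    if (g_built) return;
    memset(g_region.code, 0x90, CODE_LEN);
    memset(g_region.table, 0, sizeof g_region.table);
    uintptr_t next_insn = (uintptr_t)(g_region.code + LEA_OFFSET + LEA_LEN);
    int32_t disp = (int32_t)((intptr_t)(uintptr_t)g_region.table - (intptr_t)next_insn);
    g_region.code[LEA_OFFSET + 0] = 0x48;
    g_region.code[LEA_OFFSET + 1] = 0x8D;
    g_region.code[LEA_OFFSET + 2] = 0x0D;
    memcpy(g_region.code + LEA_OFFSET + 3, &disp, sizeof disp); /* little-endian host */
    g_built = 1;
}

/* Masked byte search: mask 0xFF compares the byte, 0x00 is a wildcard. */
static const uint8_t *find_pattern(const uint8_t *hay, size_t hay_len,
                                   const uint8_t *pat, const uint8_t *mask,
                                   size_t pat_len)
{
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        size_t j;
        for (j = 0; j < pat_len; j++)
            if ((hay[i + j] & mask[j]) != (pat[j] & mask[j])) break;
        if (j == pat_len) return hay + i;
    }
    return NULL;
}

/* Resolve a RIP-relative disp32: target = address of the next instruction + disp. */
static uintptr_t resolve_rip_rel(const uint8_t *insn, size_t insn_len, size_t disp_at)
{
    int32_t disp;
    memcpy(&disp, insn + disp_at, sizeof disp);
    return (uintptr_t)(insn + insn_len) + (intptr_t)disp;
}

/* The step the text attributes to the malware: scan the routine's bytes for the
 * signature and pull the table address out of the operand.  Returns 0 on miss. */
uintptr_t locate_callback_table(void)
{
    static const uint8_t pat[LEA_LEN]  = {0x48, 0x8D, 0x0D, 0, 0, 0, 0};
    static const uint8_t mask[LEA_LEN] = {0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
    build_region();
    const uint8_t *hit = find_pattern(g_region.code, CODE_LEN, pat, mask, LEA_LEN);
    return hit ? resolve_rip_rel(hit, LEA_LEN, 3) : 0;
}

/* Stand-in for registration: the first free slot receives the routine address. */
int register_callback(uintptr_t routine)
{
    build_region();
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (g_region.table[i] == 0) { g_region.table[i] = routine; return i; }
    return -1;
}

/* Simulated malware step: clear the slot holding `routine` in a table found by address. */
int remove_callback(uintptr_t table_addr, uintptr_t routine)
{
    uintptr_t *t = (uintptr_t *)table_addr;
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (t[i] == routine) { t[i] = 0; return 1; }
    return 0;
}

/* Hypothetical defender-side check: record the table after registering, and
 * report 1 if any slot has since changed (e.g. a callback silently removed). */
void snapshot_table(void) { build_region(); memcpy(g_snapshot, g_region.table, sizeof g_snapshot); }
int  table_tampered(void) { build_region(); return memcmp(g_snapshot, g_region.table, sizeof g_snapshot) != 0; }

int main(void)
{
    uintptr_t av_routine = 0x1000;            /* made-up address of an AV notify routine */
    register_callback(av_routine);
    snapshot_table();
    uintptr_t tbl = locate_callback_table();
    printf("scan resolved table at %p (actual %p)\n", (void *)tbl, (void *)g_region.table);
    remove_callback(tbl, av_routine);
    printf("table tampered: %d\n", table_tampered());
    return 0;
}
```

The scan succeeds only because the constructed bytes contain the expected `48 8D 0D` prefix; the same fragility applies to real signature-based lookups, which break whenever the compiler emits a different instruction sequence, and which is also why the tamper check compares the table contents rather than trusting any particular code layout.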
It would be highly advantageous to have a method of defending a computer from such malware.