Native operating system services can prevent security software from installing arbitrary hooks within the kernel of an operating system. Security software is thus prevented from filtering all behaviors of an electronic device, including potentially malicious actions by malware. Malware may include, but is not limited to, spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service attacks, viruses, loggers, Trojans, adware, or any other digital content that produces malicious activity.
The filtering functionality provided by the operating system may be limited, and only available on timelines decided by the operating system vendor. Malware can operate and reside at the same level as security software, particularly in the operating system kernel, and thus compromise both the operating system and the integrity of the security software itself.
Many forms of aggressive kernel mode malware tamper with user mode memory to accomplish malicious tasks such as injecting malicious code dynamically, modifying user mode code sections to alter execution paths and redirect into malicious code, and modifying user mode data structures to defeat security software. Additionally, some malware may attack anti-malware applications and processes from the kernel by tampering with process memory code and data sections to deceive the detection logic.
Malware may also attack key sectors of a disk, such as the Master Boot Record (“MBR”), operating system kernel files, or files associated with security software. Although the operating system and/or security software may provide functionality for protecting key disk sectors, malware operating at the same level as such software may circumvent the safeguards employed by the security software. Malware attacking the MBR may replace some or all of the MBR with rootkit code, ensuring that the rootkit will boot first when a system is initialized, and the malware may also replace the operating system initialization code with an inline hook. The malware may store the persisted rootkit data that is required to survive a reboot in physical sectors of a disk instead of in files, and may filter the disk I/O to protect the disk sectors that are used to store the malware.
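The following is an added example of the kind of integrity check a defender can run against the MBR described above; it is illustrative code written for this page, not code from the patent or any product. It builds a constructed 512-byte MBR (the boot code, disk signature and partition entry are made-up sample values), records a baseline fingerprint of the boot code and partition table, and then reports which region changed when a tampered copy is verified. The `build_sample_mbr`, `fingerprint`, `parse_partitions` and `verify_mbr` names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot loader code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for demonstration (constructed data, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"   # constructed 32-bit disk signature
    reserved = b"\x00\x00"
    # One bootable (0x80) Linux (0x83) partition starting at LBA 2048, 20480 sectors long.
    # CHS fields are left zeroed; modern tools rely on the LBA fields.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x83, b"\x00" * 3, 2048, 20480)
    table = entry + b"\x00" * 16 * 3
    return code + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "start_lba": lba, "sectors": sectors})
    return entries


def fingerprint(mbr: bytes) -> dict:
    """Baseline hashes of the two regions a rootkit would have to rewrite."""
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[PART_TABLE_OFF:PART_TABLE_OFF + 64]).hexdigest(),
    }


def verify_mbr(mbr: bytes, baseline: dict) -> list[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR_SIZE:
        return ["wrong_sector_length"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing_boot_signature")
    current = fingerprint(mbr)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot_code_modified")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition_table_modified")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0")          # constructed: cli; xor ax, ax
    baseline = fingerprint(clean)
    print("partitions:", parse_partitions(clean))
    print("clean:", verify_mbr(clean, baseline))
    # Simulate boot code overwritten at offset 0 while the rest of the sector is untouched.
    tampered = b"\xeb\xfe" + clean[2:]
    print("tampered:", verify_mbr(tampered, baseline))
```

On a live system the 512 bytes come from the raw block device (which needs administrative privileges), and the baseline must be kept somewhere the infected machine cannot rewrite. The caveat that matters for the scenario above: a rootkit that filters disk I/O can hand the clean sector back to any reader running under the infected operating system, so a check that passes from inside that system is not conclusive; reading the sector after booting from trusted external media, or from a hypervisor, avoids that filter.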
Kernel mode rootkits and other malware employ various methods to hide their presence from user mode applications and kernel mode device drivers. The techniques used may vary depending upon where the infection takes place. For example, malware may attack the kernel active process list of an operating system to delist or unlink a rootkit or other malware process. Other malware may tamper with the code sections of process access and enumeration functions.