1. Field of the Invention
This invention pertains in general to computer security and in particular to remediating malware that uses process thread injection to avoid detection.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Malware can, for example, surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Moreover, mass-distributed malware can contain polymorphisms that cause the malware to vary over time. Such malware is difficult for security software to detect because there are few instances of the same malware, and the security software might not be configured to recognize the particular instance that has infected a given computer.
Malware can also use additional techniques to evade detection. One such technique is called “remote thread injection.” Here, the malware injects the malicious code into the address space of a legitimate (i.e., non-malicious) process. Even if the security software detects the injected malicious code, it is difficult for the security software to identify the file that caused the injection. As a result, the security software cannot fully remediate the malware.