1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to curing computers of viruses and other types of malware that are designed to be cure-resistant.
2. Description of the Related Art
Today there are many different types of malware that present a serious threat to computers and computer networks. By infecting a computer and spreading through various mechanisms, such as e-mails, Internet relay chat, instant messenger, etc., the malware can thereby rapidly infect other computers as well. Such malware can range in their behavior from mildly benign, e.g., occasional displays of annoying messages to the user, to malicious and catastrophic, e.g., a complete corruption of the hard disk drive and the data stored on the drive, leading to a loss of data and a possible need to a complete restore of the operating system and application data from backup.
To detect and cure a computer of malware, a number of conventional mechanisms have been developed, for example, CN1310393, CN1525333, U.S. 2005/0091538, U.S. 2005/0120238, U.S. Pat. No. 5,613,002, WO 2004/090733 and others. These mechanisms primarily use malware signature identification and removal of the malware code from random access memory, as well as deletion of the viruses' executable files from the hard disk drive, which is usually sufficient for many purposes.
A fairly recent phenomenon of malware writing is the growing professionalization of malware writers. In the early days of networked computers and up until the early 2000s, many malicious programs were written by teenagers and college students, often as pranks. Others were written by adult hackers, who nonetheless rarely pursued commercial objectives. In recent years, this situation has dramatically changed. Although many examples of malicious code are still created by amateurs, or as pranks, a new category of malware writer has now entered the picture: highly qualified and skilled programmers, who exploit vulnerabilities in operating systems and network protocols for money. This has resulted in use of malware mechanisms for distribution of other malicious types of malware, for example, to zombify computers to act as spam sources, use of malware techniques for identity theft, phishing, and the like.
Professional malware writers subscribe to antivirus databases and services, which in essence accelerates an arms race between anti-virus vendors and malware writers. When a new version of a virus is distributed, it can take from several minutes to several hours for the databases of most major antivirus vendors to be updated and distributed to their users. In turn, the virus writers monitor this process, and as soon as they notice that their virus has been detected, a new version is immediately sent out.
Another recent phenomenon related to the professionalization of the malware-writing business is attempts by malware writers to write code that is exceedingly difficult to cure. In the early days of networked computers, malware creators cared little for this quality, since what mattered most for many amateur malware writers was to distribute the malware at the maximum speed to the greatest possible number of computers, which served as a test of manhood in the hacker community. With the commercialization of malware writing, this has also changed and professional malware writers often go to great lengths to ensure that the malware they write cannot be easily cured and removed.
Thus, there is a category of malware today that is intentionally designed to be cure-resistant. Typically such malware makes multiple copies of itself on the same computer and runs multiple copies of itself simultaneously using different threads. Thus, in such a scheme, a malicious program can have a copy of its code that has infected an Internet browser and running in one thread, and another copy of itself having infected an e-mail client running in a different thread and loaded into a different portion of the random access memory of the computer. When an anti-virus program detects one of the copies of the malicious program, for example, the copy that has infected the Internet browser, the anti-virus program deletes that copy from memory and deletes a copy of the executable file that contains the code of the malware.
In case of cure-resistant malware, the other copy of the malicious program (the copy that infected the e-mail client) detects that the first copy has been deleted and immediately copies itself back to the Internet browser's portion of random access memory, re-infecting the Internet browser and restarting the thread of its first copy. When the anti-virus software encounters the second copy of the malicious program (which infected the e-mail client), the anti-virus software deletes the malicious code from the e-mail client and deletes its copy of the executable file. However, the thread that executes the copy of the malicious program in the Internet browser will immediately detect this and re-infect the e-mail client. This phenomenon is familiar to those who have recently been victims of such cure-resistant malware, as well as to ordinary users, when the effect is that no matter how many times the user tries to “kill” the malicious program, some time later, it appears again.
For example, consider the situation where a computer is infected by a malicious program, its code is loaded into random access memory from a file, and the registry includes an appropriate key for the file. The situation is illustrated in FIG. 1. Shown in FIG. 1 are two malicious processes, such as viruses designated as MP1 and MP2. When the anti-virus software terminates Malicious Process 2, Malicious Process 1 restores the file from its own reserve copy, or from memory. Malicious Process 1 is then restarted. The anti-virus software then finds a registry key that identifies the virus file corresponding to Malicious Process 1 and removes this registry key. However, the virus again restores the registry key from its reserve copy or from memory. Then, the anti-virus software finds Malicious Process 2 and terminates it. However, Malicious Process 1 immediately restarts Malicious Process 2. The anti-virus then finds Malicious Process 1 and terminates it, but Malicious Process 2 then restarts Malicious Process 1.
As a result, the anti-virus software completes scanning the system being confident that the virus has been removed, however, as is clear from FIG. 1, the virus remains active by defeating the anti-virus software in this manner. Accordingly, there is a need in the art for a system and method for treating computers of cure-resistant malware.