1. Field of the Embodiments
The embodiments disclosed herein pertain in general to computer security and in particular to detecting and removing malware that infects a system during the boot process.
2. Description of the Related Art
When a computer is turned on, a boot process is initiated in order to load the computer's operating system. Typically, the first code run as part of the boot process is the basic input/output system (BIOS). The BIOS identifies a bootable device, such as a hard drive, and passes control of the computer to code stored at a specific location on the bootable device. The location of the code on the bootable device is often referred to as the master boot record (MBR). The code stored at the MBR loads one or more modules that load and start the operating system of the computer.
A type of malware, often referred to as an “MBR rootkit” or the “Mebroot Trojan,” infects the MBR and as a result executes during the boot process. This early execution allows the malware to bypass security measures and infect the operating system as it is being loaded. The malware infects the operating system in a way that allows it to hide its presence. One way that the malware hides and protects itself is by modifying read and write requests. For example, if a legitimate program executed by the operating system attempts to read the MBR or another location on a storage device where the malware is stored, the malware causes the operating system to return to the program an image of what the storage device would look like without the malware. Likewise, the malware prevents any writes to the MBR or other locations on the storage device that would affect the malware. Therefore, it is very difficult to detect and remove this type of malware.
One way of detecting and removing the malware is by loading a second operating system from a trusted boot device. For example, the second operating system may be loaded from a CD-ROM or a USB flash drive. However, this technique requires additional hardware (e.g., the flash drive) and the process may be too complex for a typical user.
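The following is an added illustration, not part of the patent text, of the read filtering described above and of why a read taken from a trusted boot device is needed to detect it: it parses two 512-byte MBR images and reports where the image seen through the running operating system differs from the image read after booting from a trusted device. The function names, the partition entry and the bootstrap bytes are constructed sample data chosen for this example.

```python
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446      # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries: bytes 446..509
SIGNATURE = b"\x55\xaa"  # boot signature: bytes 510..511

def parse_mbr(image: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootstrap": image[:BOOTSTRAP_LEN], "partitions": parts,
            "signature_ok": image[510:512] == SIGNATURE}

def compare_mbr_images(in_band: bytes, out_of_band: bytes) -> list:
    """Findings when the MBR seen through the running OS differs from a trusted read."""
    a, b = parse_mbr(in_band), parse_mbr(out_of_band)
    findings = []
    changed = [i for i in range(BOOTSTRAP_LEN) if a["bootstrap"][i] != b["bootstrap"][i]]
    if changed:
        findings.append(f"bootstrap code differs in {len(changed)} bytes, first at offset {changed[0]}")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    if not b["signature_ok"]:
        findings.append("trusted read lacks the 0x55AA boot signature")
    return findings

def build_mbr(bootstrap: bytes, first_entry: bytes) -> bytes:
    """Assemble a constructed MBR: bootstrap padded to 446 bytes, one partition entry, signature."""
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + first_entry + b"\x00" * 48 + SIGNATURE

# Constructed sample data: placeholder bytes stand in for real bootstrap code.
PART_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)   # bootable NTFS-type entry
CLEAN_MBR = build_mbr(b"CLEAN-BOOTSTRAP-CODE", PART_ENTRY)
INFECTED_MBR = build_mbr(b"ROOTKIT-STUB-IN-MBR", PART_ENTRY)      # bootstrap overwritten

if __name__ == "__main__":
    # The rootkit filters in-band reads, so the running OS sees CLEAN_MBR and a
    # comparison against a stored baseline reports nothing.
    print("in-band vs baseline:", compare_mbr_images(CLEAN_MBR, CLEAN_MBR))
    # Only a read taken after booting from a trusted device exposes the change.
    print("in-band vs trusted:", compare_mbr_images(CLEAN_MBR, INFECTED_MBR))
```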