1. Field of the Invention
This invention pertains in general to protecting a computer from malicious software (malware) and in particular to techniques for removing rootkits and other malware that attempts to hide its presence.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Certain classes of malware use “stealth” or “rootkit” techniques to hide themselves so that malware scanners, such as anti-virus and anti-spyware, cannot detect them and therefore cannot eradicate them. In some cases, the attacker uses a persistent storage area such as a registry or file system to help launch malware at boot time without user intervention. Such malware (or rootkit) infections that survive reboots are particularly difficult to remediate because they are not only evasive but also persistent.
Malware using rootkit techniques installs itself on the operating system (OS) at boot time as a driver. The malware then hooks the vectors used by OS-based detection techniques in order to filter out any data that describe the rootkit. For example, the malware manipulates the results of Windows file access API calls, such as FindFirstFile and FindNextFile, to remove all file entries corresponding to the rootkit. Thus, software that uses the standard Windows APIs to traverse the file system is unable to enumerate malware-related files. Similarly, the malware typically hooks the registry access and process-enumeration APIs in order to hide its presence. As a result, security software can have a difficult time detecting and remediating malware infections that use rootkit techniques to evade detection.
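The cross-view check below is an added example and is not part of the patent text: it compares the entries returned by a hooked enumeration API (such as the filtered FindFirstFile/FindNextFile results described above, or hooked registry or process enumeration) against one or more independent snapshots of the same namespace, and reports only entries that every raw snapshot contains but the API view omits, so that entries that merely change between snapshots are not mistaken for hiding. The namespace labels, file names and views are constructed sample data.

```python
# Added example, not from the patent: cross-view detection of entries that an
# API hook (e.g. on FindFirstFile/FindNextFile) filters out. "api_view" models
# the hooked enumeration; "raw_views" model independent snapshots of the same
# namespace (e.g. parsed on-disk structures). All sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    namespace: str  # "file", "registry" or "process"
    name: str       # normalized entry name
    kind: str       # "hidden" or "transient"


def _normalize(names, case_insensitive=True):
    """Windows file paths and registry keys compare case-insensitively."""
    return {n.lower() if case_insensitive else n for n in names}


def cross_view_diff(namespace, api_view, raw_views, case_insensitive=True):
    """Report entries the API view omits.
    "hidden": absent from the API view but present in every raw snapshot
    (the rootkit-style discrepancy). "transient": present in some raw
    snapshots only (a temp file or a process that exited between snapshots),
    reported separately so timing noise is not mistaken for hiding.
    """
    api = _normalize(api_view, case_insensitive)
    raws = [_normalize(v, case_insensitive) for v in raw_views]
    if not raws:
        return []
    stable = set.intersection(*raws)
    anywhere = set.union(*raws)
    findings = [Finding(namespace, n, "hidden") for n in sorted(stable - api)]
    findings += [Finding(namespace, n, "transient")
                 for n in sorted(anywhere - stable - api)]
    return findings


def hidden_entries(findings):
    """Names classified as hidden, i.e. remediation candidates."""
    return [f.name for f in findings if f.kind == "hidden"]


if __name__ == "__main__":
    # Constructed sample: the hooked API view omits rk.sys; both raw views see it.
    api = [r"C:\Windows\System32\hal.dll"]
    raw1 = api + [r"C:\Windows\System32\rk.sys", r"C:\Windows\Temp\tmp1.tmp"]
    raw2 = api + [r"C:\Windows\System32\RK.SYS"]
    for finding in cross_view_diff("file", api, [raw1, raw2]):
        print(finding)
```

Taking two or more raw snapshots rather than one is what keeps short-lived temp files and exiting processes out of the "hidden" list.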
Accordingly, there is a need in the art for a way to detect and remediate malware infections that does not suffer from the drawbacks described above.