Attacks on computer systems are becoming more sophisticated and targeted. One particular threat is malware armed with hidden anti-access technology: code whose job is to keep the malicious payload from being detected, typically by blocking or falsifying the reads that a detection tool relies on.
A rootkit is an example of stealthy malware. It is designed to hide the existence of certain programs, including itself, from normal methods of detection, and rootkit detection is difficult precisely because of that ability to hide from antivirus programs. A kernel-mode rootkit inserts itself between the computer's hardware and the rest of the OS, subtly altering the data passed back and forth so as to mask its presence and keep control of the system. A bootkit, one class of rootkit, goes a step further and subverts the Master Boot Record (MBR). The MBR is the first sector of the hard drive; it holds the bootstrap code that the BIOS (Basic Input Output System) loads and executes to locate and start the Operating System (OS), so code planted there runs before the OS and before any antivirus driver.
Traditional scanning and detection methods in antivirus products have difficulty with rootkits because those methods can often be bypassed or hijacked by advanced malware. Even when a conventional antivirus product can handle a rootkit, removal typically requires interrupting the user's activity and forcing an OS reboot.
Traditional methods of memory and file scanning have trouble with advanced malware that includes anti-access technology. One prior approach is a kernel driver: the scan engine of a traditional antivirus product performs its memory and file scan in kernel mode, packaged as a kernel driver, and relies on the native API of the running OS, whether at the file system level or at the storage port driver/miniport driver level (Small Computer System Interface (SCSI), AT Attachment Packet Interface (ATAPI), and so forth). However, advanced malware can also gain control in kernel mode and hijack the execution path of that native code, so the scan engine can be fooled. For example, the TDL4 rootkit (TDL-4, the fourth generation of the TDL family, which also forms a botnet) infects the MBR or a third-party driver to obtain ring 0 privilege, then hijacks a major function (dispatch routine) of the ATAPI port driver and returns faked data for an ordinary file read: the scan engine asks for the infected sectors and receives clean ones, so an integrity check against known-good contents passes. The scan engine may also be operating at the wrong level to deal with the malware, for example at the same privilege level as the malware, where neither has a vantage point over the other. Worse, for compatibility and robustness reasons the scan engine often cannot be implemented at as low a level within the OS as the malware can, and the malware can be optimized for a specific target. In this way the malware can fight the scan engine on its own terms.
Another traditional method for memory and file scanning is to boot a second, clean OS and scan from there, for example to detect malware infecting the boot components of the host OS. The advantage is that no malicious code in the host OS can interrupt the scan engine, which permits a thorough detection. The problem is that current activity on the host OS must be stopped and the machine rebooted into the second OS. Typically the second OS is supplied on a Universal Serial Bus (USB) stick, a "USB fix" carrying the components that implement the second OS, which the end user must plug in and boot from. The interruption and reboot this requires is annoying and unacceptable to most end users.
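The hijack described in the two paragraphs above and the reason an out-of-band view helps, as an added example that is not part of the original text: a user-space C simulation (not kernel code, and not any product's own scan engine) of a storage read path, a bootkit-style hook on it that serves a saved clean copy of the MBR, a scan engine that reads through the hooked path and is fooled, and a cross-view comparison against a trusted read path that exposes the discrepancy. The disk image, the bootstrap bytes, the FNV-1a hash and all function names are constructed for this example. Using real_read() as the trusted path is an assumption made so the block runs offline; in practice that view must come from outside the host OS, as the second-OS approach provides, since any read path inside the OS can be hooked in the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE      512
#define NUM_SECTORS      8
#define MBR_BOOTCODE_LEN 446   /* bootstrap code: bytes 0..445 */
#define MBR_SIG_OFF      510   /* 0x55 0xAA boot signature at 510..511 */
#define HIDDEN_LBA       7     /* where the simulated bootkit stashes the clean MBR */
static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];   /* constructed disk image, sector 0 = MBR */
/* The storage read path: on Windows the port driver's dispatch (major
 * function) routine; here a function pointer, which a ring-0 rootkit overwrites. */
typedef int (*read_fn)(uint32_t lba, uint8_t *buf);
static int real_read(uint32_t lba, uint8_t *buf)
{
    if (lba >= NUM_SECTORS) return -1;
    memcpy(buf, disk[lba], SECTOR_SIZE);
    return 0;
}
static read_fn read_dispatch = real_read;   /* what the OS native API calls */
/* Simulated bootkit: reads of sector 0 are served from the saved clean copy. */
static int hooked_read(uint32_t lba, uint8_t *buf)
{
    return real_read(lba == 0 ? HIDDEN_LBA : lba, buf);
}
void infect_mbr(void)
{
    memcpy(disk[HIDDEN_LBA], disk[0], SECTOR_SIZE);  /* stash original MBR */
    memset(disk[0], 0xCC, MBR_BOOTCODE_LEN);         /* replace bootstrap code */
    read_dispatch = hooked_read;                     /* hijack the read path */
}
/* 1 if the sector ends with the 0x55AA MBR boot signature, else 0. */
int mbr_signature_ok(const uint8_t *sec)
{
    return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA;
}
/* FNV-1a over the bootstrap code: the known-good hash a scanner compares against. */
uint32_t bootcode_hash(const uint8_t *sec)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) { h ^= sec[i]; h *= 16777619u; }
    return h;
}

/* In-OS scan, as a kernel-driver scan engine does it: read the MBR through
 * the OS read path. Returns 1 if infected, 0 if clean, -1 on read error. */
int scan_via_os(uint32_t known_good)
{
    uint8_t sec[SECTOR_SIZE];
    if (read_dispatch(0, sec) != 0) return -1;
    return bootcode_hash(sec) != known_good;
}

/* Cross-view scan: compare the OS read path with a trusted read path.
 * real_read() stands in for the trusted path (assumption); in practice it must
 * come from outside the host OS, since any path inside it can be hooked too.
 * Returns 1 if the two views differ, 0 if they agree, -1 on read error. */
int scan_cross_view(void)
{
    uint8_t os_view[SECTOR_SIZE], trusted_view[SECTOR_SIZE];
    if (read_dispatch(0, os_view) != 0 || real_read(0, trusted_view) != 0) return -1;
    return memcmp(os_view, trusted_view, SECTOR_SIZE) != 0;
}

/* Clean disk: constructed (non-executable) bootstrap bytes plus a valid signature. */
void build_clean_disk(void)
{
    memset(disk, 0, sizeof disk);
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) disk[0][i] = (uint8_t)(i * 7 + 3);
    disk[0][MBR_SIG_OFF] = 0x55;
    disk[0][MBR_SIG_OFF + 1] = 0xAA;
    read_dispatch = real_read;
}

/* Whole scenario. Returns 0 when it plays out as the text describes
 * (in-OS scan fooled, cross-view detects); otherwise the step that misbehaved. */
int run_demo(void)
{
    uint8_t sec[SECTOR_SIZE];
    build_clean_disk();
    real_read(0, sec);
    if (!mbr_signature_ok(sec)) return 1;
    uint32_t known_good = bootcode_hash(sec);
    if (scan_via_os(known_good) != 0) return 2;     /* clean disk: clean verdict */
    if (scan_cross_view() != 0) return 3;           /* clean disk: views agree */
    infect_mbr();
    if (scan_via_os(known_good) != 0) return 4;     /* fooled: still reports clean */
    if (scan_cross_view() != 1) return 5;           /* discrepancy exposes the hook */
    real_read(0, sec);
    if (bootcode_hash(sec) == known_good) return 6; /* raw sector really changed */
    return 0;
}

int main(void)
{
    int r = run_demo();
    if (r == 0) printf("in-OS scan fooled; cross-view exposed the hidden MBR\n");
    else printf("unexpected result at step %d\n", r);
    return r;
}
```

Step 4 is the whole point of the preceding paragraphs: the hash check is correct, the known-good value is correct, and the verdict is still wrong, because the hooked dispatch answers the scanner's read with the stashed clean sector. Step 5 only works because real_read() is not reachable from the hooked path; a real scanner has that property only if its second view comes from outside the host OS.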
Accordingly, new techniques are desirable that can detect malware with anti-access technology in a manner that is transparent to the host OS.