Native operating system services can prevent security software from installing arbitrary hooking within the kernel of operating systems. Security software is thus prevented from filtering all behaviors of an electronic device, including potentially malicious actions by malware. Malware may include, but is not limited to, spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service-attacks, viruses, loggers, Trojans, adware, or any other digital content that produces malicious activity.
The filtering functionality provided by the operating system may be limited, and only available on timelines decided by the operating system vendor. Malware can operate and reside at the same level as security software, particularly in the operating system kernel and thus compromise both the operating system and the integrity of the security software itself.
Many forms of aggressive kernel mode malware tamper with user mode memory to accomplish malicious tasks such as injecting malicious code dynamically, modifying user mode code sections to alter execution paths and redirect into malicious code, and modifying user mode data structures to defeat security software. Additionally, some malware may attack anti-malware applications and processes from the kernel by tampering with the code and data sections of process memory to deceive the detection logic.
Kernel mode rootkits and other malware employ various methods to hide their presence from user mode applications and kernel mode device drivers. The techniques used may vary depending upon where the infection takes place. For example, malware may attack the kernel's active process list of an operating system to delist or unlink a rootkit or other malware process. Other malware may tamper with the code sections of process access and enumeration functions.
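The two evasion techniques just described (unlinking a process from the kernel's active process list, and patching the code sections of enumeration functions) are what a security agent's cross-view and integrity checks are designed to catch. The following is an added illustration, not part of the original text or of any particular product; the process views, routine names and code bytes are constructed sample data, and a real agent would read them from the live operating system and loaded images instead.

```python
import hashlib

# Constructed sample: two independent views of the running processes.
# API_VIEW stands for the list a rootkit can unlink itself from;
# SWEEP_VIEW stands for a source it does not control (e.g. a PID sweep).
API_VIEW = {4: "System", 312: "csrss.exe", 900: "agent.exe"}
SWEEP_VIEW = {4: "System", 312: "csrss.exe", 900: "agent.exe", 1337: "hidden.exe"}

def hidden_processes(api_view, sweep_view):
    """Cross-view diff: a process present in the independent view but absent
    from the API view is a candidate for a delisted/unlinked process."""
    return {pid: name for pid, name in sweep_view.items() if pid not in api_view}

# Constructed sample code sections (hypothetical routine names, made-up bytes)
# standing in for the process access/enumeration functions the agent relies on.
BASELINE_SECTIONS = {
    "EnumProcesses": bytes.fromhex("4883ec28488bd9e800000000"),
    "OpenProcess":   bytes.fromhex("488bc4574883ec50"),
}

def baseline_hashes(sections):
    """Record a SHA-256 per routine at a moment the code is trusted."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in sections.items()}

def check_sections(baseline, hashes, current):
    """Re-hash every routine; for any mismatch report the first differing byte
    offset. An inline hook that redirects execution usually shows up at offset 0,
    because the entry point is what gets overwritten."""
    findings = {}
    for name, code in current.items():
        if hashlib.sha256(code).hexdigest() == hashes[name]:
            continue
        orig = baseline[name]
        pairs = enumerate(zip(orig, code))
        first = next((i for i, (a, b) in pairs if a != b), min(len(orig), len(code)))
        findings[name] = first
    return findings

def demo():
    hashes = baseline_hashes(BASELINE_SECTIONS)
    # Constructed tampering: the first five bytes of EnumProcesses are replaced,
    # the pattern a hook that redirects the entry point leaves behind.
    tampered = dict(BASELINE_SECTIONS)
    tampered["EnumProcesses"] = bytes.fromhex("e900100000") + BASELINE_SECTIONS["EnumProcesses"][5:]
    return hidden_processes(API_VIEW, SWEEP_VIEW), check_sections(BASELINE_SECTIONS, hashes, tampered)
```

Both checks only hold if the agent's own views and baseline hashes are taken from a vantage point the malware cannot reach, which is the gap the text describes when malware runs at the same level as the security software.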
Often, malware will attempt to escape detection by changing binary components of itself so that it will no longer match previously determined digital signatures or hashes. Detection of such self-modifying malware is challenging, as typically malware must first be identified through other means, and a signature for the modified version must be generated and distributed to security agents. By the time a new signature is distributed, the malware may have modified itself again.
In addition, as mentioned, with traditional anti-malware security techniques the anti-malware security agent relies on operating system functions to erase or neutralize malware. However, sophisticated malware may be able to detect or track such techniques and thus avoid erasure or neutralization. For example, malware may monitor the operating system function calls employed to defeat it. If the malware recognizes such attempts, it may disable the anti-malware efforts, or simply copy the offending code elsewhere in the storage or memory of the electronic device. As a specific example, malware may hook a file system driver of the operating system and intercept any command to overwrite or erase malicious code. Moreover, even where malicious code is discovered and overwritten or erased, the neutralized code may already have spawned other threads, and traditional methods for neutralizing malicious threads from other threads may likewise be circumvented, since such methods operate at the user- or kernel-mode level of the operating system and can therefore be defeated by any malware executing with the same execution priority as the operating system.