Malware, short for malicious software, is a term used to define malicious software that can be unwittingly installed on computers and computer systems. Malware can be used by an attacker, for example, to disrupt the normal computer operation, to take control of a computer, or to collect confidential user information such as bank login details. In order to defend against malware attacks, a computer user may install an anti-virus application. Such applications employ a number of techniques to detect malware including searching for fingerprints of known viruses, and analyzing device and/or software behavior (including using rules or “heuristics” to identify suspicious behavior).
Malware has become more and more efficient against detection and removal by anti-virus engines. Malware may utilize kernel-level protection techniques by patching system drivers and integrating malicious code directly into low-level disk systems. Malware can also infect the contents of the master boot record (MBR) stored on the device. The MBR is the 512-byte boot sector, which is the first sector (“LBA Sector 0”) of a partitioned data storage device. In a computer's hard disk drive, the MBR is the sector that the BIOS (stored in RAM memory) looks first for instructions what to do, when the computer is booted.
By installing malicious code into the MBR of a device, which is started ahead of the operating system (OS), an attacker may be able to install malware into the computer itself. An example of such malware is Rootkit MBR.TDSS.B. This malware is able to create its own file system that is located near to the end of the hard disk. The launch point of the malware may reside at the MBR of the disk and the malware is started together with an OS kernel. After the file system becomes available for the computer system, the malware patches a system driver and hooks access to the infected MBR. Thus, it is possible that an attempt to read the infected sector from a scanner driver or process is filtered by the malware. The malware may respond with an original, pre-infected, copy of the MBR as the result of the read attempt, thus fooling the scanner and remaining undetected. Such penetration method allows the malware to withstand an anti-virus scanner. Current detection and removal instructions instruct the user to boot the operating system from an external media (for example, bootable CD or USB) and to perform an offline disinfection. Such offline methods have poor usability and, moreover, the user may be unaware that the system is infected.