“Malware” is a term used for malicious software that is installed on computers and computer systems without the user's knowledge or consent. Whilst the term encompasses viruses, trojans, spyware and so on, it is often used interchangeably with the terms “computer virus” or “virus”. Malware can be used by an attacker, for example, to disrupt normal computer operation, to take control of a computer, or to collect confidential user information such as bank login details. In order to defend against malware, a computer user may install an anti-virus application such as, for example, F-Secure Internet Security™. Such applications employ a number of techniques to detect malware, including searching for signatures (“fingerprints”) of known malware and analysing device and/or software behaviour (including using rules or “heuristics” to identify suspicious behaviour).
Today, the majority of malware infections arise as a result of so-called “drive-by” downloads. This type of attack starts with a computer user directing his or her web browser to a website that is controlled by an attacker or which is otherwise compromised. The code that is downloaded into the web browser either contains the malware itself or directs the browser to another Internet site from which the malware is downloaded, typically by exploiting a vulnerability in the browser or one of its plug-ins so that no user action is required. Infection may also result from a user loading a disk (e.g. CD, DVD, etc.) into a computer or plugging a removable storage device such as a USB stick into the computer, with the malware, or installation code which directs the computer to download malware from an Internet site, being present on the disk or other removable storage device. Whilst users can to a large extent protect themselves against drive-by download attacks, i.e. by visiting only trusted sites and/or avoiding suspicious sites, they may be more vulnerable to attacks associated with removable storage devices, particularly as they may believe that a conventional anti-virus application will always prevent infection by scanning such devices before any data or software is installed from them. This is especially true in the case of USB devices, as these may be presumed to be more trustworthy than disks. An attacker's reliance on a typical but mistaken assumption on the part of users is often termed “social engineering”.
Considering further an attack involving a removable storage device, in order to gain the upper hand over anti-virus applications, an attacker may seek to compromise the contents of the master boot record (MBR) stored on the device. The MBR is the 512-byte boot sector that is the first sector (“LBA Sector 0”) of a partitioned data storage device. Its first 446 bytes hold executable boot code, followed by a 64-byte partition table of four 16-byte entries, and it ends with the two-byte boot signature 0x55AA, without which the BIOS will not treat the sector as bootable. In the case of a computer's hard disk drive, the MBR is the sector that the BIOS (stored in non-volatile memory on the motherboard, not in RAM) looks to first for instructions when the computer is booted: it copies the sector into RAM and jumps to the boot code. Whilst the BIOS is usually configured to look first at the MBR of the computer's hard disk drive, in some cases the configured boot order causes the BIOS to look first to a removable storage device to see if it contains an MBR. Benign removable storage devices do often contain an MBR, but the MBR code is typically trivial, for example merely directing the computer to display on the screen a message advising the user to remove the device and reboot the computer. Of course, by inserting malicious code into a device's MBR, an attacker may be able to install malware into the computer itself, and this code runs before the operating system and any anti-virus application installed on it have been loaded. This malware might be an MBR infection of the computer's hard disk drive, e.g. similar to the “MebRoot” trojan, or a more conventional form of malware.
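The following is an added example, not code from the original document or from F-Secure, of how a scanner for removable media might inspect a device's LBA sector 0 along the lines described above: it splits the 512 bytes into boot code, partition table and signature, and flags boot code that is neither empty nor on an allow-list of known trivial stubs. The sample sectors, the `build_mbr` helper and the allow-list are constructed here for illustration (the "benign stub" is a two-byte `jmp $`, not a real vendor stub), and the classification strings are this example's own choice.

```python
"""Parse a 512-byte master boot record and flag boot code that is not a known
benign stub. Added example; the sample MBRs are constructed, not real firmware
or malware."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: code the BIOS jumps to
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511; without it the BIOS skips the device


def build_mbr(boot_code: bytes, partitions=(), signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from its parts (used here only to construct samples)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        # status, CHS start (3 bytes, unused here), type, CHS end, LBA start, size in sectors
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\0")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0") + table + signature


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_SIZE]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),  # hash of all 446 bytes
        "boot_code_empty": not any(boot_code),
        "partitions": partitions,
    }


def assess_mbr(sector: bytes, known_benign: set) -> str:
    """Classify the boot code the way a scanner of removable media might."""
    info = parse_mbr(sector)
    if not info["boot_signature_ok"]:
        return "not bootable: no 0x55AA signature, BIOS will not execute it"
    if info["boot_code_empty"]:
        return "bootable but boot code is all zeros"
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):  # only 'inactive' and 'active' are valid
            return "suspicious: malformed partition table"
    if info["boot_code_sha256"] in known_benign:
        return "known benign stub"
    return "unknown boot code: needs inspection"


# Constructed benign stub: 'jmp $' (EB FE) standing in for the trivial code a
# vendor-formatted USB stick may carry. A real allow-list would hold hashes of
# the actual vendor stubs ("remove the device and reboot" messages).
STUB_BOOT_CODE = b"\xeb\xfe"
# Constructed "unknown" boot code: a common boot-loader prologue (cli; xor ax,ax;
# mov ds,ax; mov sp,0x7c00) followed by filler bytes. Not malware, just not allow-listed.
UNKNOWN_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8\xbc\x00\x7c" + bytes(range(1, 200))
SAMPLE_PARTS = [(0x80, 0x0C, 2048, 30_000_000)]  # one active FAT32 (LBA) partition

SAMPLE_STUB_MBR = build_mbr(STUB_BOOT_CODE, SAMPLE_PARTS)
SAMPLE_UNKNOWN_MBR = build_mbr(UNKNOWN_BOOT_CODE, SAMPLE_PARTS)
SAMPLE_UNSIGNED_MBR = build_mbr(UNKNOWN_BOOT_CODE, SAMPLE_PARTS, signature=b"\0\0")
SAMPLE_BAD_TABLE_MBR = build_mbr(UNKNOWN_BOOT_CODE, [(0x42, 0x0C, 2048, 1000)])

# Allow-list is keyed on the full 446-byte (zero-padded) boot-code region.
KNOWN_BENIGN = {hashlib.sha256(STUB_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\0")).hexdigest()}

if __name__ == "__main__":
    for name, mbr in [("stub", SAMPLE_STUB_MBR), ("unknown", SAMPLE_UNKNOWN_MBR),
                      ("unsigned", SAMPLE_UNSIGNED_MBR), ("bad-table", SAMPLE_BAD_TABLE_MBR)]:
        print(f"{name:10s} {assess_mbr(mbr, KNOWN_BENIGN)}")
```

On a real device the 512 bytes would be read from the raw block device (for instance `/dev/sdb` on Linux, opened read-only) rather than constructed. The hash-based allow-list is deliberate: boot code is position-dependent real-mode x86, so a single changed byte is a different program, and anything not on the list is worth disassembling before the device is allowed to remain in the boot order.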