Malicious software such as computer viruses, worms, etc., more generally known as malware, continues to increase in sophistication despite constant efforts to prevent it. In particular, certain advanced malware is able to infect the bootstrap components of a computer operating system such as the master boot record (MBR), operating system driver files, service items in the registry and other components such as native applications. Such an infection is especially problematic in the case of malware such as a root kit or a boot kit.
As known in the art, a root kit is software inserted onto a computer system after an attacker has gained control of the system. Root kits often include functions to hide the traces of the attack, for example by deleting logged entries or by cloaking the attacker's processes. Root kits might include backdoors, allowing the attacker to easily regain access later or to exploit software to attack other systems. Because they often hook into the operating system at the kernel level to hide their presence, root kits can be very hard to detect. A backdoor is a piece of software that allows access to the computer system by bypassing the normal authentication procedures. There are two groups of backdoors, depending upon how they work and spread. The first group works much like a Trojan horse, i.e., they are manually inserted into another piece of software, executed via their host software, and spread when the host software is installed. The second group works more like a worm in that they are executed as part of the boot process and are usually spread by worms carrying them as their payload. A boot kit is much like a root kit, but it usually inserts malicious code into system components that are indispensable for operating system bootstrapping, and it stays alive and invisible even after the operating system is rebooted.
Because this type of malware may have infected the bootstrap components of the operating system, it can be problematic to clean or remove it. Historically, it has been hard to determine whether cleaning or removing this type of malware might lead to an operating system bootstrap failure, causing a very bad user experience, let alone a public-relations disaster for the antivirus vendor of the cleanup software.
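As an added illustration that is not part of this document, the following Python checks a 512-byte MBR image against a recorded known-good SHA-256 of its bootstrap code area and sanity-checks the boot signature and partition table; a defender records such a baseline from a clean disk before any cleanup touches the boot sector, so that an unexpected change to the bootstrap code, or a repair that left the sector inconsistent, is recognised before rebooting. The MBR layout (446 bytes of code, four 16-byte partition entries, 0x55AA signature) is the standard one; the sample sector and its boot-code bytes are constructed here, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446    # bootstrap code occupies the first 446 bytes
PART_TABLE_OFF = 446   # four 16-byte partition entries follow it
SIGNATURE_OFF = 510    # last two bytes hold the 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "signature": sector[SIGNATURE_OFF:MBR_SIZE]}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings for an MBR; an empty list means it matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = sum(1 for p in mbr["partitions"] if p["bootable"])
    if bootable != 1:
        findings.append(f"{bootable} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed stand-in for vendor boot code; a real baseline is recorded from a known-clean disk.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Fixture with its first byte altered, to show that any change to the code area is flagged.
MODIFIED_MBR = b"\x90" + CLEAN_MBR[1:]
```

In practice the baseline is stored off-host, and the same check is rerun after cleanup and before the reboot that the text above warns about.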
Accordingly, an improved technique is desired for detecting, cleaning and/or removing malware that may have infected the bootstrap components of a computer operating system.