Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, Trojan horses, rootkits, adware, spyware and any other malicious and unwanted software.
When a device is infected by a malware program, the user will often notice unwanted behaviour and degradation of system performance, as the infection can create unwanted processor activity, memory usage and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems and take inappropriate remedial action, when the actual cause is a malware infection of which they are unaware. Furthermore, even if a malware infection does not cause a perceptible change in the performance of a device, it may be performing other malicious functions, such as monitoring and stealing potentially valuable commercial, personal and/or financial information, or hijacking the device so that it may be exploited for some illegitimate purpose.
Many end users make use of anti-virus software to detect and possibly remove malware. However, in order to hide the presence of malware from end users and to evade detection by anti-virus software, malware authors design their malware to mask or disguise itself as a legitimate process running on the computer. The malware achieves this by injecting its executable code into another process running on the computer; the target process then blindly executes this malware code, effectively concealing the source of the malicious behaviour.
One of the ways used to detect malware is to use a technique known as “sandboxing”. A sandbox is a security mechanism used for executing untrusted programs. A sandbox is a confined execution environment in which the untrusted program can be executed in order to analyse the effects and actions of the untrusted program, and so determine whether or not it is malware. A sandbox environment provides controlled resources in which the program can be executed. Typically, a sandbox environment will not allow an untrusted program to access a network, inspect the host system or read from input devices. A sandbox environment can operate as a virtual machine, in which case a virtual machine is emulated and appears to have almost all the resources of an operating system.
As malware becomes more sophisticated, it is coded so as to be more effective at avoiding detection. When malware is executed in a sandbox, it can look for anomalies between the environment in which it is executed and the expected environment of a real operating system. If it detects any differences, it can conclude that it is being executed in a sandbox and so avoid behaviour that would reveal it to be malware. In this way, malware can evade detection even in a sandbox environment.
A typical method of detecting a sandbox is to compare the appearance and functionality of the environment to that of a real environment. This could be done by comparing the results or error codes returned by API functions, analysing the content of system memory structures, or analysing the state of CPU registers after API function calls.