A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence. Once a rootkit is installed, it allows an attacker to mask the intrusion and to gain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Although rootkits can be used for a variety of purposes, they are often used maliciously to make a bundled software payload undetectable by adding stealth capabilities.
Contemporary rootkits are capable of infecting boot drivers, which execute before an operating system becomes active, and thus before conventional antimalware countermeasures can be taken. Once the operating system has become active, an infected boot driver can load and execute additional malware (the so-called “payload”). More specifically, some rootkits that attack boot drivers modify the resource section of a boot driver, changing the boot driver entry point to a small section of malicious code. When the infected boot driver loads, this section of malicious code executes and in turn loads additional malicious code stored on hidden sectors, for example at the end of the partition. Thus, the boot driver is infected so as to execute just enough malicious code to load the malicious payload, which can subsequently execute undesirable functionality (e.g., misappropriating computing resources, logging keystrokes, or stealing passwords). Such an infected driver typically is not changed in any other way, and is otherwise fully functional in its original capacity.
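The two infection traits described above (an entry point redirected into the driver's resource section, and a payload parked in sectors beyond the last partition) are both checkable from a raw image. The following is an added example, not code from the original document; it parses a PE section table and an MBR partition table with the standard library only, and runs against small constructed images built by the `build_test_pe` and `build_test_disk` helpers (both hypothetical, as are the function names). The layouts it reads (COFF header, PE32 optional header, 40-byte section headers, 16-byte MBR entries) are the documented on-disk formats.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
SECTOR = 512


def parse_pe_sections(image: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", image, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at +16 in both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sec_table = opt + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry_rva, sections


def entry_point_anomaly(image: bytes):
    """None if the entry point lies in an executable code section, else a reason string.

    A legitimate driver starts in .text (or another executable section); an entry
    point inside .rsrc or a non-executable section is the pattern described above.
    """
    entry_rva, sections = parse_pe_sections(image)
    for name, vaddr, vsize, chars in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, 1):
            if name == ".rsrc":
                return f"entry point 0x{entry_rva:x} inside resource section"
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                return f"entry point 0x{entry_rva:x} inside non-executable section {name}"
            return None
    return f"entry point 0x{entry_rva:x} outside every section"


def partition_tail_has_data(disk: bytes):
    """Parse a classic MBR and report non-zero sectors past the last partition.

    Returns (first_unallocated_lba, tail_sector_count, [lbas holding non-zero data]).
    """
    if disk[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR")
    total = len(disk) // SECTOR
    last_lba = 0
    for i in range(4):
        # Entry: status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4).
        ptype, lba_start, count = struct.unpack_from("<4xB3xII", disk, 446 + i * 16)
        if ptype != 0 and count:
            last_lba = max(last_lba, lba_start + count)
    tail = disk[last_lba * SECTOR:]
    dirty = [last_lba + off // SECTOR for off in range(0, len(tail), SECTOR)
             if any(tail[off:off + SECTOR])]
    return last_lba, total - last_lba, dirty


def build_test_pe(entry_rva: int) -> bytes:
    """Constructed, non-loadable PE32 skeleton with a .text and a .rsrc section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint

    def sec(name, vaddr, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    text = sec(b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc = sec(b".rsrc", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + rsrc


def build_test_disk(hide_payload: bool) -> bytes:
    """Constructed 32 KiB disk image: one partition at LBA 1..47, 16 unallocated tail sectors."""
    disk = bytearray(SECTOR * 64)
    struct.pack_into("<B3xB3xII", disk, 446, 0x80, 0x07, 1, 47)
    disk[510:512] = b"\x55\xAA"
    if hide_payload:
        disk[60 * SECTOR:60 * SECTOR + 16] = b"CONSTRUCTED-STUB"  # constructed marker, not malware
    return bytes(disk)


if __name__ == "__main__":
    print(entry_point_anomaly(build_test_pe(0x1000)))   # None: entry in .text
    print(entry_point_anomaly(build_test_pe(0x2010)))   # flagged: entry in .rsrc
    print(partition_tail_has_data(build_test_disk(True)))  # (48, 16, [60])
```

Both checks are heuristics for triage rather than proof of infection: a packed or unusually linked driver can trip the entry-point rule, and unallocated tail sectors may hold leftovers from an earlier partition layout. They are only meaningful when the bytes come from the raw device rather than through the running system's file APIs, since the next paragraph explains how the same malware can answer file reads with a clean copy.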
Such malicious code can also subvert operating system services that conventional antimalware systems rely on to detect and repair infections. For example, the malware can intercept attempts to read from and/or write to the infected boot driver, and transparently divert the intercepted attempts to a clean copy of the driver stored elsewhere on the computer. Because of this spoofing, the infected boot driver typically cannot be detected by a conventional antimalware system. A secondary problem can occur when the malware infects a critical system component. In this case, even if the infection is detected, a clean copy of the component may not be available to replace the infected one.
For a conventional antimalware system to address malware that infects boot drivers, it is necessary to perform a “clean-boot” from another medium such as a stand-alone DVD-ROM system. The clean boot method for malware repair is time consuming, inconvenient to the user, and requires possession and handling of the additional medium. Also, clean versions of infected files must be acquired from another source such as the operating system distribution medium.
It would be desirable to address these issues.