Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer device without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software.
When a computer device is infected by a malware program, the user will often notice unwanted behaviour and degradation of system performance, as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected computer device may incorrectly assume that poor performance is a result of software flaws or hardware problems, and take inappropriate remedial action, when the actual cause is a malware infection of which they are unaware. Furthermore, even if a malware infection does not cause a perceptible change in the performance of a computer device, it may be performing other malicious functions such as monitoring and stealing potentially valuable commercial, personal and/or financial information, or hijacking the computer device so that it may be exploited for some illegitimate purpose.
Many computer device users make use of anti-virus software to detect and possibly remove malware. However, in order to hide the presence of malware from end users and to evade detection by anti-virus software, malware authors try to hide their malware by designing it to mask or disguise itself as a legitimate process running on the computer. The malware achieves this by injecting its executable code into another process running on the computer. The target process then blindly executes this malware code, effectively concealing the source of the malicious behaviour.
Some types of malware are more difficult to detect and remove than others. For example, malware may be in the form of a rootkit, which obscures the fact that the malware is present by hiding files or processes that would otherwise be interpreted as malware activity, or by replacing system executable files with files that appear to be uninfected system executable files.
Removing malware from a computer device can be challenging. For example, if a computer device is running a Windows® operating system, then the anti-virus application tasked with the removal of the malware is also running under the Windows® operating system. If the Windows® operating system has been modified by the malware, then it may prevent the anti-virus application from modifying the necessary files or data to remove the malware.
There are several approaches that can be used to mitigate this problem, as follows:
1. Starting an anti-virus component early during boot-up of the operating system. Some malware programs are designed to run as early as possible during the start-up procedures of the computer. They can then inject themselves into one of the running processes that have been loaded into the computer device's RAM, before removing almost all references and traces of the malware from the system, such as the original start-up files on the hard disk and any launch point (usually, an entry in the registry) that caused the start-up files to run automatically, keeping only the run-time code inside the target process. This makes it more difficult to detect and remove such malware programs once the anti-virus software is active. Starting the anti-virus component early during boot-up of the operating system relies on the fact that the malware is unlikely to be active before the removal operation starts, so that the anti-virus component has access to all necessary data in order to remove the malware.
2. Starting the anti-virus component late during shut down of the operating system. Typically, the shutdown of a computer system causes all services, including those provided by anti-virus software, to stop any activity. However, there is still a short period during which the malware can set itself to run once the computer is rebooted. As such, some malware programs are designed to re-write themselves onto the hard disk and re-create their launch points to ensure that they will run the next time the computer is started. Starting the anti-virus component late during the shut down of the computer device relies on the fact that the malware is no longer active while the operating system still has enough function to support the anti-virus component in removing the malware. This may not be the case.
3. Booting the computer from a separate medium (such as a CD or a flash drive) into a second operating system (for example, a Linux® operating system) and executing an anti-virus component under the second operating system in order to perform removal of the malware.
The first two approaches described above are not always reliable, particularly if the malware has been designed to be active early in the boot sequence or late in a shut down operation. The third approach described above tends to be more effective, but relies on the user of the computer device having access to a separate medium that includes a bootable operating system and the anti-virus application. Furthermore, the third approach may rely on the user of the computer device modifying BIOS settings in order to ensure that the computer device boots from the separate medium rather than from the usual start point (typically a hard drive connected to the computer device).