Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software.
When a device is infected by a malware program, the user will often notice unwanted behaviour and degraded system performance, because the infection can create unwanted processor activity, memory usage and network traffic. This can also cause stability problems leading to application or system-wide crashes. The user of an infected device may wrongly attribute the poor performance to software flaws or hardware problems and take inappropriate remedial action, when the actual cause is a malware infection of which they are unaware. Furthermore, even if a malware infection causes no perceptible change in the performance of a device, it may be performing other malicious functions, such as monitoring and stealing potentially valuable commercial, personal and/or financial information, or hijacking the device so that it can be exploited for some illegitimate purpose.
Many end users use anti-virus software to detect and, where possible, remove malware. In order to detect a malware file, the anti-virus software must have some way of identifying it amongst all the other files present on a device. Typically, this requires the anti-virus software to have a database containing the “signatures” or “fingerprints” that are characteristic of individual malware program files. When the supplier of the anti-virus software identifies a new malware threat, the threat is analysed and its signature is generated. The malware is then “known”, and its signature can be distributed to end users as updates to their local anti-virus software databases.
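The signature workflow described above, as an added example that is not part of the original text: a vendor-side step analyses one sample and derives two kinds of signature (an exact SHA-256 file hash and a characteristic byte sequence), which are then loaded into a local database and used to scan files. All sample bytes, family names and the "Demo.Trojan.A" label are constructed for the demo and are not real malware signatures; the database and scanner are a hypothetical minimal design, not any vendor's engine.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed demo data: none of these bytes, names or hashes are real malware
# signatures; they exist only to exercise the scanner.
CONSTRUCTED_PATTERN = b"DEMO-PATTERN-7f3a"
KNOWN_SAMPLE = b"MZ\x90\x00 demo header " + CONSTRUCTED_PATTERN + b" payload-bytes"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"payload-bytes", b"payload-bytez")  # one byte differs
CLEAN_SAMPLE = b"MZ\x90\x00 demo header ordinary program bytes"
UNKNOWN_SAMPLE = b"MZ\x90\x00 demo header NEW-FAMILY-NOT-IN-DB"


@dataclass
class SignatureDatabase:
    """Hypothetical local signature database: exact-file hashes plus byte patterns."""
    hashes: dict[str, str] = field(default_factory=dict)      # sha256 hex -> family name
    patterns: dict[str, bytes] = field(default_factory=dict)  # family name -> byte sequence

    def add_hash(self, sha256: str, name: str) -> None:
        self.hashes[sha256.lower()] = name

    def add_pattern(self, name: str, pattern: bytes) -> None:
        self.patterns[name] = pattern


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_demo_db() -> SignatureDatabase:
    """Simulates the vendor step: analyse KNOWN_SAMPLE, derive its signatures, ship them."""
    db = SignatureDatabase()
    db.add_hash(sha256_hex(KNOWN_SAMPLE), "Demo.Trojan.A")
    db.add_pattern("Demo.Trojan.A", CONSTRUCTED_PATTERN)
    return db


def scan_file(data: bytes, db: SignatureDatabase) -> list[str]:
    """Return the signatures that match one file's contents (empty list = no match)."""
    hits: list[str] = []
    family = db.hashes.get(sha256_hex(data))
    if family is not None:
        hits.append(f"hash:{family}")
    for family, pattern in db.patterns.items():
        # Plain substring search; production engines add offsets, wildcards and
        # multi-pattern matching, but the principle is the same.
        if pattern in data:
            hits.append(f"pattern:{family}")
    return hits


def scan_files(files: dict[str, bytes], db: SignatureDatabase) -> dict[str, list[str]]:
    """Scan every (path, contents) pair against the database."""
    return {path: scan_file(data, db) for path, data in files.items()}


if __name__ == "__main__":
    db = build_demo_db()
    files = {"known.bin": KNOWN_SAMPLE, "variant.bin": VARIANT_SAMPLE,
             "clean.bin": CLEAN_SAMPLE, "unknown.bin": UNKNOWN_SAMPLE}
    for path, hits in scan_files(files, db).items():
        print(f"{path:12s} {'DETECTED ' + ', '.join(hits) if hits else 'no match'}")
```

The run shows why both signature types are kept: the exact hash catches only the analysed file, the byte pattern still catches the one-byte variant, and neither catches the constructed "unknown" family that has not yet been analysed, which is the gap the next paragraph addresses.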
Approaches that rely on signature scanning to detect malware still leave computers vulnerable to “unknown” malware programs whose signatures have not yet been analysed. To address this, most anti-virus applications additionally employ heuristic analysis alongside signature scanning. This approach applies general rules intended to identify patterns that distinguish the behaviour of malware from that of clean, legitimate programs. For example, the behaviour of all programs on a computer is monitored, and if a program attempts to write data to an executable program, the anti-virus software can flag this as suspicious behaviour. Heuristics can be based on behaviours such as API calls, attempts to send data over the Internet, and so on.
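A behaviour-based heuristic engine of the kind the paragraph describes, as an added example that is not part of the original text: a constructed log of monitored events (file writes, network sends, API calls) is grouped per process, each general rule contributes a weight and a reason, and a process is flagged when its total crosses a threshold. The process names, paths, addresses, rule weights and threshold are assumptions made for the demo; the two API names are real Win32 calls, but treating them as sensitive is this example's choice, not a rule taken from the page.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed behaviour log: one dict per event, as a monitoring hook might
# report it. Process names, paths and addresses are made up for the demo.
EVENTS = [
    {"process": "notepad.exe", "action": "file_write", "target": r"C:\Users\alice\notes.txt"},
    {"process": "updater.exe", "action": "file_write", "target": r"C:\Program Files\App\app.exe"},
    {"process": "updater.exe", "action": "net_send", "target": "203.0.113.5:443", "bytes": 120000},
    {"process": "browser.exe", "action": "net_send", "target": "198.51.100.7:443", "bytes": 2048},
    {"process": "svc.exe", "action": "api_call", "target": "SetWindowsHookEx"},
    {"process": "svc.exe", "action": "net_send", "target": "203.0.113.9:8080", "bytes": 512},
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")
# Real Win32 APIs; weighting them as sensitive is this demo's assumption.
SENSITIVE_APIS = {"SetWindowsHookEx", "WriteProcessMemory"}
FLAG_THRESHOLD = 3  # assumed: score at or above this is reported as suspicious


def rule_writes_executable(events: list[dict]) -> tuple[int, str | None]:
    """The page's own example: a program writing data into an executable file."""
    for e in events:
        if e["action"] == "file_write" and e["target"].lower().endswith(EXECUTABLE_SUFFIXES):
            return 3, f"wrote to executable {e['target']}"
    return 0, None


def rule_sends_data(events: list[dict]) -> tuple[int, str | None]:
    """Outbound network traffic is weak evidence on its own, so it scores low."""
    for e in events:
        if e["action"] == "net_send":
            return 1, f"sent {e.get('bytes', 0)} bytes to {e['target']}"
    return 0, None


def rule_sensitive_api(events: list[dict]) -> tuple[int, str | None]:
    """Calls into APIs commonly used to intercept input or tamper with other processes."""
    for e in events:
        if e["action"] == "api_call" and e["target"] in SENSITIVE_APIS:
            return 2, f"called sensitive API {e['target']}"
    return 0, None


RULES = [rule_writes_executable, rule_sends_data, rule_sensitive_api]


def analyse(events: list[dict]) -> dict[str, dict]:
    """Group events per process, apply every rule, and return score, reasons and verdict."""
    by_process: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_process[e["process"]].append(e)

    verdicts: dict[str, dict] = {}
    for process, evs in by_process.items():
        score, reasons = 0, []
        for rule in RULES:
            weight, reason = rule(evs)
            if weight:
                score += weight
                reasons.append(reason)
        verdicts[process] = {"score": score, "reasons": reasons,
                             "flagged": score >= FLAG_THRESHOLD}
    return verdicts


if __name__ == "__main__":
    for process, v in analyse(EVENTS).items():
        status = "SUSPICIOUS" if v["flagged"] else "ok"
        print(f"{process:12s} score={v['score']} {status} {'; '.join(v['reasons'])}")
```

Note that updater.exe is flagged even though a legitimate software updater also writes executables and talks to the network: that false-positive cost is inherent in general rules, and is why heuristics are used alongside signatures rather than instead of them, with weights tuned and trusted programs allowlisted in practice.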
It can also be useful to perform heuristic analysis of a program whilst it is executed in an isolated environment or test system. Executing a program in such an isolated environment is known as virtualisation or emulation, as the program runs in a virtual or emulated computer. A virtual machine or emulator is a program that mimics the functionality of the various components of a real computer system. For example, a computer running a Linux operating system can run a virtual machine that imitates the environment provided by a Windows® operating system. This can include emulation of the CPU, the memory, the communications interfaces and any associated hardware. Programs can thus be executed in the virtual machine or emulator as if they were running on an actual computer system, and can therefore be analysed without risking damage to the underlying computer system. However, when run within an emulated computer system or virtual machine, a program may not behave as intended because of the limited resources and/or capabilities of the emulated computer system.
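The idea of observing a program inside an emulated machine, including the caveat that limited resources can change what is observed, as an added example that is not part of the original text. A toy instruction set (constructed for the demo; a real emulator decodes the target CPU's machine code and its OS calls) runs against an in-memory virtual disk and virtual network, producing a behaviour trace while the host file system is never touched. The instruction budget is the emulated "limited resource": the same program that writes an executable and sends data when given enough budget produces no such behaviour when the budget is exhausted by its initial delay loop. The program, paths, host address and budgets are all assumptions.

```python
from __future__ import annotations

# Constructed toy instruction set so the emulator has something to run:
#   ("spin", n)            burn n instructions doing nothing (a delay loop)
#   ("write", path, data)  write data to a file in the virtual file system
#   ("send", host, data)   send data over the virtual network interface
#   ("halt",)              stop
DEMO_PROGRAM = [
    ("spin", 5000),
    ("write", "C:/App/app.exe", b"MZ modified"),
    ("send", "203.0.113.9", b"report"),
    ("halt",),
]


class Emulator:
    """Runs a toy program against a virtual disk and network; the host is never touched."""

    def __init__(self, instruction_budget: int) -> None:
        self.budget = instruction_budget
        self.fs: dict[str, bytes] = {"C:/App/app.exe": b"MZ original"}  # virtual disk image
        self.net: list[tuple[str, bytes]] = []                          # captured outbound traffic
        self.trace: list[str] = []                                      # behaviour log for analysis

    def run(self, program: list[tuple]) -> dict:
        pc, executed, spin_left = 0, 0, 0
        while pc < len(program):
            if executed >= self.budget:
                # Resource limit hit: whatever the program would have done next is unobserved.
                self.trace.append("budget_exhausted")
                break
            executed += 1
            op, *args = program[pc]
            if op == "spin":
                spin_left = spin_left - 1 if spin_left else args[0] - 1
                if spin_left > 0:
                    continue  # stay on this instruction for another iteration
            elif op == "write":
                path, data = args
                self.fs[path] = data  # lands in the virtual disk, not on the host
                self.trace.append(f"write {path}")
            elif op == "send":
                host, data = args
                self.net.append((host, data))  # captured instead of reaching a real network
                self.trace.append(f"send {host} {len(data)} bytes")
            elif op == "halt":
                self.trace.append("halt")
                break
            else:
                raise ValueError(f"unknown opcode {op!r}")
            pc += 1
        return {"trace": list(self.trace), "fs": dict(self.fs),
                "net": list(self.net), "executed": executed}


def run_demo(instruction_budget: int) -> dict:
    """Emulate DEMO_PROGRAM with the given budget and return everything observed."""
    return Emulator(instruction_budget).run(DEMO_PROGRAM)


if __name__ == "__main__":
    for budget in (10_000, 1_000):
        result = run_demo(budget)
        print(f"budget={budget}: executed={result['executed']} trace={result['trace']}")
        print(f"  virtual app.exe now: {result['fs']['C:/App/app.exe']!r}")
```

With a generous budget the trace records the executable write and the outbound send, and only the emulator's own dictionary changes; with a small budget the trace contains only "budget_exhausted" and the virtual file is untouched, so an analyst relying on that run would miss the behaviour entirely. In practice, emulators mitigate this by advancing virtual clocks, skipping recognised delay loops and raising budgets when a run ends inconclusively.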