The constant progress of communication systems that connect computers, particularly the explosion of the Internet and intranet networks, has resulted in the development of a new information era. With a single personal computer, a user may obtain a connection to the Internet and have direct access to a wide range of resources, including electronic business applications that provide a wide range of information and services. However, as more computers have become interconnected through various networks such as the Internet, abuse by malicious computer users has also increased, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, spyware, adware, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
Those skilled in the art and others will recognize that malware may become resident on a computer using a number of techniques. For example, a computer connected to the Internet may be attacked so that a vulnerability on the computer is exploited and the malware is delivered over the network as an information stream. By way of another example, malware may become resident on a computer using social engineering techniques. For example, a user may access a resource such as a Web site and download a program from the Web site to a local computer. While the program may be described on the Web site as providing a service desirable to the user; in actuality, the program may perform actions that are malicious.
When a malware becomes resident on a computer, the adverse results may be readably noticeable to the user, such as system devices being disabled; applications, file data, or firmware being erased or corrupted; or the computer system crashing or being unable to perform normal operations. However, some malware perform actions that are covert and not readily noticeable to the user. For example, spyware typically monitors a user's computer habits, such as Internet browsing tendencies, and transmits potentially sensitive data to another location on the network. The potentially sensitive data may be used in a number of ways, such as identifying a commercial product that matches the observed tendencies of the user. Then the spyware or an associated adware program may be used to display an advertisement to the user that promotes the identified commercial product. Since the advertisement interrupts the normal operation of the computer, the actions performed by the spyware may not be desirable to the user.
Increasingly, malware is employing stealth techniques to hide on a computer or otherwise prevent detection by programs designed to protect a computer (e.g., antivirus software, anti-spyware software, and the like). For example, malware may be distributed with a RootKit which is a type of malware that prevents the detection of other malware. Those skilled in the art and others will recognize that a RootKit acts as a “man-in-the-middle,” monitoring and altering communications between an operating system and programs designed to protect a computer from malware. In this regard, if an antivirus software attempts to list the contents of a directory containing one or more files used by a malware, then the RootKit will censor the file name from the list. Similarly, a RootKit may hide entries in the system registry, process lists and the like, thereby controlling access to all of the information that the RootKit wants hidden. However, those skilled in the art and others will recognize that the functionality implemented by a RootKit may be integrated into other types of malware. Thus, the example of a RootKit is one way to implement stealth techniques for preventing detection of a malware, and this example should be construed as exemplary and not limiting.
While specific disadvantages of existing systems have been illustrated and described in this Background Section, those skilled in the art and others will recognize that the subject matter claimed herein is not limited to any specific implementation for solving any or all of the described disadvantages.