As more and more computers and other computing devices are interconnected through various networks such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, Trojans, RootKits, spy-ware, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems that are communicatively connected by a network connection.
A traditional defense against computer malware and, particularly, against computer viruses and worms, is antivirus software. Most antivirus software identifies malware by matching patterns within data to what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when data is going to be written or read from a storage device on the computer. As known to those skilled in the art and others, computer users have ongoing needs to read and write data to storage devices such as a hard drive. For example, a common operation provided by some software applications is to open a file stored on a hard drive and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software typically performs a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
Increasingly, malware is employing stealth techniques to hide on a computer or otherwise prevent detection by programs designed to protect a computer (e.g., antivirus software, anti-spyware software, and the like). For example, malware may be distributed with a RootKit which is a type of malware that prevents the detection of other malware. Those skilled in the art and others will recognize that a RootKit acts as a “man-in-the-middle,” monitoring and altering communications between an operating system and programs designed to protect a computer from malware.
For illustrative purposes and by way of example only, FIG. 1 depicts how a RootKit is able to control the information that is made available to software designed to protect a computer 100 from malware. As illustrated in FIG. 1, the computer 100 includes an application program 102, an operating system 104, a hardware platform 106, and a RootKit 108. Also, the operating system 104 includes an interface 110 that provides services in the form of an Application Programming Interface (“API”) to application programs installed on the computer 100. The application program 102 performs actions designed to protect the computer 100 from malware. For example, the application program 102 may scan files for malware “on access” when a user attempts to access a file stored on a storage device (not illustrated) included in the hardware platform 106. However, as illustrated in FIG. 1, the application program 102 relies on services provided by the operating system 104 to access data on the hardware platform 106. Moreover, the computer 100 is infected with the RootKit 108 that “hooks” into the operating system 104 where it intercepts calls used to perform basic functions on the computer 100. If an application program attempts to list the contents of a directory containing one or more files used by the RootKit 108, the RootKit 108 will censor the file name from the list. Similarly, the RootKit 108 may hide entries in the system registry, process list, and the like, thereby controlling all of the information that the RootKit 108 wants hidden. As a result, the application program 102 is unable to identify the RootKit 108 and any associated malware that the RootKit 108 is designed to hide.