Malware (short for malicious software) is a term for any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware includes viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious or unwanted software. Any client device, such as a desktop personal computer (PC), laptop, personal digital assistant (PDA) or mobile phone, can be at risk from malware.
When a device is infected by malware, the user may notice unwanted behaviour and degraded system performance, since the infection can create unwanted processor activity, memory usage and network traffic. It can also cause stability problems leading to application or system-wide crashes. The user of an infected device may wrongly attribute the poor performance to software flaws or hardware problems and take inappropriate remedial action, when the actual cause is a malware infection of which they are unaware. Current malware typically tries to remain invisible to the user so that whoever controls it can use it for their own benefit, for example by capturing the user's online banking credentials, sending spam or distributing malware to other users.
Malware detection takes place primarily at two stages: pre-infection and post-infection. Pre-infection detection analyses a piece of software before it is allowed to execute, to determine whether it is malicious. Post-infection detection analyses a computer system for an infection already present on it: scanning the files stored on the system, examining the running processes, searching for hidden files and processes, analysing network traffic leaving the computer and looking for other signs of infection.
Behavioural analysis can be performed on a running computer system by observing the actions performed by its processes and determining whether the actions taken by a given process are typical of malware.
Detecting malware in the post-infection phase is especially challenging (pre-infection detection is challenging too), as malware authors design their software to be difficult to detect, often employing technology that deliberately hides the presence of the malware on a system. For example, the malware application may not appear in the operating system's tables of currently running processes, so that any tool which relies on those tables never sees it.
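The standard post-infection answer to a process that is missing from the operating system's process table is a cross-view check: obtain the same information through two independent paths and look for disagreement. The following is an added example written for this page, not code from the original text; it assumes Linux, where the process table is exposed as the `/proc` directory listing (the view that `ps` and `top` use, and the one a rootkit that filters directory reads tampers with) and where `kill(pid, 0)` asks the kernel whether a PID exists without delivering a signal. The function names are the example's own.

```python
"""Cross-view detection of hidden processes (added example, Linux only).

View 1 is the /proc directory listing; view 2 is a kill(pid, 0) probe of
every possible PID.  A process that answers the probe but is absent from
the listing is hidden from the process table.
"""
import os


def listed_pids(proc_dir="/proc"):
    """View 1: PIDs according to the /proc directory listing."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid):
    """View 2: PIDs that exist according to kill(pid, 0).

    Signal 0 delivers nothing; the kernel only reports whether the target
    exists.  ESRCH (ProcessLookupError) means it does not, EPERM
    (PermissionError) means it exists but belongs to another user.
    Guarded because on Windows os.kill() with an arbitrary signal
    terminates the target instead of probing it.
    """
    if os.name != "posix":
        raise RuntimeError("signal-0 probing is only safe on POSIX systems")
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def tgid_from_proc(pid, proc_dir="/proc"):
    """Thread-group ID of `pid` from /proc/<pid>/status, or None if that
    file cannot be read (the kernel, or a rootkit, will not show it)."""
    try:
        with open(f"{proc_dir}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed_before, probed, listed_after, tgid_of):
    """Cross-view diff: PIDs the probe finds that neither listing shows.

    Two listings bracket the (slow) probe so that processes which start or
    exit during the probe are not mistaken for hidden ones.  Threads answer
    kill() too but are not top-level /proc entries, so a PID whose Tgid is
    some other PID is a thread of a listed process, not a hidden process.
    A PID whose status file cannot be read at all stays flagged.
    """
    suspects = probed - listed_before - listed_after
    hidden = set()
    for pid in suspects:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            hidden.add(pid)
    return hidden


def scan(max_pid=None):
    """Run the full cross-view check on the local system."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return hidden_pids(before, probed, after, tgid_from_proc)


if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"pid {pid} answers kill(0) but is missing from the /proc listing")
```

The check is only as strong as the independence of the two views: a rootkit that hooks both the directory listing and the signal path defeats it, which is why real tools add further views (scheduler statistics, socket tables, brute-force `/proc/<pid>` opens). Expect benign hits when `/proc` is mounted with `hidepid=2`, since other users' processes are then absent from the listing but still answer the probe with EPERM.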
Client devices use anti-virus software to detect and, where possible, remove malware. Anti-virus software can use various methods to detect malware, including scanning, integrity checking and heuristic analysis. Of these, scanning involves the anti-virus software examining files for a fingerprint or "signature" that is characteristic of an individual malware program. Typically this requires the anti-virus software to hold a database of such signatures. When the anti-virus provider identifies a new threat, the threat is analysed and its signature extracted; the malware is then "known" and its signature can be distributed as an update to the anti-virus database. However, scanning files for malware can consume significant processing resources, potentially reducing the performance of the device. Recently the number of malware samples has increased greatly, with the result that the signature databases of anti-virus products have also grown significantly.
A problem with signature-based detection is that malware authors can deliberately generate large numbers of unique samples, each needing its own signature, in order to make traditional local signature mechanisms obsolete.
A further problem is that malware is increasingly written with a specific target in mind, so the malware infecting a client device may be unique: created to attack a particular company or even an individual. Because the malware is unique, it is harder to detect, and it is typically tested against the anti-virus software used by the target to ensure that signature and other mechanisms do not detect the sample. Typically the payload of two malware samples created by the same author will be the same. However, malware is often wrapped in a protective layer produced by an obfuscating packer, which obfuscates or encodes the malware so that it cannot be detected using a signature for the payload. By varying the method or manner of obfuscation, each sample can be uniquely tailored to a particular target while the payload remains the same; consequently two samples of such malware may have completely different outer-level signatures despite carrying the same payload.
There are different methods for handling malware protected by an obfuscating packer. One is to detect the malware by the type of obfuscation layer used. This works well where the protective layer is used only by malware, but produces false positives if the layer is also used by legitimate applications. The other is to remove the protection layer (by emulation or otherwise) to reveal the payload code and scan that. This can consume more processing resources than is desirable, especially on client devices such as mobile telephones with limited processing resources. There may also be code that bypasses the unpacking mechanism or breaks out of the emulation environment.
In addition to unique malware created by using a unique protective layer, the malware payload itself may be written specifically with a target in mind. In that case it will have a unique signature regardless of whether a protective layer is used.
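The three preceding paragraphs (signature scanning, variants that share a payload but differ in their outer layer, and the two ways of handling a packer) can be shown together on a toy model. The following is an added example written for this page, not code from the original text. Everything in it is constructed: the "payload" is a harmless text marker standing in for malicious code, the "packer" is a fixed header plus a per-sample XOR key standing in for a real obfuscating layer, and the signature database, sample names and function names are the example's own. Real signatures would be byte patterns over machine code and real unpacking would require emulating the packer's stub, but the relationship between the three methods is the same.

```python
"""Signature scanning versus packed variants (added, constructed example)."""
from typing import Optional

PACKER_MAGIC = b"TOYPK\x01"                 # constant bytes every sample packed by this toy layer carries
HEADER_LEN = len(PACKER_MAGIC) + 1 + 4      # magic, one key byte, 4-byte payload length

# Constructed samples (not real malware): one payload reused for two targets,
# plus a legitimate program that happens to use the same packer.
MALICIOUS_PAYLOAD = b"PAYLOAD-X: harvest bank logins and post them to c2.invalid"
LEGITIMATE_PROGRAM = b"HELLO-APP: print greeting and exit"

# Signature database: detection name -> byte pattern the scanner looks for.
SIGNATURES = {
    "Trojan.PayloadX": b"harvest bank logins",   # fingerprint of the payload code
    "Packer.TOYPK": PACKER_MAGIC,                 # fingerprint of the protective layer
}


def pack(payload: bytes, key: int) -> bytes:
    """Wrap `payload` in the toy protective layer: fixed stub, then XOR with `key`.
    A different key yields a completely different outer byte pattern."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte value")
    body = bytes(b ^ key for b in payload)
    return PACKER_MAGIC + bytes([key]) + len(payload).to_bytes(4, "big") + body


def unpack(sample: bytes, max_payload: int = 1 << 20) -> Optional[bytes]:
    """Strip the layer to recover the payload, under a resource bound.
    Returns None if the sample is not packed with this layer, is truncated,
    or declares a payload larger than we are willing to process (the
    counterpart of an emulator's instruction or memory budget)."""
    if len(sample) < HEADER_LEN or not sample.startswith(PACKER_MAGIC):
        return None
    key = sample[len(PACKER_MAGIC)]
    size = int.from_bytes(sample[len(PACKER_MAGIC) + 1:HEADER_LEN], "big")
    if size > max_payload or len(sample) < HEADER_LEN + size:
        return None
    return bytes(b ^ key for b in sample[HEADER_LEN:HEADER_LEN + size])


def scan(data: bytes, signatures=SIGNATURES) -> set:
    """Plain signature scan: names of database entries whose pattern occurs in `data`."""
    return {name for name, pattern in signatures.items() if pattern in data}


def verdict(sample: bytes, method: str) -> set:
    """Detection names produced by each approach discussed in the text.
    'outer'  : scan the file as-is with the payload signature only.
    'layer'  : additionally treat the packer's own fingerprint as malicious.
    'unpack' : remove the layer first, then scan the revealed payload."""
    payload_sigs = {"Trojan.PayloadX": SIGNATURES["Trojan.PayloadX"]}
    if method == "outer":
        return scan(sample, payload_sigs)
    if method == "layer":
        return scan(sample, SIGNATURES)
    if method == "unpack":
        inner = unpack(sample)
        return scan(inner if inner is not None else sample, payload_sigs)
    raise ValueError(method)


def demo() -> dict:
    """Run the three methods over the constructed samples."""
    samples = {
        "variant_for_target_A": pack(MALICIOUS_PAYLOAD, key=0x5A),
        "variant_for_target_B": pack(MALICIOUS_PAYLOAD, key=0xC3),
        "packed_legitimate_app": pack(LEGITIMATE_PROGRAM, key=0x5A),
    }
    return {
        method: {name: sorted(verdict(data, method)) for name, data in samples.items()}
        for method in ("outer", "layer", "unpack")
    }


if __name__ == "__main__":
    for method, results in demo().items():
        print(method)
        for name, hits in results.items():
            print(f"  {name:24s} {hits or ['clean']}")
```

Running it shows the trade-off in one table: the payload signature alone misses both packed variants; the layer signature catches both but also flags the legitimate packed program; unpacking first catches both variants and clears the legitimate program, at the cost of the unpacking work and of trusting that `unpack` cannot be tricked into unbounded effort, which is why it refuses truncated input and oversized declared lengths.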