The invention relates to systems and methods for protecting users from malicious software, and in particular to detecting and deactivating rootkits.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data, identity theft, and loss of productivity, among other harms.
Computer programs dedicated to malware scanning employ various methods of detecting and eliminating malware from user computer systems. Such methods include behavior-based techniques and content-based techniques. Behavior-based methods may involve emulating the suspected program in an isolated virtual environment, identifying malicious behavior, and blocking the execution of the offending program. In content-based methods, the contents of a suspected object are commonly compared to a database of known malware-identifying signatures. If a known malware signature is found in the suspected object, the object is labeled as malicious.
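The content-based method described above, as an added illustration that is not part of the original document: a minimal scanner that compiles a database of byte-pattern signatures (hex bytes, with `??` as a one-byte wildcard) and reports which signatures occur in an object's contents. The signature names, patterns and sample objects are constructed for the example and are assumptions, not signatures from any real database.

```python
import re
from typing import Dict, List

# Constructed signature database (hypothetical names and patterns, not from the page).
# Each signature is a whitespace-separated hex byte string; "??" matches any one byte.
SIGNATURES: Dict[str, str] = {
    "Test.Pattern.A": "4d 5a 90 00 ?? ?? ?? ?? 50 45 00 00",
    "Test.Pattern.B": "de ad be ef",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a compiled byte regex."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")                      # wildcard: any single byte
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as a regex escape
    # DOTALL so the wildcard also matches newline bytes (0x0a)
    return re.compile(b"".join(parts), re.DOTALL)


# Compile once; scanning many objects reuses the compiled patterns.
COMPILED: Dict[str, re.Pattern] = {
    name: compile_signature(pat) for name, pat in SIGNATURES.items()
}


def scan_object(data: bytes) -> List[str]:
    """Return the names of every signature whose pattern occurs in the object."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def scan_all(objects: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a mapping of object name -> contents; objects with no hits map to []."""
    return {name: scan_object(data) for name, data in objects.items()}


# Constructed sample objects: one benign buffer, one carrying both patterns.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "benign.bin": b"hello world, nothing to see here",
    "suspect.bin": b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00 padding \xde\xad\xbe\xef",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_OBJECTS).items():
        print(name, "->", hits or "clean")
```

A real scanner would anchor patterns to structural offsets and use a multi-pattern matcher rather than one regex per signature, but the labelling logic is the same: any hit marks the object as malicious.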
Rootkits include stealth capabilities designed to hide the existence of associated processes or programs from normal methods of detection by subverting standard system functionality. For example, some rootkits may hijack file system functionality so that rootkit objects are not listed or otherwise disclosed in response to file system calls. Rootkits can be particularly difficult to identify and remove.
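One defensive response to the file-system hijacking described above is a cross-view check: enumerate the same directory through the ordinary listing API and through an independent lower-level path, then compare. The following is an added example, not code from the original document; the two listings are constructed in-line to stand in for the two enumeration paths, and the entry names are hypothetical.

```python
from typing import Dict, Iterable, Set

# Constructed sample data (not from the page). In a real check, API_VIEW would come
# from the normal directory-listing call and RAW_VIEW from a lower-level source,
# e.g. reading the on-disk file system structures without going through the hooked API.
API_VIEW: Set[str] = {"config.sys", "notes.txt", "report.pdf"}
RAW_VIEW: Set[str] = {"config.sys", "notes.txt", "report.pdf", "hidden_driver.sys"}


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, Set[str]]:
    """Report entries on which the two views of one directory disagree.

    'hidden'  : present in the raw view but absent from the API view. This is the
                footprint of an object being filtered out of normal enumeration.
    'phantom' : present in the API view only. Usually a race (file created or
                deleted between the two enumerations) rather than hiding, so it is
                reported separately instead of being treated as evidence.
    """
    api, raw = set(api_view), set(raw_view)
    return {"hidden": raw - api, "phantom": api - raw}


def is_suspicious(diff: Dict[str, Set[str]]) -> bool:
    """Only entries hidden from the API view count as a rootkit indicator."""
    return bool(diff["hidden"])


if __name__ == "__main__":
    result = cross_view_diff(API_VIEW, RAW_VIEW)
    print("hidden entries:", sorted(result["hidden"]))
    print("suspicious:", is_suspicious(result))
```

Because transient files can appear in one view and not the other, a production check repeats both enumerations and reports only entries that are consistently missing from the API view.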
Fifteen years ago, malware writers were often young and motivated by peer approval and notice. Modern cyber criminals are more often interested in staying away from the public eye and in remaining undetected for as long as possible. In particular, targeted attacks directed at specific individuals and organizations benefit greatly from stealth. Specifically crafted malware, distributed only to a handful of computers, may be unlikely to show up on the radar of security companies, especially given the recent increase in the volume of malware detected. Rootkits are also used by spam botnets.