Malware is software that the owner/user of the computer system does not install himself. Malware typically enters the computer system without the knowledge of the user—generally via the network interface and sometimes through software or other digital data stored on removable media such as a CD-ROM or USB pen-drive. The intent of malicious software is to damage the user's system by deleting important data or deleting important operating system and application executable files rendering the infected system unable to operate. If user data (such as photos, emails, documents) are deleted and the user does not have a backup of the lost data, that user data may never be recovered. If operating system or application files are deleted, the system may be recovered by re-installing the damaged or deleted software. In either case, malware causes significant damage in terms of loss of productivity as well as user data. Malware is becoming more dangerous in that the software may not noticeably damage the system but rather may remain hidden (deleting important files would immediately alert the user to the presence of the malware), attempting to steal important information such as credit card numbers, usernames and passwords, and so on.
Malware typically enters the system via the internet (i.e., via the network interface). Upon entering the system, malware first attempts to become ‘resident’ on the system by writing a copy of malware system files to the secondary storage or hard disk drive of the system. Once a copy is made in persistent storage, the malicious software remains on the computer system until the malicious software is found and deleted (which is what most anti-virus software does). However, becoming persistent on the platform does not guarantee that the malicious software will be activated (or loaded) if the computer is rebooted. To ensure boot-time activation in addition to becoming persistent, the malicious software inserts commands into the startup (or boot) sequence of the computer. Once this is successfully accomplished, the malicious software is re-activated every time the computer is switched on, surviving reboots/power-cycles.
Malware ‘hook’ into the boot sequence of the system by modifying or ‘attaching’ malware software files and/or commands to operating system executable files that are always loaded and activated during the OS boot process. An alternative, frequently used technique is for malware to modify system configuration files that control the boot processes by listing the malware files as ‘legitimate’ system files to be loaded at boot time. Once these operating system executable files and/or system configuration files are corrupted, malware can establish an environment in which protections normally provided by the operating system are circumvented.
Present attempts to address malware have included using a host operating system-based shadow program to monitor critical software drivers and applications such that if the critical drivers or applications are corrupted, then the shadow program will detect the integrity failure and start the repairing or re-installing the software as needed. However, because the host operating system is itself often the target of malware, these shadow programs can be disabled as well.
Another attempt to address malware is to use an Extensible Firmware Interface (EFI) driver to monitor and/or restore critical software drivers and applications prior to loading the host operating system. However, because an EFI driver runs only at system boot time, this solution does not address problems that arise after malware has corrupted system files and before the system is rebooted.
Currently available Tamper Resistance Software (TRS) performs integrity checks of critical software components. However, most of these integrity checks are also performed using functionality of the host operating system and are thus subject to malware attacks as well.