Securing computer systems from attack by malware, i.e., harmful programs such as viruses, trojans, worms, rootkits, and the like, is an evolving challenge as perpetrators of malware constantly develop new technologies. Of particular concern are pieces of malware known as bootkits, which change the computer system boot process. These are among the hardest-to-detect malware for contemporary computer systems. Infiltration in the boot process allows a piece of harmful code to bypass the existing protection features, hide itself and complicate the computer's ability to detect and remove the harmful process.
The computer boot process has a number of steps, which include testing and initialization of hardware, operating system boot and automatic loading of user applications. The earlier in the boot sequence that a harmful can take control, the harder it is to counter the threat. One goal of an anti-malware program is to take control of the boot sequence before it is taken over by a piece of harmful code, which will allow the anti-virus program to monitor and detect abnormalities and suspicious data.
Today, anti-rootkit technologies are known and used for this purpose, examples of which are described in U.S. Patent Applications, Pub. No. 2006/480774 and 2007/873583. These approaches are designed as operating system drivers which modify the operating system boot process, track further boot process activities and, if necessary, block and delete harmful boot programs. These technologies are effective only for threats aiming to infiltrate the operating system and do not allow detection of bootkits loaded before the operating system. Bootkits modify the boot process at the earliest stage by changing the boot record. When combined with rootkit technologies, such programs become unreachable for conventional protection features installed on a computer system.
One approach for combating this type of malware uses external boot technologies, examples of which are disclosed in Publications No. EP1995936668 and WO2007069245. When booting from external devices, the computer's malware is not loaded and can be detected during conventional anti-virus scanning of the file system, hard drive, etc. Drawbacks of this type of approach include the need for specialized external disks or devices, and the need for users to take specific, targeted actions to carry out the evaluation of boot process malware by employing the external boot technology.
At least for the above reasons, a solution is needed that provides practical and automated detection of bootkit-deployed malware.