The term “malware” is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Any computer device, such as a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, can be at risk from malware.
When a device is infected by malware the user will often notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems, taking inappropriate remedial action, when the actual cause is a malware infection of which they are unaware.
Detecting malware is challenging as the malware authors design their software to be difficult to detect, often employing technology that deliberately hides the presence of malware on a system, i.e. the malware application may not show up on the operating system tables that list currently running processes.
Computer devices make use of anti-virus software to detect and possibly remove malware. This anti-virus software can make use of various methods to detect malware including scanning, integrity checking and heuristic analysis. Of these methods, malware scanning involves the anti-virus software examining files for a virus fingerprint or “signature” that is characteristic of an individual malware program. Typically, this requires that the anti-virus software has a database containing the signatures. When the provider of the anti-virus software identifies a new malware threat, the threat is analysed and its signature is extracted. The malware is then “known” and its signature can be supplied as updates to the anti-virus software database.
In order to detect malware and generate signatures for distribution to client terminals, a “back-end” operation of a malware detection application provider will process large numbers of files and code samples, applying significantly more computational effort than is available at the client terminals. In some cases, this may involve a manual analysis of files and code samples at the back-end. Of course, a goal of the application providers is to automate the malware backend detection process as much as possible, whilst at the same time minimising the risk of false alarms.