Vendors are finding increasingly effective ways to battle malware such as viruses, Trojans, and bots. Unfortunately, malicious programmers continue to concoct newer, nastier code, and companies need to update their security arsenal and defense plan accordingly.
Viruses, which normally modify legitimate host code to spread, are not very popular anymore. They're harder to write than worms and Trojans because the virus coder must take great pains to ensure the newly modified file doesn't crash.
With Microsoft Windows, Windows File Protection (first introduced as System File Protection in Windows Me) protects about 99 percent of the default installed system files against unauthorized modification. If a virus modifies a covered file, Windows replaces the modified copy with a known good copy a few seconds later.
Windows Vista's forthcoming Windows Resource Protection is an even better defender, protecting more files and preventing modifications in the first place. Because of these issues and a few others, most of today's malware programs create new files to do their mischief.
Removing viruses requires cleaning the virus from the infected files, which is often harder than detecting the virus. Just ask your anti-virus vendor.
Worms, bots, spyware, and Trojans, on the other hand, simply require identifying and removing the new malicious stand-alone files. I frequently use Sysinternals' Autoruns or SilentRunner.vbs to locate and identify unauthorized programs. For the past half decade, with viruses almost gone, removing malware has been a snap unless the computer has been infected with a root kit program.
But now a new series of companion worms -- referred to as Downloader.Agent.awf by some AV products -- is complicating the identification process. Also known as spawners or twins, these companion worms (and viruses) modify the infected computer's environment in such a way that when the system attempts to execute a legitimate file, the malicious file is run first.
After executing, the Downloader.Agent.awf malware program reads the infected computer's HKLM (or HKCU) \Run registry keys to identify the previously installed auto-running programs. Then the worm copies the original executable to a new location and replaces the original file with a copy of the worm renamed to the original file's name. When the computer processes the \Run registry keys, it runs the companion program instead, which then launches the original program so nothing appears broken.
This complicates the detection and removal process, because the worm appears as a previously known or commonly recognized installed executable. So, when looking for malicious code, you cannot simply trust file names and locations. You must verify each file's integrity hash against a known good copy or value.
With the reappearance of companion malware and the growing threat of root kit Trojans, forensic investigators need to inspect suspected infected computer disks with out-of-band methods (e.g., booting from external media) and verify the integrity of every installed program, not just the ones that look unfamiliar.
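The check the two preceding paragraphs call for, written out as an added example (this is not code from the article or from any AV vendor): take the executables launched by the \Run keys, compare each one's SHA-256 against a baseline recorded from a clean system, and, on a mismatch, search the volume for a file whose content matches the trusted hash. A companion worm leaves the relocated original behind, so finding the trusted content under a different name is the tell that distinguishes this pattern from an ordinary modified or replaced file. The Run entries are supplied as a plain mapping, which you would populate from the offline hive or from an autoruns export when the disk is mounted out of band; the baseline, the file contents and the directory layout here are all constructed stand-ins.

```python
"""Audit \\Run-key targets against a known-good hash baseline and look for
the displaced original that a companion (spawner) worm leaves behind."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def index_by_hash(root):
    """Hash every file under the mounted volume once, so a trusted binary that
    was copied elsewhere can be located by content rather than by name."""
    index = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            index.setdefault(sha256_of(p), []).append(str(p))
    return index


def audit_run_entries(run_entries, baseline, volume_root):
    """run_entries: Run-key value name -> executable path it launches
    (constructed here; normally exported from the offline hive).
    baseline: executable path -> SHA-256 recorded while the system was clean.
    Returns {entry name: (status, [paths where the trusted content now lives])}."""
    by_hash = index_by_hash(volume_root)
    results = {}
    for name, exe in run_entries.items():
        expected = baseline.get(exe)
        if expected is None:
            results[name] = ("NO_BASELINE", [])   # never trusted: investigate
        elif not os.path.isfile(exe):
            results[name] = ("MISSING", [])
        elif sha256_of(exe) == expected:
            results[name] = ("OK", [])
        else:
            # Hash mismatch. If the trusted content is still on the volume under
            # another name, the file in the Run key was swapped for a companion.
            displaced = [p for p in by_hash.get(expected, []) if Path(p) != Path(exe)]
            results[name] = ("COMPANION_SUSPECTED" if displaced else "MODIFIED", displaced)
    return results


def demo():
    """Build a throwaway volume of constructed inert files, record a baseline,
    swap one Run target the way the article describes, then audit it."""
    root = tempfile.mkdtemp(prefix="vol_")
    vendor = Path(root, "Program Files", "Vendor")
    vendor.mkdir(parents=True)
    updater = vendor / "updater.exe"
    agent = vendor / "agent.exe"
    updater.write_bytes(b"constructed inert stand-in for a legitimate updater\n")
    agent.write_bytes(b"constructed inert stand-in for a legitimate agent\n")
    run_entries = {"VendorUpdater": str(updater), "VendorAgent": str(agent)}
    baseline = {p: sha256_of(p) for p in run_entries.values()}  # taken while clean

    # Reproduce the companion layout with inert text: the original is copied
    # aside and a different file sits in its place under the original name.
    shutil.copy2(updater, vendor / "updater.bak")
    updater.write_bytes(b"constructed inert stand-in for the companion file\n")

    try:
        return audit_run_entries(run_entries, baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry, (status, displaced) in demo().items():
        extra = f" (trusted content found at {displaced})" if displaced else ""
        print(f"{entry}: {status}{extra}")
```

Because the whole volume is hashed once, the same index also answers the article's broader question: any file whose hash matches neither the baseline nor a vendor catalogue is a candidate for closer inspection, regardless of what it is named or where it sits.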
To be honest, any good computer security person really should have been taking the extra precautions all along. But when most of the malware hasn't been doing this, it's easy (and I'm guilty of this) to become lazy and take shortcuts.