Let me start by saying that professional malware, spyware, and adware hunters have many advantages that ordinary home or office users do not. This could be a polite way of saying “Don’t try this at home.” Or it could just help you to understand how they can figure out how to reverse the effects of the many details involved when malicious software takes up residence on a PC.
Here are some things that such professionals have available to them when they start their analyses to detect and document what malware does, and build tools to reverse its effects and remove its presence.
- Laboratories, full of test machines
When somebody’s desktop or server catches something, it’s scary (and potentially traumatic) because these computers have specific uses, contain important data, and provide essential services. A test machine’s intended use is to expose it to malicious software, just to see what happens!
- Special software designed to compare before and after information
TripWire is probably one of the best known tools in this category. The program is run right after a machine is set up and configured to create a snapshot of the machine’s files and other data like a “before” snapshot. It is used again right after the infection is introduced on the machine for an “after” shot.
Of course, the professionals have other advantages too, that can’t be overlooked. For one thing, they’ve got a pretty good idea they’re dealing with something nasty. This gives them an advantage over most other users, including those who catch things from malware, spyware, and adware as its being discovered and documented, because this usually comes as an unpleasant surprise. For another thing, such professionals have investigated the effects of malware before so they already have some ideas about what kinds of changes are likely to occur.
Finally, the professionals don’t care what happens to the test machines. They can calmly watch them being destroyed, since they can create new, ready to run installation on those machines in a relatively short time.
|