What's In YOUR Computer? How to Track Down The Bad Stuff
Malware doesn't have to have obvious effects. Some of the worst of it hides quietly in your system, stealing resources and raising hob behind your back. You may not see any symptoms at all while there's all sorts of badness going on in your desktop computer.
A big part of the problem is that modern security is still mostly perimeter oriented. The security measures are designed to keep bad things from getting into your system, or somewhat less frequently, from getting out. Once the stuff is in, most security software pretty much ignores it. It takes a different set of tools and techniques to find and eliminate malware that's made itself at home in your system.
This hidden software is different from adware, spyware, and most viruses in that it's not designed to be visible to you or to your users. Indeed, software of this sort typically goes to great lengths to hide itself and not give an indication of its presence.
So what is this unauthorized junk that people are loading onto your computers? You'd be surprised, not to mention appalled, by some of the malware you'll find on a compromised system.
In hackerdom the principle is to store as little on your own computer as possible. Instead smart hackers try to compromise other computers and put stuff there. That includes everything from gigabytes of pornography, to stolen email messages, to the bulletin boards malicious hackers use to communicate with each other, to warez, to just about anything else their fertile little minds can come up with.
In addition to stealing your resources, this sort of bad guys' carnival can open you to legal liability, or at least put you to a great deal of trouble proving you didn't know the malware was there.
Some malware makes its presence known, especially if you're paying attention. Really obvious symptoms include mysterious pop-ups and multiple crashes. Less obvious, but more common, symptoms include a computer system being slow to load or running slower than normal. This can be hard to spot unless you've got some feel for how fast the system should run. It's a good idea to make a note of the average boot-up time and the run time of a popular application. If things start slowing down, you should suspect something is wrong.
One of the problems here is that a modern system has so much processing power and memory that it takes a good deal of malware to slow the system down noticeably. By the time the symptom shows up, you're often in real difficulty.
Of course the real troublemakers don't give any obvious sign of their presence. They continue doing their damage completely hidden from the average user – or from a casual glance by a system administrator.
A classic example is malware that uses Alternate Data Streams (ADS) to hide itself. ADS is a Windows (mis)feature for attaching one file invisibly to another. The attached file is hidden from most operating system tools, including dir, and all that is visible is the original, innocuous file. This makes ADS a spectacularly bad design feature because it generally takes a specialized tool to ferret out malicious ADS. And no, you can't disable ADS; it's also used by legitimate programs.
You can detect an ADS addition by looking at the date on the file: attaching a stream doesn't change the file size, but it does change the file's date. That isn't much help, though, when you have 50,000 files on the system and any of them could be infected.
One symptom that's a lot less useful than it used to be is chunks of disk space mysteriously disappearing without showing up as used in the directories. The reason this is less useful today is that hard disks have gotten so large and software does so much behind the scenes that it's hard to track even gigabytes of diverted space. Of course the reductio ad absurdum of this situation comes when the system runs out of disk space in spite of telling you that it's got a lot of space left.
The obvious, if painstaking, method of finding hidden bad stuff is to do a detailed scan of the computer, including what processes are running, the directories, the list of installed software, what's in the registry, and what's on disks and memory. An honest detailed scan is time consuming and usually requires several different tools, but it does find the malware and let you start eliminating it. (For CERT's detailed instructions on finding the bad stuff, see the Windows Intruder Detection Check List.)
However, the bad guys know this too and some of them go to great lengths to keep you from running an honest scan. They use tricks like infecting the operating system with malicious rootkits so their files don't show in the directory. They can do this by methods like getting inside the kernel and modifying the basic system commands, such as dir. It's an article of faith among hackers that “once you get dir to lie, it's all over.”
At the first level you can use utilities like unhide.exe to try to find hidden files. These utilities bypass the method the operating system uses to hide files, revealing them to inspection.
This works if the attack isn't too sophisticated. However, if the bad guys have gimmicked your operating system with a rootkit, it may be that nothing that uses the installed operating system will find the hidden malware. In this case, you need to reboot the system with a known clean copy of the OS and then start running scans. This is why some rootkit detection software (like BartPE) comes on a CD complete with its own executable version of the OS. Similarly, PCTools offers AOSS which can boot the system with an uncorrupted copy of the OS and allow you to run anti-malware scans from it.
The underlying problem here is that this isn't a static situation. In fact it's a Red Queen's Race between the bad guys and the writers of protection software. New versions of anti-virus and anti-spyware plug known holes, and the bad guys come up with even newer holes. This is why it's important to keep your software up to date and to be aware of the latest exploits.
Of course prevention is the best cure for hidden badness. While it's true that most security focuses on the perimeter, a growing number of programs can monitor what's going on inside your system and alert you to suspicious activity. Some of them automatically block the most common attacks.
To back this up you need baseline scans of your system before it is corrupted. If you don't have baselines to go on it's much harder to know if your system is compromised.
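One way to hold the baseline this recommends, and at the same time to flag the "date changed but contents didn't" pattern described above for ADS, is to record a timestamp and hash per file and diff two scans. This is an added example, not code from the original article; the directory it scans and the file names in demo() are constructed. It only reads the primary data stream, so a flagged file still has to be inspected with a stream-aware tool such as the ones mentioned above.

```python
# Added example (not from the original article): baseline a directory tree, rescan,
# and classify what changed. File names in demo() are constructed.
import hashlib
import os
import tempfile
from pathlib import Path

def take_baseline(root: Path) -> dict:
    """Map relative path -> (mtime_ns, sha256 of the primary data stream)."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            baseline[str(p.relative_to(root))] = (p.stat().st_mtime_ns, digest)
    return baseline

def compare(old: dict, new: dict) -> dict:
    """Classify differences. 'metadata_only' = identical bytes, new timestamp: what an
    attached alternate data stream looks like to dir (a plain 'touch' looks the same,
    so it is a lead to check with a stream-aware tool, not a verdict)."""
    report = {"added": [], "removed": [], "content_changed": [], "metadata_only": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            o_mtime, o_hash = old[rel]
            n_mtime, n_hash = new[rel]
            if o_hash != n_hash:
                report["content_changed"].append(rel)
            elif o_mtime != n_mtime:
                report["metadata_only"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: one file edited, one only re-timestamped, one added."""
    root = Path(tempfile.mkdtemp())
    (root / "readme.txt").write_bytes(b"innocuous file\n")
    (root / "notes.txt").write_bytes(b"some notes\n")
    before = take_baseline(root)
    (root / "readme.txt").write_bytes(b"innocuous file, edited\n")
    st = (root / "notes.txt").stat()
    os.utime(root / "notes.txt", ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
    (root / "dropped.bin").write_bytes(b"\x00" * 16)
    return compare(before, take_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline dictionary off the machine being monitored; a baseline kept on a compromised system is something a rootkit can edit too.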
Even with the best tools, detecting hidden malware is a tedious process, especially if it's sophisticated malware. However, you need to check your system regularly for problems and fix them when you find them. This requires not only good software; it also takes careful analysis and a detailed knowledge of your system and its history.