December 26, 2011

Malware architectures – part 3 (Infection)

In part one of this series we explained the different stages of the malware life-cycle. This post covers the second stage, infection, in depth.

By the time infection begins, the malware code has been transferred to the target system and has most likely started executing. Now it needs to establish itself and survive long enough to deploy its payload.

Infection begins with getting the code into executable memory, either by injecting it into a process that is already running or by spawning a new process. This sometimes happens as part of exploitation itself; otherwise the malware has to be launched by a user of the system who is tricked into running it, through social engineering or through outright deception, as with many browser-based attacks and so-called drive-by downloads (e.g. a pop-up window saying you are infected, with a button to "start a scan").
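As an added example, not code from the original post, here is the in-process version of that first step on Linux: a body of code is copied into an anonymous mapping, the mapping is flipped from writable to executable, and the code is called. The body here is a hand-assembled "return a + b" stub (x86-64 and arm64 encodings are provided) standing in for a real payload, so the program is self-contained; injecting into a foreign process works the same way, with the memory allocated and written in the victim via ptrace (Linux) or VirtualAllocEx/WriteProcessMemory (Windows) instead of mmap in the current process. The mprotect() call that makes the page executable is the moment W^X policies and AV/EDR memory hooks watch for, which is why in-memory loaders go to such lengths to avoid or disguise it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hand-assembled stub for "int f(int a, int b) { return a + b; }".
 * It stands in for the malware body so the example is self-contained. */
#if defined(__x86_64__)
static const unsigned char stub[] = { 0x8d, 0x04, 0x37, 0xc3 };       /* lea eax,[rdi+rsi]; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x00, 0x00, 0x01, 0x0b,          /* add w0, w0, w1 */
                                      0xc0, 0x03, 0x5f, 0xd6 };        /* ret            */
#else
#error "stub bytes are provided for x86_64 and aarch64 only"
#endif

typedef int (*add_fn)(int, int);

/* Copy `len` bytes of code into a fresh anonymous mapping and return it
 * executable, or NULL on failure; *size_out receives the mapping size for
 * munmap(). The mapping starts read+write and is flipped to read+execute
 * once the copy is done: on a W^X-enforcing system that mprotect() call is
 * the transition AV/EDR hooks and SELinux execmem policy look for. */
static void *stage_code(const unsigned char *code, size_t len, size_t *size_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = (len + page - 1) / page * page;      /* round up to pages */
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return NULL;
    }
#if defined(__aarch64__)
    /* arm64 has a separate instruction cache; make the new code visible */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    *size_out = size;
    return mem;
}

/* Stage the stub and call it with (a, b). Returns the stub's result, or -1
 * (after reporting the error) if the code could not be staged. */
int staged_add(int a, int b)
{
    size_t size;
    void *mem = stage_code(stub, sizeof stub, &size);
    if (mem == NULL) {
        perror("stage_code");
        return -1;
    }
    add_fn fn = (add_fn)mem;       /* treat the mapping as a function */
    int result = fn(a, b);
    munmap(mem, size);
    return result;
}

int main(void)
{
    printf("staged stub returned %d\n", staged_add(2, 3));
    return 0;
}
```

Build with `gcc -O2 -o stage stage.c` and run it; on a system that forbids anonymous executable mappings (SELinux `execmem` denied, or a hardened kernel) the mprotect() call fails and the program reports it instead of running the stub.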

This is the stage where most AV products either catch the malware or are subverted and lose sight of its activities. How well the AV does depends mostly on the design of the infection code. The most advanced infection code will fly under the radar by masking its malicious intent (to bypass behavioural analysis), mutate to evade signature detection, embed itself in areas that are not scanned, or manipulate the underlying infrastructure the AV relies on in order to hide its presence. These tricks are part of the ongoing arms race between malware authors and AV vendors and will keep evolving.
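To make the signature-evasion point concrete, here is an added example (not from the original post) built on a constructed sample: a fixed byte string stands in for a known malicious body, a substring of it is the "signature" an engine might carry, and a toy mutation engine XOR-encodes the body under a fresh key behind a one-byte decoder header. A plain byte-pattern scan misses every mutated copy, while a scan that first undoes the encoding, a simplified stand-in for an AV emulator letting the sample unpack itself, catches all of them. The engine also refuses the identity key, the degenerate case that would hand a "polymorphic" sample straight to the static scanner.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: a stand-in for a known malicious body, and the
 * byte signature an AV engine might carry for it. */
static const uint8_t body[]      = "PAYLOAD:connect-c2;persist;exfil";
static const uint8_t signature[] = "persist;exfil";
#define BODY_LEN (sizeof body - 1)       /* drop the string terminator */
#define SIG_LEN  (sizeof signature - 1)

/* Plain byte-pattern scan: 1 if `sig` occurs anywhere in `buf`, else 0. */
int signature_scan(const uint8_t *buf, size_t len,
                   const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || len < sig_len)
        return 0;
    for (size_t i = 0; i + sig_len <= len; i++)
        if (memcmp(buf + i, sig, sig_len) == 0)
            return 1;
    return 0;
}

/* Toy mutation engine: output is [key][body XOR key]. Every generation
 * uses a fresh key, so no two copies share a byte pattern beyond the
 * one-byte header. A key of 0 is refused because it would emit the body
 * unchanged, which is the mistake that gets a "polymorphic" sample caught
 * by a plain signature. Returns bytes written, or 0 on error. */
size_t mutate(const uint8_t *in, size_t len, uint8_t key,
              uint8_t *out, size_t out_cap)
{
    if (key == 0 || out_cap < len + 1)
        return 0;
    out[0] = key;
    for (size_t i = 0; i < len; i++)
        out[i + 1] = in[i] ^ key;
    return len + 1;
}

/* Emulation-style scan: run the sample's own decoder (read the key byte,
 * XOR the rest) into scratch memory, then signature-scan the result. This
 * is a toy version of what an AV emulator does when it lets a packed
 * sample unpack itself before looking at it. */
int emulated_scan(const uint8_t *sample, size_t len,
                  const uint8_t *sig, size_t sig_len)
{
    uint8_t scratch[256];
    if (len < 2 || len - 1 > sizeof scratch)
        return 0;
    uint8_t key = sample[0];
    for (size_t i = 1; i < len; i++)
        scratch[i - 1] = sample[i] ^ key;
    return signature_scan(scratch, len - 1, sig, sig_len);
}

/* Mutate the constructed body under `key` and scan it both ways.
 * Returns -1 if the key was refused, otherwise a bit mask:
 * bit 1 = plain signature scan fired, bit 0 = emulated scan fired. */
int scan_mutant(uint8_t key)
{
    uint8_t mutant[BODY_LEN + 1];
    size_t n = mutate(body, BODY_LEN, key, mutant, sizeof mutant);
    if (n == 0)
        return -1;
    int flags = 0;
    if (signature_scan(mutant, n, signature, SIG_LEN)) flags |= 2;
    if (emulated_scan(mutant, n, signature, SIG_LEN))  flags |= 1;
    return flags;
}

int main(void)
{
    printf("original body: static scan = %d\n",
           signature_scan(body, BODY_LEN, signature, SIG_LEN));
    for (uint8_t key = 0x5a; key != 0x5d; key++)
        printf("mutant key 0x%02x: flags = %d\n", key, scan_mutant(key));
    return 0;
}
```

The same split is what drives real engines toward emulation and behavioural monitoring: a signature written for the body never matches a copy whose bytes change every generation, so the scanner has to either look at what the sample does or let it decode itself first.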

Assuming the code has executed without being caught by any AV software, it moves on to the next stage of its life-cycle: taking control of the system.