As bad as malware is getting, there's plenty you can do to effect excellent, if imperfect, protection. The best protections are tough policies and rapid action by IT, not some magic product you can buy (although there are some good products out there).
It's always hard to tell just how big a threat malware is to those
who are well-protected. I've thought for years now that if you take a
number of well-known precautions and have common sense about some of
the social engineering then you can feel pretty safe.
This is as true as ever. Unfortunately, especially for enterprises,
the two most important things you can do to protect yourself are hard
to do. First you need to run users with least-privileged access, i.e.,
not as administrator or any other level that lets them install
privileged software. Second, you need to be aggressive about applying
critical updates to the operating system and important applications,
and generally running newer versions (Acrobat 9 vs. 8, Vista vs. XP,
etc.). Both of these are expensive for companies, because they take up
a lot of IT and support time to do well. But consider what you're up
You can think of Conficker as being the state of the art in
conventional malware. It not only exploits an important vulnerability but is also a sophisticated blended attack, using a wide variety of mechanisms
to spread: pseudo-random domains, dictionary attacks on
weakly-protected network shares, USB drives and more. You can admire
the work that went into developing Conficker once you get past the
amorality and greed that inspired it.
But there's nothing that it does that you can't protect against with
best practices. Almost everyone who was hit by it was running a version
of Windows XP that hadn't been patched in many months. And even if you
ran no anti-virus at all, least-privilege, updated software versions
and a few other little things such as a good firewall would block most
of the ill effects of Conficker and most other malware and prevent them
from becoming permanent on the system.
There is a future of new potential malware using new techniques that could make it all the more difficult to detect infections. Rootkit
maven Joanna Rutkowska and her team recently came up with their third
attack on Intel System Management Mode in the last 10 months.
The potential of such attacks includes the compromise of deep system protections
such as kernel patch protection, compromise of hypervisors, even
rootkits running outside of normal address space.
It's truly horrible stuff, but someone does have to run their attack program on your machine to do it. The paper on the attack
...exploitation can even be achieved from the user mode
(escalation from Ring 3 to SMM), assuming the OS allows for I/O
operations and MTRR manipulation from user mode. E.g. most Linux
systems allow its root user to do the above, while Windows systems do
It sounds like they haven't tested through all the
implications yet. But my takeaway from this paper is still that you can
protect yourself as long as you don't allow users to run unauthorized
And new ways to protect yourself are coming along all the time. Suddenly, and almost for free, we're getting some malware protection through browsers
which have all been adding reputation checks not only for phishing but
for domains and addresses known to push malware. Internet Explorer 8 is
a great example. A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially engineered malware."
The results of the tests:
(Table: Malware Catch Rate by browser)
IE8 clearly wins these tests, but 69 percent is not really a great
number. Does that mean it's worthless? No, because that 69 percent is
combined with the effectiveness of all the other measures you should be
using, including anti-virus in some form, probably Web filtering of
some kind, firewalls and the like. But products like these are not as
important as good policies such as least-privileged access and rapid
Still, there's nothing quite as good as common sense in blocking
these threats. I know a bunch of people who run with no anti-malware at
all because any threat they encounter will have to go past them first
and they figure they know better. I don't do this often because I don't
trust myself so much, but I don't ever get anything blocked by my
anti-virus either, so perhaps it is possible to avoid malware purely by
intending to avoid it. This strategy doesn't work for the average user.
They must be saved from their inclination to "install the codec" or add
all those cool emoticons to the system.
None of these protections, certainly including common sense and experience, are "the answer." As Joanna Rutkowska put it in a later blog,
we're all pretty much unprotected today. There are attacks out there,
in proof of concept at least, that can defeat any protections available
on any system. But these aren't the main concern, because attackers do
just fine writing the easy, conventional stuff. Even fairly famous attacks get past many anti-virus systems, and a well-designed custom attack can get past even the best.
Rutkowska might scoff at the notion, but I think you can get
yourself a pretty substantial level of protection by being scrupulous
about a number of these important measures, with the most important one
probably being least-privileged access.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.