Malware Is Getting Formidable, but So Are Your Defenses

As bad as malware is getting, there's plenty you can do to effect excellent, if imperfect, protection. The best defenses are tough policies and rapid action by IT, not some magic product you can buy (although there are some good products out there).

It's always hard to tell just how big a threat malware is to those who are well-protected. I've thought for years now that if you take a number of well-known precautions and have common sense about some of the social engineering then you can feel pretty safe.

This is as true as ever. Unfortunately, especially for enterprises, the two most important things you can do to protect yourself are hard to do. First, you need to run users with least-privileged access, i.e., not as administrator or at any other level that lets them install privileged software. Second, you need to be aggressive about applying critical updates to the operating system and important applications, and generally run newer versions (Acrobat 9 vs. 8, Vista vs. XP, etc.). Both of these are expensive for companies, because they take up a lot of IT and support time to do well. But consider what you're up against.

You can think of Conficker as being the state of the art in conventional malware. It not only uses an important vulnerability, but it's a sophisticated blended attack, using a wide variety of mechanisms to spread: pseudo-random domains, dictionary attacks on weakly-protected network shares, USB drives and more. You can admire the work that went into developing Conficker once you get past the amorality and greed that inspired it.

But there's nothing that it does that you can't protect against with best practices. Almost everyone who was hit by it was running a version of Windows XP that hadn't been patched in many months. And even if you ran no anti-virus at all, least-privilege, updated software versions and a few other little things such as a good firewall would block most of the ill effects of Conficker and most other malware and prevent them from becoming permanent on the system.

Looking ahead, new malware techniques could make infections all the more difficult to detect. Rootkit maven Joanna Rutkowska and her team recently came up with their third attack on Intel System Management Mode in the last 10 months. Such attacks could compromise deep system protections such as kernel patch protection, compromise hypervisors, and even run rootkits outside of normal address space.

It's truly horrible stuff, but someone does have to run their attack program on your machine to do it. The paper on the attack says:

"...exploitation can even be achieved from the user mode (escalation from Ring 3 to SMM), assuming the OS allows for I/O operations and MTRR manipulation from user mode. E.g. most Linux systems allow its root user to do the above, while Windows systems do not."

It sounds like they haven't tested through all the implications yet. But my takeaway from this paper is still that you can protect yourself as long as you don't allow users to run unauthorized code.

And new ways to protect yourself are coming along all the time. Suddenly, and almost for free, we're getting some malware protection through browsers, which have all been adding reputation checks not only for phishing but for domains and addresses known to push malware. Internet Explorer 8 is a great example. A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially engineered malware." The results of the tests:

[Table: Malware Catch Rate for IE8 (RC1), Firefox 3.07, Safari v3, Chrome 1.0.154 and Opera 9.84; the percentages were not preserved in this copy.]

IE8 clearly wins these tests, but 69 percent is not really a great number. Does that mean it's worthless? No, because that 69 percent is combined with the effectiveness of all the other measures you should be using, including anti-virus in some form, probably Web filtering of some kind, firewalls and the like. But products like these are not as important as good policies such as least-privileged access and rapid security updates.

Still, there's nothing quite as good as common sense in blocking these threats. I know a bunch of people who run with no anti-malware at all because any threat they encounter will have to go past them first and they figure they know better. I don't do this often because I don't trust myself so much, but I don't ever get anything blocked by my anti-virus either, so perhaps it is possible to avoid malware purely by intending to avoid it. This strategy doesn't work for the average user. They must be saved from their inclination to "install the codec" or add all those cool emoticons to the system.

None of these protections, certainly including common sense and experience, are "the answer." As Joanna Rutkowska put it in a later blog post, we're all pretty much unprotected today. There are attacks out there, in proof of concept at least, that can defeat any protections available on any system. But these aren't the main concern, because attackers do just fine writing the easy, conventional stuff. Even fairly famous attacks get past many anti-virus systems, and a well-designed custom attack can get past even the best.

Rutkowska might scoff at the notion, but I think you can get yourself a pretty substantial level of protection by being scrupulous about a number of these important measures, with the most important one probably being least-privileged access.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.