Malware: War without end

We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.


"They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it," Rains says. "Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able to trust the operating system for XP."

"People should not be running XP," agrees Schouwenberg. "When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable."

Android, meanwhile, is going like gangbusters on smartphones -- outselling Apple's iOS phones in the third quarter of this year, according to Gartner -- making it a huge target for crackers.

Experts see many parallels between Android's development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.

"It is not like the case with Apple, which can push security updates to every iPhone in the world in one day," says Schouwenberg. "With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop."

"Android is in a position that Windows was in a few years ago; there is not enough protection," adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.

Is there hope?

Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction-type events in the short history of the malware biosphere.

Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove into extinction malware based on Office 1995 macros by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 set the Windows firewall on by default, wiping out another generation of malware.

"But there is no extinction-level-event in sight to wipe out the current Trojans," Thompson says.

Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as "social engineering."

"The success rate for social engineering is phenomenal," says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.

People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.

And then there's software that tells the user to disable the system's malware protection "to ensure compatibility." "I don't think there is any legitimate software that needs you to disable security protection for compatibility reasons," says Schouwenberg. "But some software does ask you to disable it during installation, creating a precedent, so they think it's all right when they get email from a website telling them to turn it off."

Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext -- and they'll probably be allowed in, says Strand.

Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords -- and those sites were later compromised, Strand adds.

Holding on

"The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords," Rains says. "These techniques can block the major attacks used today and probably for years to come."

"The best practices I was telling people about 10 years ago I still have to tell people about today," Haley adds. "Have good security software, update the system and use good common sense. Don't link to email that doesn't seem right."

Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. "We have learned to wash our hands and keep the cesspool a certain distance from the drinking water," he notes. "We still have the common cold, and we still have occasional epidemics -- but if we react quickly we can limit the number who are killed."

This article, "Malware: War Without End," was originally published on Computerworld.com.

Lamont Wood is a freelance writer in San Antonio.

Copyright © 2013 IDG Communications, Inc.
