Malicious Software Defense:
Recently there have been some major shifts in the use of malware. Prior to 2006, most viruses and worms could be classified as things that the author or developer wanted everyone to know about. The recognition for writing the "fastest spreading worm", the "most damaging virus", and so on was one of the major reasons this software was written. This movement has almost completely shifted from bravado-driven, alpha-male behavior to financially motivated activity. Most of these tactics are now used in combination with other attack types to commit fraud and identity theft.
Malware has been a key ingredient for those who wish to commit crime ever since the major security shift brought about by Microsoft Windows XP Service Pack 2. Most people remember this time in late 2004, when many of their applications stopped working and malicious software defense was still lacking. What had happened was that Windows XP SP2 shipped with a built-in firewall, enabled by default, that blocked inbound connections. Prior to this time, connections to a remote system were relatively easy to make, and a hacker, virus or worm would simply attempt to compromise a system through a direct connection. With a host-based firewall now installed for malicious software defense, attackers had to find alternative methods of reaching those highly coveted systems.
The malware that came out subsequent to XP SP2 was designed to make outbound connections back to the attacker rather than to accept inbound connections. Everything from viruses and worms to malicious web sites and Trojan horse programs was used to compromise systems. This updated malware was often designed to give the attacker full remote control of the system, and because the infected system creates the outbound connection back to the attacker, most traditional network-based security systems can be evaded. These infected systems are referred to as zombies: systems that are under the control of another. Zombie systems are often collected into a botnet army to be used in a variety of attacks.
Worse yet, in the "old days" (a few years ago), you knew right when your system was infected. Your processor would be pegged at 100%, the hard drive light would be going crazy, and you would have difficulty opening programs and doing any work. Now, malware is often written in such a way that it is very difficult to detect. Often, special software or network analysis tools have to be employed to see the malicious activity coming from an infected system.
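The outbound "phone home" traffic described above is one of the few things an infected host cannot hide from a network analysis tool: a remotely controlled system tends to check in with its controller on a timer, while human-driven traffic is irregular. The following added example (not from the original article) illustrates that kind of analysis over a constructed sample of outbound-connection log lines in an assumed format; the hosts, addresses and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (assumed format, not from a real
# firewall). 10.0.0.7 reaches 203.0.113.9 about once a minute, the steady
# "phone home" of a remotely controlled host; 10.0.0.12 is irregular browsing.
SAMPLE_LOG = """\
2024-05-01T12:00:00 ALLOW OUT 10.0.0.7 -> 203.0.113.9:443
2024-05-01T12:00:03 ALLOW OUT 10.0.0.12 -> 198.51.100.4:443
2024-05-01T12:00:05 ALLOW OUT 10.0.0.12 -> 198.51.100.4:443
2024-05-01T12:00:40 ALLOW OUT 10.0.0.12 -> 198.51.100.4:80
2024-05-01T12:01:01 ALLOW OUT 10.0.0.7 -> 203.0.113.9:443
2024-05-01T12:01:59 ALLOW OUT 10.0.0.7 -> 203.0.113.9:443
2024-05-01T12:02:10 ALLOW OUT 10.0.0.12 -> 198.51.100.4:443
2024-05-01T12:03:00 ALLOW OUT 10.0.0.7 -> 203.0.113.9:443
2024-05-01T12:04:02 ALLOW OUT 10.0.0.7 -> 203.0.113.9:443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ALLOW OUT (?P<src>[\d.]+) -> (?P<dst>[\d.]+):\d+$")


def parse_log(text):
    """Group connection times (epoch seconds) by (source, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore malformed or unrelated lines
            ts = datetime.fromisoformat(m.group("ts")).timestamp()
            flows[(m.group("src"), m.group("dst"))].append(ts)
    return flows


def detect_beacons(text, min_count=4, max_cv=0.2):
    """Return {(src, dst): (count, mean_gap)} for pairs whose outbound
    connections recur at near-constant intervals: the coefficient of
    variation (stdev / mean) of the gaps is small for timer-driven
    check-ins and large for human browsing."""
    beacons = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = (len(times), avg)
    return beacons
```

Calling `detect_beacons(SAMPLE_LOG)` flags only the 10.0.0.7 to 203.0.113.9 pair (five connections, roughly every 60 seconds); real malware may add jitter to its timer, so the thresholds are a starting point for investigation, not proof of infection.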
Traditionally, a malware infection came from opening a malicious email that contained a virus or Trojan horse. Later there were more self-propagating worms. Today, malware can infect systems from any number of sources, including the Internet, partner connections, virtual private networks for remote users and site-to-site connections, USB drives and other removable media, malicious web sites and more.
Risk Reduction Strategies
As all security professionals will tell you, there is no silver bullet for the threat of malware. There are, however, some very good security best practices for malicious software defense that can drastically reduce your organization's overall exposure to malware. A good layered security practice would include many of these:
System Anti-Virus & Anti-Spyware - host-based software designed to detect and stop malicious code from infecting the system.
Web content filtering (aka URL content filtering) - disallow your employees from accessing malicious web sites.
Patch management - often, a known bug is exploited to infect the system. Patching systems for known vulnerabilities reduces the number of exploits that will succeed against any given system.
IDS/IPS - both network-based and host-based intrusion detection systems (NIDS/HIDS) can detect some malicious code attacks. Employing this technology with a prevention component can stop these identified attacks in their tracks.
Firewall - a solid stateful inspection firewall with strong rules and policies.
Gateway Anti-Virus - a network-based anti-virus system that detects viruses before they enter the network. These systems can often detect viruses coming from web-based email systems.
Spam filtering - block email messages that may contain malicious content, or links that lead to malicious web sites. This should take into account email messages designed for phishing attacks.
Policies & Procedures - Any good security practice should include enforceable policies and procedures that are well defined and available to all personnel.