The vast majority of this stuff are using browser plugins for the initial
exploit, so making sure Java, Flash, Acrobat, and Quicktime are updated or
removed if not needed should be a top priority to curbing this stuff. OS
patching is still important, but when it comes to virus installations 3rd
party components are almost always the culprit.
There's two primary reasons why this kind of thing gets missed by AV
software. The first is that malware packagers are being constantly created
and sold to new customers with new packaging algorithms each time and it can
take a day or two before new variants have signatures made to detect them.
The other problem is that these user profile viruses don't do anything
damaging in a traditional sense, instead relying on social engineering to
get credit card #'s, so heuristic detection doesn't pick it up. If it did,
odds are it would be detecting everything that has a system tray icon and
can throw a pop-up and that would make for some terrible AV software.
Restricting admin rights is a good first step and will almost always keep
the virus contained to a user profile, making it simple to clean up. Admin
rights in XP are dangerous as you're probably aware, and training people to
use a restricted user and the Run As... option to elevate to a different
admin account when needed is good practice. UAC is a nicer way to manage
that, but has an increased risk of accidentally elevating something that
shouldn't be.
Setting DEP to Opt-out mode http://support.microsoft.com/kb/875352 is
another good preventative step that kills off some exploits as they execute.
It isn't fool-proof, but we saw our infection rate drop by a good 30% when
it was enabled on our workstations. You need to do some rather extensive
testing before you do it because some programs are compiled poorly and will
conflict, but you can set up process exclusions if need be.
UAC brings in the concept for Integrity Levels in to applications that
support it (IE being one of them). This marks an integrity level to a
process and prevents file system writes to higher integrity level areas. In
IE's case, it is a low-integrity process and restricts writes to outside
temporary internet files. Plugin vendors need to write their software to
take advantage of this, but its another one of those little reasons to get
off XP at this point.
Then there is SEHOP http://support.microsoft.com/kb/956607 on Vista/Win7
which walks through the heap allocation of processes looking for breaks,
which typically indicates an injection attack, and kills off the process
when found. This one doesn't have nearly the compatibility issues of DEP but
are possible, so test it out and apply it if you're off XP.
Most of these exploits use a free DNS registrar (*.[somedomain].cz) that you
can typically see in the AV logs for HTTP access. Since we run our own DNS
server between ourselves and MSU, I've started adding in blank zones for
these problematic domains so lookups simply fail. Sunbelt offers a service
called Clear Cloud http://www.clearclouddns.com/ that is a filtered DNS
service that blocks known bad domains. I'm testing it at home and have been
satisfied enough that I'll extend the test to our mobile users and
potentially use it as the primary upstream provider for our DNS server.
Proactive prevention will most likely prove to be the most effective to this
kind of issue.
|
