2009 is ancient history when it comes to where malware is today. Windows 7
was only released in July '09 and Vista adoption was low; the vast majority
of systems deployed were XP executing everything with local admin rights.
The low-hanging fruit was everywhere, every conceivable buffer overflow gave
you immediate root access to the system.
It's not like that any more.
The Windows out of box config doesn't let you arbitrarily execute everything
with admin rights, it defaults to a restricted user and elevates through
secure user interaction. Folder integrity levels were introduced to help
prevent some classes of browser exploits from breaking out of their temp
cache directories.
Malware writers know this, and they intentionally avoid needing admin rights
and triggering unexpected UAC dialogs because it can tip people off that
something is on their system. If you're building a botnet, the last thing
you want is for it to be so noticeable that the computer gets hauled in for
repairs, removing the infection. The browsers got locked down so they looked
for the next best thing: Browser plugins that don't bother honoring any of
the security improvements that Microsoft is building in to their own
products. First it was Flash, then Acrobat, and now we're on Java. These
exploits consistently do not need or request admin rights to deliver their
payload; you can harvest personal information, install a keylogger, attach
to a botnet, steal email, or run a local sniffing proxy that routes browser
traffic through it all on a restricted user account without any problem.
Don't get me wrong, you shouldn't be giving your users admin rights. Take it
away and there will be a dramatic drop in system problems from viruses along
with all the other issues that comes along with it. But it's not going to
stop 90% of infection attempts from succeeding, not in 2013. Further
sandboxing or block lists can help as well, but those can incur a large
management overhead and valid domains are often the ones inadvertently
hosting malware attacks these days. Anything short of an approved process
list derived from hashes is going to be ultimately ineffective to some
degree (again, management nightmare and can be bypassed by registering a dll
in to an existing process), and you're going to be blind to whatever has
bypassed the perimeter protections that are in place.
That's where anti-virus software fits in to this. It may be 50/50 on
stopping a new threat through heuristics, but over the following day or two
samples are submitted, definitions are updated, and the files executing on
your system are rescanned and either cleaned up on the spot or generate an
alert so they can be manually addressed. If that isn't in place, you're blind.
On Thu, 7 Feb 2013 18:29:13 +0000, Hoort, Brian <[log in to unmask]> wrote:
After years of cleaning systems and asking about operator behavior just
prior to the infection, and at times reading reports of the top 10 AV's
averaging between 48-52% effective at blocking *emerging* threats, I've
increasingly been convinced operator behavior is far more effective (yet
elusive) than AV protection. Multiple times to test this theory I've removed
my AV for months (6-9?) and instead run several of the multiple layers of
protection you suggest; usually an ad blocker or MVPS hosts file (which
could be done at the network level), NoScript or Sandboxie. Web of Trust is
also helpful. Of three times doing this test over the last five years, I
have yet to get an infection, while those I support continue to become
infected at regular frequency while running up-to-date AV.
Pair this information with the BeyondTrust 2009 Microsoft Vulnerability
Analysis, which strongly advocates removing admin rights (with a better
success rate than AV software against emerging threats, I should point out)
and I think we've got an interesting case for either replacing AV (radical!)
or at least supplementing it and no longer considering AV our only defense
at the desktop level.
I highly recommend reading BeyondTrust 2009 Microsoft Vulnerability
Analysis, if you haven't already :
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CD0QFjAA&url=https%3A%2F%2Fwww.techdata.com%2F(S(5qsgeo45hwjh1on5noga4r45))%2Fbeyondtrust%2Ffiles%2Fwp039_BeyondTrust_2009_Microsoft_Vulnerability_Analysis.pdf&ei=j7kTUempHsfd2QX6kICYBw&usg=AFQjCNFtFkBKWy9fSHud-zZVW30RBgd8vA&sig2=1h3_vug2kvPFnYBPX6yccg&bvm=bv.42080656,d.b2I
Brian Hoort
College of Agriculture and Natural Resources
Technology Services Helpdesk
Michigan State University
Helpline: (517) 355-3776
http://support.anr.msu.edu
|
