 |
 |
The vast majority of this stuff are using browser plugins for the initial exploit, so making sure Java, Flash, Acrobat, and Quicktime are updated or removed if not needed should be a top priority to curbing this stuff. OS patching is still important, but when it comes to virus installations 3rd party components are almost always the culprit. There's two primary reasons why this kind of thing gets missed by AV software. The first is that malware packagers are being constantly created and sold to new customers with new packaging algorithms each time and it can take a day or two before new variants have signatures made to detect them. The other problem is that these user profile viruses don't do anything damaging in a traditional sense, instead relying on social engineering to get credit card #'s, so heuristic detection doesn't pick it up. If it did, odds are it would be detecting everything that has a system tray icon and can throw a pop-up and that would make for some terrible AV software. Restricting admin rights is a good first step and will almost always keep the virus contained to a user profile, making it simple to clean up. Admin rights in XP are dangerous as you're probably aware, and training people to use a restricted user and the Run As... option to elevate to a different admin account when needed is good practice. UAC is a nicer way to manage that, but has an increased risk of accidentally elevating something that shouldn't be. Setting DEP to Opt-out mode http://support.microsoft.com/kb/875352 is another good preventative step that kills off some exploits as they execute. It isn't fool-proof, but we saw our infection rate drop by a good 30% when it was enabled on our workstations. You need to do some rather extensive testing before you do it because some programs are compiled poorly and will conflict, but you can set up process exclusions if need be. UAC brings in the concept for Integrity Levels in to applications that support it (IE being one of them). This marks an integrity level to a process and prevents file system writes to higher integrity level areas. In IE's case, it is a low-integrity process and restricts writes to outside temporary internet files. Plugin vendors need to write their software to take advantage of this, but its another one of those little reasons to get off XP at this point. Then there is SEHOP http://support.microsoft.com/kb/956607 on Vista/Win7 which walks through the heap allocation of processes looking for breaks, which typically indicates an injection attack, and kills off the process when found. This one doesn't have nearly the compatibility issues of DEP but are possible, so test it out and apply it if you're off XP. Most of these exploits use a free DNS registrar (*.[somedomain].cz) that you can typically see in the AV logs for HTTP access. Since we run our own DNS server between ourselves and MSU, I've started adding in blank zones for these problematic domains so lookups simply fail. Sunbelt offers a service called Clear Cloud http://www.clearclouddns.com/ that is a filtered DNS service that blocks known bad domains. I'm testing it at home and have been satisfied enough that I'll extend the test to our mobile users and potentially use it as the primary upstream provider for our DNS server. Proactive prevention will most likely prove to be the most effective to this kind of issue.