Be Thankful: You Can Be Safe

Things have changed. Nobody should ever be complacent, but a responsible user can be confident that defensive software and good habits will protect them. More interestingly, attacks just aren't what they used to be.

A report by Alexander Gostev, senior virus analyst at Kaspersky Lab, indicates that innovation in malware development is stagnant. There have been no major developments in some time. In fact, there have been no major attacks since the release of Zotob in August 2005.

Zotob, incidentally, targeted mainly Windows 2000 systems and XP SP1 to a lesser degree. What Microsoft has been saying about XP SP2 is true: Users are much safer running XP SP2 than earlier versions of Windows. Their own data from their Malicious Software Removal Tool (Word .doc file) shows as much, and in fact probably understates the matter.

There have been a number of small attacks. Some of them, like the WMF vulnerability, enter the background of the malware scene and will be with us for a long time. Perhaps the most prominent security term of 2006 was "targeted attack." We had quite a few of them, mostly centered around zero-day vulnerabilities in Microsoft Office. See the Kaspersky report for more interesting details on these vulnerabilities.

The focus on vulnerabilities generally is another point in the report. As I said, there is no innovation anymore in malware—except where it involves the exploit of a vulnerability, especially a zero-day exploit. But even these are often less of a threat than they used to be. A few years ago vulnerabilities brought us attacks like Blaster and Sasser, where users could be infected over the Internet while they were asleep. Now the exploit usually involves substantial user action and can often be blocked by anti-virus software.

Now I'm going to re-ask a question I've been asking vendors for a while now without what I consider a full answer: How many truly new infections do we have these days as opposed to re-compromises of systems already infected with other malware? I think the latter is where the action has been for a long time now. My theory that a very large percentage of new infections are on already-infected systems has two main arguments in its favor:

• The systems are compromised, providing a hole through which new malware can attack
• The users are proven to be willing to click on things they shouldn't

When you look at the data from AV companies on what the most prevalent attacks are it's like a trip through the way-back machine. Look at Sophos' report on the Top 10 viruses reported to Sophos in October 2006, and bear in mind that Sophos doesn't have much of a consumer presence, just business:

1. W32/Netsky-P
2. W32/Mytob-AS
3. W32/Stratio-Zip
4. W32/Bagle-Zip
5. W32/Netsky-D
6. W32/Stratio-AY
7. W32/Mytob-C
8. W32/Zafi-B
9. W32/Nyxem-D
10. W32/Mytob-E

Next page: Stagnantware.

Netsky-P was discovered, according to Sophos, on March 22, 2004. It's a classic mass-mailer worm of the type that used to generate fear. It was at or near the top of all the anti-virus malware lists until just a few months ago; I suspect all the other anti-virus companies changed their ranking system somehow to dislodge old geezers like Netsky-P that are well past their prime.

The Kaspersky list, for example, has different attacks, but many of them are still just e-mail worms. Most of these are now downloaders, which means that the attached program just downloads and executes other programs.

This sort of attack only has a chance of success nowadays if you are doing things that no reasonable person should be doing, principally running software that hasn't been updated in years. For more than five years both Outlook and Outlook Express have, by default, blocked all executables. Combine that with what we know about the enhanced security of newer versions of Windows and it's easy to see the problem as one largely of old versions and headed for history some day.

The last ingredient is behavior: Even on new versions irresponsible users can do irresponsible things. If you go around porn sites and wrestling sites downloading and installing programs and ignoring warning messages you can still get your computer into trouble. This will always be the case, and Windows isn't alone in being vulnerable to bad behavior.

Even phishing is a problem that is being shown to be manageable by software innovation. The new version of both Internet Explorer and Firefox have phishing filters built in. They aren't top-notch yet, but they will get better over time, and other security products, such as Norton Confidential, are adding fraud protection to the PC security mix. Once these are widespread it will be much harder to make a decent living off of phishing.

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a 70,000-strong botnet powered by hijacked computers in more than 160 countries. Click here to read more.

Attackers are left now trying to get through zero-day holes and bizarre new attacks. A good example was discussed recently by John Heasman of Next Generation Security Software: It's possible to hide malware in the memory of PCI-based devices like graphics cards in such a way that they can survive a reboot. These attacks often share a lack of universality for their target. The PCI rootkit attack described in the paper may have to be written specifically to each type of card.

So as you're relaxing on Thanksgiving (instead of watching the night game, because it's on the NFL Network and your mother-in-law's cable system doesn't carry the damn channel!) think about how much better things are than in the past. In a few years computer crime and security attacks won't be gone, but things will be even better.

Do you get the NFL Network? Let me know how the game went in the Talkback section below.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.

More from Larry Seltzer