With another year behind us, it's time to take a brief look back at where we've been and take a good, hard look at where we're headed. The 2004 festival of malware included a major increase in the number of specimens we had to fight. The bad guys forced many to revise some long-held assumptions about malicious code and how to defend against it. Let's look at five major assumptions that were rendered simply untrue myths from a bygone era and, more importantly, how to batten down the hatches for the coming year.
Myth number 1: Your browser cannot be infected by surfing the Web, as long as you only surf to sites that you trust.
Reality: An attacker can break into some Web sites that you trust, place malicious code on those sites and take over your system by exploiting holes in your browser.
We saw this sad fact illustrated in two major attacks: the June 2004 Download.Ject/Berbew attack and the November 2004 IFRAME/Bofra attack. In each case, bad guys altered various trusted e-commerce sites and advertising servers and planted malicious code on them. When anyone surfed to these compromised sites using Internet Explorer, the attacker's code on the Web site exploited the visitor's browser, installing a backdoor or worm on the victim's machine. Ouch! To defend against such attacks, make sure you keep your browsers patched in a diligent fashion. Whether you use IE or an alternative browser, stay alert for notices of new holes, and make sure you patch quickly when fixes are released.
Myth number 2: Keep your browser patched, and you'll be safe.
Reality: Sometimes, vendors release browser patches only after a major hole is exploited, and you are left unprotected for weeks waiting for that patch.
Again, we saw this very concern rear its ugly head in the Download.Ject/Berbew and IFRAME/Bofra attacks. In each circumstance, Microsoft took more than two weeks to release fixes for IE, giving attackers a wide-open window of time to spread nastiness. To defend against such attacks, you may want to consider using a browser other than the attackers' favorite punching bag, Internet Explorer. If you can easily migrate to Firefox or Opera, you might want to give these alternative browsers a spin. Remember, ditching IE might not be trivial, but it's at least worth considering.
Myth number 3: Your antivirus tool protects you from all kinds of malicious code.
Reality: Current antivirus tools are good at thwarting worms and viruses, but they barely scratch the surface in protecting us against the rising threat of spyware.
I tested major antivirus products for Information Security magazine to see if they detected fifteen top spyware threats, and I found very disappointing results. Sadly, in 2004 and now in early 2005, you simply cannot rely on your antivirus vendor to defend you from attackers who want to peer in on your surfing habits or dish out extra advertisements to you. To defend against the spyware threat, you need to deploy antispyware software, such as Lavasoft's Ad-aware or Spybot Search and Destroy.
Myth number 4: Update your antivirus signatures once a month, and you'll be safe.
Reality: While that monthly update advice might have been OK three years ago, in today's worm-and-bot-a-day world, you should configure your antivirus tool to update at least daily.
Each day, at least one new specimen of malicious code is released. If you are running on last weeks' signatures, your system could be hosed by yesterday's malware -- to say nothing of the stuff released this morning. We've entered a vicious cycle, and the future is a major concern as things accelerate even more. At this stage of the game, to defend yourself, configure daily updates of your antivirus tools.
Myth number 5: Most malicious code is written by awkward teenagers looking to have fun and make a name for themselves in the computer underground.
Reality: This year has seen a huge rise in the use of malicious code by an increasingly sophisticated criminal underground to foster moneymaking scams.
Attackers have figured out how to make money with malicious code by channeling their efforts into controlling victim machines to launch spam, phishing attacks, identity theft schemes, distributed denial-of-service extortion threats and a variety of other money-making activities. As anyone in law enforcement will tell you, if the bad guys figure out a way to make a certain kind of crime pay, we'll start to see much more of that kind of crime. In the malicious code arena, 2004 has proven this maxim very true, as exemplified by the dueling Bagle and Netsky worms. The creators of these worms fought a turf war this year for control of victims' machines to use as a platform for launching spam and phishing attacks. And, we're going to see a lot more of this activity in 2005. To defend against this threat, employ the malicious code defenses we've discussed in these tips all year long with even more seriousness, thoroughness and vigor than ever before. It's getting rough out there, and we must strive to stay ahead of the malware-wielding bad guys.
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).