Malware vs. anti-malware, 20 years into the fray

From Robert Morris Jr. to mayhem, with tips for practical living

This happens to some extent because proprietary operating systems and programs rely in part on the mistaken idea of security by obscurity: If no one knows there's a hole, the logic goes, then no one can exploit it. That works, so long as no one knows the hole is there. But if someone does know about the hole -- as is always the case by the time a patch is finally issued for it, thanks to excellent communications among malware factions -- then there's no security at all. The bug carnivals in the news during much of 2006 and 2007, in which security researchers declared that they were going to reveal a bug in a particular piece of software or operating system every day for a certain amount of time, were based on that idea of shaming manufacturers out of the security-by-obscurity mind-set. According to that logic, if researchers can point to a different vulnerability every day for a week or a month, companies will be forced to address systemic problems in their security awareness.

Your first line of defense is, of course, to update your software as soon as humanly possible and to keep abreast of what's happening out there. If you're a network or system administrator, you need to keep an eye on zero-day tracking news sites like the Secunia Advisories by Product listings. If you see a product listed with a hole on such lists, you know that the program or operating system has a known security problem. Hopefully, the program's vendor, or a white hat hacker or researcher, will have a fix available before a baddie exploits the problem. In the meantime, these trackers will give you the information you need to keep an eye out for unexplained behavior from newly vulnerable software. That usually but not always means that the software vendor has to patch as soon as humanly possible, but on occasion a third party or even the researcher who first spotted the problem will have a patch prepared faster.

Weighing the dangers of installing third-party patches against letting a zero-day flap in the breeze is a risk-tolerance question that most IT professionals will confront at least once in their careers; alas, there's no one-size-fits-all answer. And if you are unlucky enough to get hit by a zero-day attack anyway, there are ways of at least detecting and limiting the damage from such attacks.

Here, we move away from PC-centric protection to monitoring your network. If your company doesn't have network auditing and network intrusion-prevention tools, it needs them. The name of the game is to look for unexpected network traffic and network scanning activities. For example, there's no reason on Earth that Joe-in-accounting's workstation should be trying to reach an SMTP server when there's nothing else operating on his machine because he is out sick.

In short, if your PCs and servers start producing unusual network traffic patterns -- even if it's just a higher volume of ordinary network traffic -- you may, heuristically thinking, have malware on your systems. Poring over endless logs may not sound like a party to you, but keeping logs of Web requests may allow you to spot patterns over time if you suspect trouble. You should also fight the impulse to install everything plus kitchensink.exe on the servers and systems you monitor. In a world where patching eats up more and more of your time every month, the fewer programs you have running, the fewer attack surfaces are available to the enemy.
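The two heuristics described above (a host talking to a service it has no business using, and a host simply sending more traffic than it normally does) are easy to turn into a first-pass log check. The script below is an added example, not code from the article or from any product it mentions. The log format, the host names, the baseline tables and the sample records are all constructed for illustration; in practice the baseline would be built from a few weeks of logs judged to be clean, and the records would come from a firewall or flow collector.

```python
from collections import defaultdict

# Constructed sample connection log (not real traffic).
# Fields: timestamp, source host, destination address, destination port, bytes sent.
# "ws-accounting-07" is the workstation of someone who is out sick today.
SAMPLE_LOG = """\
2007-03-12T09:01:10 ws-accounting-07 10.0.0.5 80 1200
2007-03-12T09:02:41 ws-accounting-07 10.0.0.5 443 3400
2007-03-12T09:05:02 ws-accounting-07 10.0.0.9 445 800
2007-03-12T09:07:13 ws-accounting-07 203.0.113.40 25 52000
2007-03-12T09:07:15 ws-accounting-07 203.0.113.41 25 51000
2007-03-12T09:07:18 ws-accounting-07 203.0.113.42 25 50000
2007-03-12T09:10:00 srv-mail-01 203.0.113.40 25 9000
2007-03-12T09:11:30 ws-hr-02 10.0.0.5 443 2000
"""

# Hypothetical baseline, assumed to have been built earlier from known-good logs:
# the destination ports each host is expected to use, and the bytes it
# typically sends per hour. Values are invented for this example.
BASELINE_PORTS = {
    "ws-accounting-07": {80, 443, 445},
    "ws-hr-02": {80, 443, 445},
    "srv-mail-01": {25, 53, 443},
}
BASELINE_BYTES_PER_HOUR = {
    "ws-accounting-07": 20000,
    "ws-hr-02": 20000,
    "srv-mail-01": 500000,
}
VOLUME_FACTOR = 3  # flag an hour whose volume exceeds the baseline by this factor


def parse_log(text):
    """Turn whitespace-separated connection records into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def find_anomalies(records, baseline_ports=BASELINE_PORTS,
                   baseline_bytes=BASELINE_BYTES_PER_HOUR, factor=VOLUME_FACTOR):
    """Return findings as tuples; callers decide whether to alert or just log them."""
    findings = []

    # Heuristic 1: a host reaching a destination port it has never been seen using.
    # A host absent from the baseline has an empty expected set, so every one of
    # its connections is reported; an unknown host on the network is itself worth a look.
    for r in records:
        expected = baseline_ports.get(r["src"], set())
        if r["port"] not in expected:
            findings.append(("unexpected_port", r["src"], r["port"], r["dst"]))

    # Heuristic 2: per-host, per-hour outbound volume far above the usual level,
    # even when every individual connection looks ordinary.
    volume = defaultdict(int)
    for r in records:
        hour = r["ts"][:13]  # 'YYYY-MM-DDTHH'
        volume[(r["src"], hour)] += r["bytes"]
    for (src, hour), total in sorted(volume.items()):
        limit = baseline_bytes.get(src, 0) * factor
        if total > limit:
            findings.append(("volume_spike", src, hour, total))

    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports the three SMTP connections from the accounting workstation (port 25 is not in its baseline) and one volume spike for that host during the 09:00 hour, while the mail server's own SMTP traffic passes unremarked. The port check catches the "wrong service" case and the volume check catches the "too much of a normal thing" case; neither proves infection on its own, which is why the function returns findings for a human to review rather than blocking anything.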

If all this makes it sound like securing your systems from malware is a thankless task, well, you're right. On the other hand, it's also absolutely necessary work. Twenty-first century malware doesn't hurt you or your company by trying to wreck your systems with one massive attack. Instead, it seeks your ruin with the death of a thousand small cuts -- here, an important password, there a vital account number. But at the end of it all, today's malware is far more dangerous and more deadly than such historically more dramatic events as the Morris worm.

Steven J. Vaughan-Nichols has been writing about technology and business since smoke signaling was the hot new wireless communications technology.
