New Means To Root Out Malware

Malware continues to be a problem for customers, with many users unaware their systems are infected with some kind of hidden “bot” that steals their personal information or hijacks their computer.

“A lot of people have no protection, and even people who have protection, it isn’t complete,” said Peter Firstbrook, research director for information security and privacy at Gartner. “The software doesn’t address known threats, and at best they catch 80 percent of spyware.”

One reason many antivirus and antispyware tools fail is that they don’t perform kernel-level detection, which makes Windows a safe harbor for many viruses and rootkits to hide in. Only Kaspersky’s and Symantec’s antivirus offerings look into the kernel; McAfee and Trend Micro, plus a lot of the smaller players, do not, said Firstbrook.

Now Webroot joins the list of anti-spyware products offering kernel-level protection, and more, with Spy Sweeper Enterprise 3.0, released today.

This is done through direct disk scanning technology that bypasses the Windows APIs controlling disk access. A common rootkit trick is to hide its files from the Windows API, so Spy Sweeper simply skips the Windows API and reads the disk directly.

New in Spy Sweeper Enterprise 3.0 are real-time Smart Shields, a set of intelligent spyware detectors. These include an ActiveX Shield that protects ActiveX components, a Spy Communication Shield that blocks communications to known spyware threat sites, a BHO Shield that blocks the installation of Browser Helper Objects (BHOs) unless specifically approved by the administrator, and an IE Trusted Sites Shield that prevents spyware from modifying Internet Explorer security-zone settings.

Also new are the ability to scan compressed files, improved scalability and performance, and configurable SNMP alerts for spyware detected at the conclusion of sweeps. Administrators can now also throttle CPU usage for both the memory and file scans to minimize the impact on the CPU during sweeps.

“Webroot’s done a really good job. I think they’re the best product from a spyware perspective,” said Firstbrook. But Webroot has the problem of being a small player in a market with a few dominant players and many contenders, he said.

Firstbrook estimates McAfee, Symantec and Trend Micro have 75 percent of the security market, which leaves Webroot, Sophos, Kaspersky, Eset and many other firms to fight for the remaining 25 percent.

“People don’t want another scanner. You want one engine, one distribution mechanism, one update engine, one management console,” said Firstbrook.
“Incumbent vendors have such a leg up and no one wants to move vendors, so little guys have a hard time making inroads in the enterprise. In the enterprise space, [IT] will just turn to their current vendor and say ‘Why don’t you do this?'”

At least enterprise customers are taking precautions. Gartner estimates that at the most, around 10 percent of corporate computers are out-of-date when it comes to patching security holes and keeping their malware scanners current.

But that’s a lot better than the general population, where the firm estimates as much as 70 percent of the computing population does not use any form of virus, spyware or malware protection. Judging by a report from Microsoft this week, those risk-takers are getting off easy.

Since Microsoft released the Windows Malicious Software Removal Tool (MSRT) in January 2005, it has been run on at least 270 million unique computers and has removed 16 million instances of malicious software from 5.7 million unique computers over the past 15 months, according to a report the software giant issued Monday.

That’s just two percent of the population, but that two percent does a lot of damage. Of those 5.7 million infected computers, 62 percent were running backdoor Trojans, mostly “bots,” applications that relay spam or fire off cyber attacks. Mostly, though, it’s spam.

More than 70 percent of the spam that clogs our inboxes comes from these kinds of bots that most people don’t even know are running on their computer in the first place, said Firstbrook.

He also said there’s no excuse for it, that nothing should be firing off email except the email client. “Why would I want my PC to send SMTP mail from anything other than Outlook?” he said. “A simple rule would be don’t send SMTP mail unless it comes from Outlook.”
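The rule Firstbrook describes is also a detection rule: any process other than the mail client opening an outbound SMTP connection is a bot candidate. The script below is an added example (not Webroot’s, Gartner’s or Microsoft’s code) that applies that rule to constructed outbound-connection log lines in a hypothetical `timestamp process dst_ip:dst_port` format; the process names, addresses and the `outlook.exe` allowlist are assumptions, and the fan-out summary flags the spam-relay pattern of one process talking to many mail servers.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical "timestamp process dst_ip:dst_port" format.
# Hosts and process names are made up for illustration.
SAMPLE_LOG = """\
2006-04-18T09:12:01 outlook.exe 10.0.0.25:25
2006-04-18T09:12:05 outlook.exe 10.0.0.25:587
2006-04-18T09:13:44 svchost.exe 203.0.113.7:25
2006-04-18T09:13:45 svchost.exe 203.0.113.8:25
2006-04-18T09:13:46 svchost.exe 203.0.113.9:25
2006-04-18T09:15:00 firefox.exe 198.51.100.4:443
2006-04-18T09:16:12 updater.exe 203.0.113.20:25
this line is malformed and must be skipped
"""

# Assumption: the mail client is the only process allowed to speak SMTP (the rule quoted above).
ALLOWED_MAIL_CLIENTS = {"outlook.exe"}
# SMTP, SMTPS and submission ports.
SMTP_PORTS = {25, 465, 587}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, ip, port = m.groups()
    return {"ts": ts, "process": proc.lower(), "dst_ip": ip, "dst_port": int(port)}


def find_smtp_violations(log_text, allowed=ALLOWED_MAIL_CLIENTS):
    """Return every parsed record where a non-allowlisted process connected to an SMTP port."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst_port"] not in SMTP_PORTS:
            continue
        if rec["process"] not in allowed:
            violations.append(rec)
    return violations


def summarize(violations):
    """Per offending process: number of SMTP connections and number of distinct mail servers.

    Many distinct destinations from one unexpected process is the spam-bot fan-out pattern.
    """
    connections = Counter(v["process"] for v in violations)
    hosts = {}
    for v in violations:
        hosts.setdefault(v["process"], set()).add(v["dst_ip"])
    return {
        proc: {"connections": n, "distinct_hosts": len(hosts[proc])}
        for proc, n in connections.items()
    }


if __name__ == "__main__":
    for proc, stats in sorted(summarize(find_smtp_violations(SAMPLE_LOG)).items()):
        print(f"{proc}: {stats['connections']} SMTP connections to {stats['distinct_hosts']} host(s)")
```

On the constructed input this reports `svchost.exe` with three connections to three different hosts and `updater.exe` with one; `outlook.exe` is never listed because it is allowlisted, and the malformed line is dropped by the parser rather than crashing the sweep. In practice the same logic applies to host-firewall or proxy logs, and the allowlist should be keyed on the full executable path, since a bot can name itself after a legitimate process.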

But Windows machines aren’t locked down in this manner. Firstbrook blames software vendors (including Microsoft) that want machines to be as open as possible for automatic software updates via the Internet.

“Application developers have this sense they can do whatever they want to our PCs as long as it’s good,” he said. “The problem is all the tools they use to keep their programs up-to-date are the same tools malware writers are using to download malicious software onto our PCs.” Another loophole in spyware catchers is that legal keystroke loggers aren’t detected, only illicit ones, he said.

The issue of using some kind of virus and malware protection isn’t new, nor is the attention to the lack of protection. The bottom line, said Firstbrook, is he’s not surprised at the stats from Microsoft, and thinks the User Account Control (UAC) feature in Windows Vista is necessary.

“It’s gotta happen. Seventy to 80 percent of malware won’t run properly on a Windows machine if you’re not running with Administrator rights. UAC disconnects a lot of user rights from manager rights,” he said. As for user complaints the UAC is too cumbersome, he responded that Macintosh and Unix have similar features “and you don’t hear them complaining.”
