Vista Malware: Fighting Malware with Vista's Tools

Sunday Apr 29th 2007 by Tony Piltzecker
Share:

Windows Vista offers a number of updated features to prevent malware - and keep your PC safe and clean.

Vista Malware: Prevention and Response

Before we get into how Microsoft’s new products can help you reduce the threat of malware, it makes sense to discuss prevention and response first.

As mentioned earlier, staying secure is a two-step dance. You need good software that protects you, and the mindset to protect your surfing habits. Protecting systems and networks from the damage caused by Trojans, viruses, and worms is mostly a matter of common sense. It’s up to you to prevent harm by being aware of it, and then being able to respond to it and make the systems (or network) operational without any downtime, if possible.

Although there are many ways to protect yourself and your system using Microsoft’s tools, it always helps to practice some of the following general security practices as well:

• Periodically update every piece of software you install on your system, as well as the OS itself, which also needs to be updated periodically. You can do this by installing the latest updates, hotfixes, security patches, and SPs that are available for your software. Keep on top of when new patches come out, and try to test and then install the current patches to keep your system at its best.

vista malware tools

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

• When using your e-mail client, pay close attention to “who” is sending you e-mail and “where” the e-mail originates. Because e-mail can be spoofed, you may not always be able to do this, but in most cases, a spam filter can quickly identify unspoofed e-mail and send it right to the trash or automatically remove it.

• If you receive files from sources that you do not recognize, it’s wise not to execute them. Instead, delete them. In other words, if someone sends you a file such as harmless.jpg.exe, it’s a good idea to delete the file and not execute it because it seems to fall into the characteristic of a typical malware hoax intended on getting you to launch it.

• When using your e-mail client, make sure you turn off any preview pane functionality so that you do not open and, therefore, execute any attached scripts simply by opening your Inbox.

• To prevent macro viruses, ensure that macro security is enabled in Office so that if you open a Word document, you won’t necessarily run a malicious script that may also be contained within it.

• Do not use floppy disks from untrusted sources. Also, pay attention to any file that enters your system from any source, whether it is a CD or DVD-ROM, USB flash device, or something similar.

• Use host-based instruction detection/prevention (IDS/IPS) software if possible, as well as firewall software, antivirus software, and spyware removal software such as Microsoft Defender.

• Harden your systems and disable unneeded or unwanted services.

• Use a strong password policy. If malware does attempt to try to steal your credentials, having a strong password policy in place will help you if your system does become infected.

• Configure your Web browser (such as Internet Explorer 7) to ignore or warn for cookies, and disable JavaScript and ActiveX, two commonly exploited scripting languages. Keep a close eye on sites that are not trusted and try to block sites that you know are malware-infected.

You may also want to make sure your network is also secure. Some more advanced practices include the following:

• Configure your routers, switches, and other adjoining network hardware to be secure, which means locking down services, keeping the router or switch OS updated, and applying any security measures such as disabling broadcasts on certain interfaces, applying access control lists (ACLs), and so on.

• Disable the Simple Network Management Protocol (SNMP) and any other services that you do not need.

• Make sure any e-mail relays in use are protected and aren’t being used to send spam.

• Use application gateway firewalls to protect against large-scale attacks.

• Apply defense in depth. Using a firewall alone is almost meaningless. You need to ensure that you have multiple levels of security in place, such as desktop policies, a firewall, and an IDS.

• Use a security policy and keep it updated. Security is upheld only when it’s supposed to be, so make sure your company has a policy in place that dictates what needs to be secured and how it needs to be secured.

vista malware tools

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

• Make sure you have an incident response plan ready, with detailed steps and a team that can carry it out. Your goal should be to prevent a crisis if you can, but your real responsibility when dealing with incident response concerns the response; in other words, taking care of the issue either while it is happening or after it has happened.

TIP Creating backups of your important data is one place to start. Incident prevention and risk mitigation begin with your proactive planning. A great response to an attack that destroys your company’s important data is data backup that restores that data to its original state.

Incident Response

Recognizing the presence of malicious code should be your first response step if the system does get infected. Administrators and users need to be on the alert for common indications that a virus might be present, such as missing files or programs; unexplained changes to the system’s configuration; unexpected and unexplained displays, messages, or sounds; new files or programs that suddenly appear with no explanation; memory “leaks” (less available system memory than normal) or unexplained use of disk space; and any other odd behavior of programs or the OS.

If a virus is suspected, a good antivirus program should be installed and run to scan the system for viruses and attempt to remove or quarantine any that are found. Finally, all mission-critical or irreplaceable data should be backed up on a regular basis in case all of these measures fail.

Remember that virus writers are a creative and persistent bunch and will continue to come up with new ways to do the “impossible,” so computer users should never assume that any particular file type or OS is immune to malicious code. There is only one way to completely protect yourself against a virus, and that is to power down the computer and leave it turned off entirely.

TIP You may want to consider creating an incident response plan as well as an incident response team for your future incident endeavors. You should also review “Creating a Computer Security Incident Response Team: A Process for Getting Started,” released by CERT (www.cert.org/csirts/Creating-A-CSIRT.html).

Microsoft Vista and Security .

The battle for malware wages on, but new weapons have been pushed to the front line. For Windows Vista, many new security features (as well as some updated ones) help to protect computer systems from past, present, and future malware threats of any class.

Vista includes many new features that help to thwart malware threats. Behind the actual making of the software was a major plan to shift the way Microsoft does business in the security sector. Now, making a secure, private, and reliable computing experience has become the company’s top priority and has been dubbed “Trustworthy Computing.”

vista malware tools

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

To preserve data confidentiality, integrity, and availability (CIA), Windows Vista brings a new level of confidence to computing through improved security, reliability, and management. It achieves this by establishing innovative engineering, applying best practices, and creating a system where the OS can be updated and maintained consistently to avoid intrusion or exploitation.

New features include:

Windows Service Hardening (WSH) Windows Service Hardening limits the amount of damage an attacker can do if a service is compromised.

Network Access Protection (NAP) Network Access Protection is used to prevent clients from connecting to the network if they are infected with malware.

Internet Explorer 7 Internet Explorer 7 comes with Windows Vista by default as the built-in Web browser. It includes many security enhancements that protect users from malware attacks such as phishing and spoofing, and it uses a new mode, called Protected Mode, to further secure the user’s browsing experience.

Updated Windows Firewall The new outbound filtering feature in the personal firewall helps to apply more granular control over traffic traversing it.

User Account Control (UAC) This feature will allow a user to change computer settings while running as a standard user, instead of requiring administrator privileges to perform most tasks.

Windows Defender The Windows Defender utility detects malware on your system and, when used in conjunction with SpyNet, can help to eliminate most spyware attacks and exploits.

Other features within Vista help to secure the system; however, these relate to the battle against malware.

Windows Service Hardening (WSH)

For a long time, malware seemed to be connected to Windows-based services. Because Windows services have always been an open door for malware creators, Microsoft took steps to ensure that this doesn’t continue to be a problem. In the past, there has been a major issue with the number of critical services running as System, which basically gave an open door to anyone who could bypass the minimal security in place.

The Sasser, Blaster, Slammer, and Code Red exploits targeted unprotected and easily exploited services. WSH is a new service released with Microsoft Vista that allows you to harden the security posture of your host system. It’s not realistic to leave a PC powered down and not in use, because this goes against what a computer was originally designed to do, which is to help you be more productive. The computer was not meant to act as a 150-pound paperweight. Microsoft has raised the bar on system service hardening by releasing WSH.

A system service is normally a background process that runs to support specific functions, such as the Messenger service that is used to send and receive messages throughout the system. In the past, services have been able to be exploited because once they were breached they basically opened the door to the system for the malware creator. Now, WSH focuses on using the least-privileged account—for example, LocalService. To further understand how this works consider that the hardened service would be protected via service SID access via ACLs. The service would use an SID, an ACL, and a “write-restricted token” to further harden and protect the system from exploitation.

Microsoft’s system services have been the base for many attacks because of the high level of privileges these services run with. If exploited, some services can give unfettered access to the entire system. The malware can then run with the highest possible system privileges, or LocalSystem privileges. Once the system has been exploited, the attacker can run exploits on the system with administrator privileges. Worms such as Slammer exploited known system service holes. System services are kept secure with Windows Vista through the use of restricted services.

vista malware tools

This article is excerpted from “Vista for IT Security Professionals.” To order this book, please visit Syngress.

This is done by running the services used with the “least privilege” needed, which reduces the risk of a threat. Using restricted services minimizes the number of exploitable services that are running and helps to secure the ones that do run. Windows services are run under service profiles that help to classify the service further so that the Vista OS has full control over its own services, further limiting malware exploitation.

Used in conjunction with the newly updated Windows Firewall, inbound and outbound network ports that the services are allowed to use are now under Vista’s control. If a system service attempts to send and receive network data on a specific port, the firewall will block access. The commonly exploited Remote Procedure Call (RPC) service is an example. When RPC is needed, it will be loaded and “restricted” to doing only certain things. No longer can it be used to replace system files and other data, modify the system Registry, and so on.

WSH is important to Vista’s overall security because even if you cannot prevent your system from being infected by malware, at least now you have a good feeling that if the system does get infected, the payload will not be as extreme as it used to be with older versions of the Windows OS. WSH also opens the door for independent software vendors (ISVs) to develop components and programs that are secure and will not cause issues for Windows Vista.

WSH (in conjunction with other new security features) provides an additional layer of protection which builds on the defense in depth principle. Defense in depth is a general security term that means applying many levels of security to enhance your security posture. Do not rely on one form of security, such as a firewall, to protect you. Incorporate other forms of security so that you do not have all your eggs in one basket. With WSH, Vista adds another layer of security to the system, which can help thwart future attacks and exploits even further.

Network Access Protection (NAP)

NAP is used to prevent clients from connecting to the network if they are infected with malware. NAP is a policy enforcement platform incorporated into Windows Vista as well as Windows Server 2007 (codenamed Longhorn). By enforcing compliance with very specific system health requirements, Vista is able to help prevent malware from accessing the rest of the network and attached systems.

NAP can help verify that each computer connected to the network is malware-free; if it is not, it will not be allowed to connect to the network and further infect other systems. Until the system checks out as malware-free, it will not be allowed to use the network or its services.

WARNING

Vista supports NAP with limited functionality. You will need to use Windows Server 2007 to provide full network access protection because this is used as the NAP policy server.

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved