InfoWorld - Security Adviser: The killer app for mashing malware

/Home/Internet Security: Blogs/Internet Security: InfoWorld blog/InfoWorld: Security Adviser 2009

Security software needs to take a multipronged approach to stopping Trojan horse executables

By Roger A. Grimes
July 30, 2009

Most successful attacks on client desktops occur when end-users are duped into launching Trojan horse executables, a fact I've raised time and again in the past couple of years. Users might think they're installing an Outlook security patch, a recommended anti-virus program, or codec needed to watch Britney slink out of a cab, but they end up unleashing malware that can wreak havoc not only on their systems, but on your entire corporate network.

Unfortunately, no matter how up to date your organization's anti-virus software is, there is no 100 percent effective way to stop this type of attack once a user opens the infected file. They'll work regardless of whether you're using Windows -- the most targeted platform -- or OS X, Linux, or BSD.

For years now, anti-malware companies have tried everything to combat malware, but without great success. Part of the problem is that anti-malware software is struggling as never before to detect the tens of thousands of new variants being generated daily by criminals and hosted on legitimate (or legitimate-looking) Web sites. The body of evidence shows that the best detection rates are between 40 and 70 percent -- and most products are not on the high end. (Here's a good report on the subject.)

Compounding the problem is the inherent shortcomings of today's anti-malware software: Installation and execution warnings tend to be non-existent, overly generic, or excessively enthusiastic, eventually teaching users to ignore them with a click.

It's time for the anti-malware industry to completely reinvent how we detect malware and put the intelligence of the professional anti-malware engineer into the hands of every end-user. Security software developers need to take the best of all the various technologies (signature detection, heuristics/behavior detection, whitelisting, blacklisting, code signing, community groups, and so on) and make them work in concert to give end-users the best chance of escaping infection.

Click the URL above to read the full article