Protecting Against Network Worms

Bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, but worms can infect a computer without any interaction from the user. Network worms spread by sending network communications across a network to exploit a vulnerability in remote computers and install the worm. After it is installed, the worm continues looking for new computers to infect.

If the worm attacks a Windows Vista or Windows 7 computer, Windows offers four levels of protection:

• Windows Firewall blocks all incoming traffic that has not been explicitly permitted (plus a few exceptions for core networking functionality in the domain and private profiles). This feature blocks the majority of all current worm attacks.
• If the worm attacks an updated vulnerability in a Microsoft feature, Automatic Updates-which is enabled by default-might have already addressed the security vulnerability.
• If the worm exploits a vulnerability in a service that uses Windows Service Hardening and attempts to take an action that the service profile does not allow (such as saving a file or adding the worm to the startup group), Windows will block the worm.
• If the worm exploits a vulnerability in a user application, limited privileges enabled by UAC block system-wide configuration changes.

XP Service Pack 2 (SP2), Windows Firewall and Automatic Updates are enabled, but the other levels of protection offered by Windows Vista and Windows 7 are unavailable.