Understanding the Risk of Malware
Malware is commonly spread in several different ways:
- Included with legitimate software: Malware is often bundled with legitimate software. For example, a peer-to-peer file transfer application might include potentially unwanted software that displays advertisements on the user's computer. Sometimes the installation tool makes the user aware of the bundled software (although users often do not understand the real cost, such as degraded performance and compromised privacy). Other times the fact that unwanted software is being installed is hidden from the user (a non-consensual installation). Windows Defender, described later in this tutorial, can detect potentially unwanted software bundled with an otherwise legitimate installer and notifies the user about the software running on the system. Additionally, when UAC is active, a standard user account does not have the privileges to install software that writes to system-wide locations; note, however, that software which installs entirely into the user's own profile needs no elevation and is not stopped by UAC alone.
- Social engineering: Users are often tricked into installing malware themselves. A common technique is to attach a malware installer to an e-mail and provide instructions in the message for running it. For example, the e-mail might appear to come from a known contact and describe the attachment as an important security update. E-mail clients such as Microsoft Office Outlook now block access to executable attachments by default, so modern social engineering attacks instead abuse e-mail, instant messaging, social networking, or peer-to-peer networks to direct users to a Web site that installs the malware, with or without the user's knowledge. The most effective way to limit the impact of social engineering is to train users not to install software from untrustworthy sources and not to visit untrusted Web sites. Additionally, UAC limits a standard user's ability to install software, AppLocker can prevent users from running untrusted executables, and Windows Defender makes users more aware of when potentially unwanted software is being installed. For more information about social engineering, read "Behavioral Modeling of Social Engineering-Based Malicious Software" at http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73.
Note: Windows XP Service Pack 2 (SP2), Windows Vista, and Windows 7 support Group Policy settings that control how attachments and downloaded files are handled (for example, whether the Internet zone origin of a saved file is preserved and which file types are treated as high risk). The relevant Group Policy settings are located in User Configuration\Administrative Templates\Windows Components\Attachment Manager and therefore apply per user.
- Exploiting browser vulnerabilities: Some malware installs itself without the user's knowledge or consent when the user visits a Web site. To accomplish this, the malware must exploit a security vulnerability in the browser or a browser add-on to start a process with the user's (or the system's) privileges, and then use those privileges to install itself. The risk of this type of exploit is significantly reduced by Windows Internet Explorer Protected Mode in Windows Vista and Windows 7, which runs the browser at low integrity so that a compromised browser process cannot write to most of the user's profile or registry without a separate elevation. Additionally, the Internet Explorer 8 SmartScreen filter can warn users before they visit a known malicious site.
- Exploiting operating system vulnerabilities: Some malware installs itself by exploiting operating system vulnerabilities. For example, many worms infect computers by exploiting a flaw in a listening network service to start a process on the computer and then use that process to install the malware. The risk of this type of exploit is reduced by UAC, explained in this tutorial, and by Windows Service Hardening, which restricts the privileges and resources available to a compromised service.
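The Note above names the Attachment Manager Group Policy settings and the browser item names Protected Mode, but neither shows how to verify what is actually in effect on a client. The following PowerShell script is an added example, not part of the original tutorial or of any Microsoft tool: it reads the Attachment Manager policy values from the user's registry, reads the Internet zone Protected Mode value, and demonstrates the Zone.Identifier stream (the mark-of-the-web) that Attachment Manager consults when deciding whether to warn before a downloaded file is opened. It assumes PowerShell 3.0 or later (for the -Stream parameter and Unblock-File; Windows 7 ships PowerShell 2.0, so Windows Management Framework 3.0 must be installed), an NTFS volume for the sample file, and that the registry value encodings match the standard policy templates (6150/6151/6152 for the High/Moderate/Low default risk level, SaveZoneInformation 1 = do not preserve, 2 = preserve; verify against your own ADMX files). The sample file and its stream are constructed by the script itself.

```powershell
# Added example: audit Windows 7 attachment and browser protection settings.
# Assumes PowerShell 3.0+ and an NTFS volume. Registry value meanings follow the
# standard Attachment Manager and Internet Explorer policy templates (assumption).

# Attachment Manager policies (User Configuration\Administrative Templates\
# Windows Components\Attachment Manager) land here when set by Group Policy.
# An absent value means "Not configured", so the built-in default applies.
$AttachmentPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

# Internet Explorer per-zone settings; subkey 3 is the Internet zone.
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-AttachmentManagerPolicy {
    $p = Get-ItemProperty -Path $AttachmentPolicyKey -ErrorAction SilentlyContinue

    # Decode each value and flag the settings that weaken protection.
    $risk = switch ($p.DefaultFileTypeRisk) {
        6150    { 'High' }
        6151    { 'Moderate' }
        6152    { 'Low (weak: fewer warnings)' }
        default { 'Not configured (defaults to Moderate)' }
    }
    $zoneInfo = switch ($p.SaveZoneInformation) {
        1       { 'Not preserved (weak: downloads carry no mark-of-the-web)' }
        2       { 'Preserved' }
        default { 'Not configured (preserved by default)' }
    }
    $avNotify = switch ($p.ScanWithAntiVirus) {
        1       { 'Off (weak)' }
        3       { 'On' }
        default { 'Not configured' }
    }
    [pscustomobject]@{
        DefaultFileTypeRisk = $risk
        ZoneInformation     = $zoneInfo
        AntivirusNotify     = $avNotify
        HighRiskFileTypes   = $p.HighRiskFileTypes      # e.g. '.exe;.scr;.bat' when configured
        UnblockButtonHidden = ($p.HideZoneInfoOnProperties -eq 1)
    }
}

function Get-IEProtectedModeState {
    # Value "2500" in a zone key: 0 = Protected Mode on, 3 = off.
    $z = Get-ItemProperty -Path $InternetZoneKey -ErrorAction SilentlyContinue
    switch ($z.'2500') {
        0       { 'Enabled' }
        3       { 'Disabled (weak)' }
        default { 'Not present in HKCU (check HKLM or policy)' }
    }
}

function Get-MarkOfTheWebZone {
    # Returns the ZoneId recorded in the file's Zone.Identifier stream
    # (3 = Internet, 4 = Restricted), or $null when the file carries no mark.
    param([Parameter(Mandatory = $true)][string]$Path)
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

# --- Report the policy state ---
Get-AttachmentManagerPolicy | Format-List
"Internet zone Protected Mode: $(Get-IEProtectedModeState)"

# --- Constructed sample: a harmless text file marked as if saved from the Internet ---
$sample = Join-Path $env:TEMP 'attachment-manager-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample file, not a real attachment'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

"Before Unblock-File, ZoneId = $(Get-MarkOfTheWebZone -Path $sample)"   # shows 3
Unblock-File -LiteralPath $sample                                      # deletes the stream
"After Unblock-File, ZoneId = $(Get-MarkOfTheWebZone -Path $sample)"    # shows nothing
Remove-Item -LiteralPath $sample
```

Run it as the user whose settings you want to check, since both registry locations are under HKEY_CURRENT_USER. The point of the last block is the mechanism: when SaveZoneInformation is set to 1 (the "Do not preserve zone information" policy enabled), downloaded files never receive the Zone.Identifier stream, so Attachment Manager, Windows Explorer and Office see no difference between a file created locally and one that arrived from the Internet, and the warnings the tutorial relies on are silently lost.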
In this tutorial:
- Windows 7 Client Protection
- Understanding the Risk of Malware
- User Account Control in Windows 7
- UAC for Standard Users
- UAC for Administrators
- UAC User Interface
- Secure Desktop
- How Windows Determines Whether an Application Needs Administrative Privileges
- How to Control UAC Using Application Properties
- How UAC Examines the Application Manifest
- UAC Heuristics
- UAC Virtualization
- UAC and Startup Programs
- Compatibility Problems with UAC
- How to Configure UAC
- Group Policy Settings
- Control Panel
- Msconfig.exe
- How to Configure Auditing for Privilege Elevation
- Other UAC Event Logs
- Best Practices for Using UAC
- AppLocker
- AppLocker Rule Types
- Auditing AppLocker Rules
- DLL Rules
- Custom Error Messages
- Using AppLocker with Windows PowerShell
- Using Windows 7 Defender
- Understanding Windows Defender
- Automatic Scanning
- Real-Time Protection
- Windows Defender Alert Levels
- Understanding Microsoft SpyNet
- Configuring Windows Defender Group Policy
- Configuring Windows Defender on a Single Computer
- How to Determine Whether a Computer Is Infected with Spyware
- Best Practices for Using Windows Defender
- How to Troubleshoot Problems with Unwanted Software
- Network Access Protection
- Forefront