Windows Malware - Protecting Against Network Worms

Bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, but worms can infect a computer without any interaction from the user. Network worms spread by sending traffic across a network to exploit a vulnerability in remote computers and install the worm. After it is installed, the worm continues looking for new computers to infect.

If the worm attacks a Windows Vista or Windows 7 computer, Windows offers four levels of protection:

• Windows Firewall blocks all incoming traffic that has not been explicitly permitted (plus a few exceptions for core networking functionality in the domain and private profiles). This feature blocks the majority of all current worm attacks.

• If the worm attacks a vulnerability in a Microsoft feature for which an update has already been released, Automatic Updates, which is enabled by default, might have already addressed the security vulnerability.

• If the worm exploits a vulnerability in a service that uses Windows Service Hardening and attempts to take an action that the service profile does not allow (such as saving a file or adding the worm to the startup group), Windows will block the worm.

• If the worm exploits a vulnerability in a user application, limited privileges enabled by UAC block system-wide configuration changes.

The original release of Windows XP lacked all of these levels of protection. With Windows XP Service Pack 2 (SP2), Windows Firewall and Automatic Updates are enabled, but the other levels of protection offered by Windows Vista and Windows 7 are unavailable.
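
A read-only check of the four protections listed above, as an added example that is not taken from the Resource Kit. The function names, the three sampled service names, and the pass criteria in the `OK` column are assumptions chosen for illustration.

```powershell
# Added example: read-only audit of the four protection layers (PowerShell 2.0+).
function New-Result($Layer, $Item, $Value, $Ok) {        # hypothetical helper
    New-Object PSObject -Property @{ Layer = $Layer; Item = $Item; Value = $Value; OK = $Ok } |
        Select-Object Layer, Item, Value, OK
}

function Test-WormProtectionLayers {                     # hypothetical function name
    # 1. Windows Firewall: enabled and blocking unsolicited inbound traffic in each profile.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # NET_FW_PROFILE_TYPE2 values
    foreach ($id in $profiles.Keys) {
        $enabled = $fw.FirewallEnabled($id)
        $blocks  = ($fw.DefaultInboundAction($id) -eq 0)          # 0 = NET_FW_ACTION_BLOCK
        New-Result 'Firewall' $profiles[$id] "enabled=$enabled blockInbound=$blocks" ($enabled -and $blocks)
    }

    # 2. Automatic Updates: service enabled and set to install updates on a schedule.
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel   # 1 = disabled, 4 = scheduled installation
    New-Result 'AutomaticUpdates' 'NotificationLevel' $level ($au.ServiceEnabled -and $level -eq 4)

    # 3. Windows Service Hardening: per-service SID and reduced privilege list.
    #    Service names below are samples; substitute the network-facing services you run.
    foreach ($svc in 'Dnscache', 'LanmanServer', 'Spooler') {
        $key = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $sid   = $key.ServiceSidType          # 1 = unrestricted SID, 3 = restricted SID, absent = none
        $privs = if ($key.RequiredPrivileges) { @($key.RequiredPrivileges).Count } else { 0 }
        # Assumed pass criterion: a service SID or an explicit privilege list is configured.
        New-Result 'ServiceHardening' $svc "sidType=$sid requiredPrivileges=$privs" ((1, 3 -contains $sid) -or $privs -gt 0)
    }

    # 4. UAC: EnableLUA = 1 means users run with limited privileges by default.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    New-Result 'UAC' 'EnableLUA' $lua ($lua -eq 1)
}

Test-WormProtectionLayers | Format-Table -AutoSize
```

Any row with `OK` set to `False` marks a layer that is not in the default state the text describes and is worth reviewing against local policy.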



Source of Information: Windows 7 Resource Kit, Microsoft Press, 2009
