Protecting Against Network Worms

Bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, but worms can infect a computer without any interaction from the user. Network worms spread by sending network communications across a network to exploit a vulnerability in remote computers and install the worm. After it is installed, the worm continues looking for new computers to infect.

If the worm attacks a Windows Vista or Windows 7 computer, Windows offers four levels of protection:

■ Windows Firewall blocks all incoming traffic that has not been explicitly permitted (plus a few exceptions for core networking functionality in the domain and private profiles). This feature blocks the majority of all current worm attacks.

■ If the worm attacks an updated vulnerability in a Microsoft feature, Automatic Updates—which is enabled by default—might have already addressed the security vulnerability.

■ If the worm exploits a vulnerability in a service that uses Windows Service Hardening and attempts to take an action that the service profile does not allow (such as saving a file or adding the worm to the startup group), Windows will block the worm .

■ If the worm exploits a vulnerability in a user application, limited privileges enabled by UAC block system-wide configuration changes .

These levels of protection are illustrated in Figure 2-3.

Automatic Updates 1

3 <s


Windows Service Hardening

Was this article helpful?

0 0

Post a comment