
Sunday, April 06, 2008

How efficient are non-standard configurations in combating the malware problem?

Very. Thank you for reading this article, hope to see you soon.

Just kidding :-), you won't get off this easy. You'll have to read my ramblings about the topic.

It isn't a new idea to model the malware problem using methods borrowed from the field of biology, more specifically the study of diseases and how they spread during epidemics. One of the ideas taken from this field is slowing down / reducing the impact of an epidemic through diversity. In biology this means that one epidemic affects only one species (or even a part of a species), and even if the worst case happens (the entire sub-species disappears because of the disease), it doesn't mean that life in general ceases to exist.

This line of reasoning is usually applied to computer security the following way: we need to use different operating systems, because a threat affecting one OS won't affect the other (for example a DCOM exploit won't work against OpenSolaris). While this line of reasoning is completely accurate, the problem with it at both the micro (home-user) and macro (corporation) level is that programs (operating systems in this case) are not 100% (or even 70%) interchangeable. You can get away fairly easily with switching between related OS's (for example switching from one Linux distribution to another), however as the "distance" grows, so does the switching pain. Other (very real) problems of a heterogeneous environment are interoperability, manageability and user training (the order of enumeration is arbitrary; their relative importance depends on the given situation).

The line of reasoning presented until now is analogous to the situation of having multiple species (the same type of program - for example an OS - from multiple sources) and saying that "life" in general will still exist even if one of the species ceases to exist. I would argue however that the same type of argument can be made on the sub-species level. And by sub-species I mean instances of the same program (operating system, relational DBMS, etc) configured differently. To summarize, my claim is that:

Software systems (most of the time) can be configured in a way which makes them immune to a very large part of the non-targeted attacks and still remain usable. This is equivalent to (or better than) the performance of many blacklist-type security software.
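To make the epidemic analogy concrete, here is a small simulation I added for this post (it is not the author's code, and the model and its numbers are my own assumptions): a non-targeted worm picks random addresses and infects any host that runs the "standard" configuration it was written for, while hosts with a non-standard configuration (say, the service listens on another port) simply ignore the probe. The returned history lets you see both effects the text describes: the differently configured hosts are never infected, and the worm's hit rate among the remaining standard hosts drops with every non-standard host it wastes a scan on.

```python
import random


def simulate_scanning_worm(n_hosts, diverse_fraction, scans_per_tick=5,
                           max_ticks=200, seed=1):
    """Toy SI-style model of a worm spreading by random address scanning.

    Hosts 0 .. n_susceptible-1 run the standard configuration the worm
    targets; the remaining hosts are configured differently and ignore the
    probe.  All parameters are assumptions chosen for this illustration.
    """
    rng = random.Random(seed)
    n_diverse = int(n_hosts * diverse_fraction)
    n_susceptible = n_hosts - n_diverse
    susceptible = [host < n_susceptible for host in range(n_hosts)]
    infected = [False] * n_hosts
    if n_susceptible == 0:
        return {"infected": 0, "never_infected": n_hosts, "diverse_infected": 0,
                "ticks": 0, "history": [0]}
    infected[0] = True          # patient zero runs the standard configuration
    history = [1]               # infected count after each tick
    for _ in range(max_ticks):
        hits = set()
        for host in range(n_hosts):
            if not infected[host]:
                continue
            for _scan in range(scans_per_tick):
                target = rng.randrange(n_hosts)   # blind scan of the address space
                if susceptible[target] and not infected[target]:
                    hits.add(target)
        for target in hits:
            infected[target] = True
        history.append(sum(infected))
        if history[-1] == n_susceptible:          # every standard host is owned
            break
    total = history[-1]
    return {
        "infected": total,
        "never_infected": n_hosts - total,
        "diverse_infected": sum(1 for h in range(n_hosts)
                                if infected[h] and not susceptible[h]),
        "ticks": len(history) - 1,
        "history": history,
    }


if __name__ == "__main__":
    for fraction in (0.0, 0.5, 0.9):
        result = simulate_scanning_worm(1000, fraction)
        print(f"non-standard hosts: {fraction:>4.0%}  infected: {result['infected']:>4}  "
              f"ticks to saturate: {result['ticks']}")
```

The model deliberately ignores patching and targeted attacks, which is exactly the scope the post claims for configuration diversity: it changes nothing for an attacker who looks at your host specifically, and everything for one who scans blindly.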

A few examples:

Network-facing software can be configured to listen on a non-standard port (if it has a limited user base). For example, imagine if an MS SQL database had listened on a non-standard port during the Slammer outbreak (setting aside the fact that a patch was already available and that database systems should not be accessible from the Internet): it wouldn't have been affected.

The second example: using a non-standard browser (Firefox, Opera, Safari, etc). This also exemplifies two other aspects of the problem: first, the "alternative configuration" must work at an acceptable level (there are sites out there which don't work in some of these browsers). Second, as such an "alternative" configuration gains popularity, it won't be so effective (for example we are starting to see "mainstream" attacks against Firefox). A sidenote: if you wish to use an alternative browser, make sure that you're using one with an alternative engine, not just one which presents an alternative interface to the same engine (for example the Maxthon browser uses the IE engine, the Galeon browser uses the Gecko engine, the same one which powers Firefox, etc). Also, to be more effective you might want to change the User-Agent string for the given browser. This will throw off the current (rather primitive) methods used to target different browsers.
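The two points of the sidenote (shells share an engine, and a changed User-Agent only fools detection that relies on the string) can be shown with a few lines of code. This is an added example, not the author's; the User-Agent strings are constructed samples in the formats those browsers used around 2008, and the script-visible objects used for the feature test (`window.opera` in Opera, `ActiveXObject` in IE, the `netscape` object in Gecko) are what those engines historically exposed, used here as assumptions for the illustration.

```python
# Constructed samples, not captured traffic.
SAMPLE_USER_AGENTS = {
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "maxthon": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon)",
    "firefox2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) "
                "Gecko/20080311 Firefox/2.0.0.13",
    "galeon": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) "
              "Gecko/20080311 Galeon/2.0.4 Firefox/2.0.0.13",
    "opera9": "Opera/9.26 (Windows NT 5.1; U; en)",
}

# Substring markers checked in order.  Order matters: Opera could itself be
# set to identify as IE, so its own token must be tested before "MSIE".
ENGINE_MARKERS = [
    ("Opera", "presto"),        # Opera
    ("MSIE", "trident"),        # IE and every shell around it (Maxthon, ...)
    ("AppleWebKit", "webkit"),  # Safari
    ("Gecko/", "gecko"),        # Firefox, Galeon and other Gecko browsers
]


def engine_from_user_agent(ua):
    """The primitive method: map the User-Agent string to a rendering engine."""
    for marker, engine in ENGINE_MARKERS:
        if marker in ua:
            return engine
    return "unknown"


def engine_from_script_environment(window):
    """The robust method: ask the engine what it exposes to page scripts.

    `window` is the set of global object names a script can see.  Changing the
    User-Agent string leaves these untouched, so this test is not fooled.
    """
    if "opera" in window:
        return "presto"
    if "ActiveXObject" in window:
        return "trident"
    if "netscape" in window:
        return "gecko"
    return "unknown"


def fingerprint(ua, window):
    """Return what both methods conclude so the two can be compared."""
    return {"by_user_agent": engine_from_user_agent(ua),
            "by_features": engine_from_script_environment(window)}


if __name__ == "__main__":
    # Firefox configured to send IE's User-Agent string.
    print(fingerprint(SAMPLE_USER_AGENTS["ie7"], {"netscape"}))
```

Note that the Maxthon and Galeon strings classify as Trident and Gecko respectively, which is the post's point about engines versus shells, and that the spoofed Firefox is misread only by the string-based method; once a site fingerprints by features, the User-Agent trick buys nothing.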

Third example: use an alternative PDF reader instead of Adobe Acrobat (on Windows you could try FoxIt). Use an alternative office suite.

Final example: don't run as Administrator or Power User (if you are using Windows XP). Run as a regular user. This will kill off a lot of malware which expects to be able to write to key areas of the file system / registry.
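A quick way to check whether an account really is the "regular user" this example asks for is to try creating a file in the locations malware of that kind expects to own. The script below is an added example (not from the post); the list of protected locations is my assumption, and it probes by actually creating and deleting a file rather than calling `os.access()`, because on Windows `os.access()` looks only at the read-only attribute and ignores ACLs, so it would report Program Files as writable even for a regular user.

```python
import os
import tempfile


def can_create_file(directory):
    """Create and immediately delete a file in `directory`; True on success."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix="lp-probe-",
                                         delete=True):
            pass
        return True
    except OSError:            # PermissionError, FileNotFoundError, ...
        return False


def default_protected_locations():
    """Directories a regular user should not be able to write to (assumed list)."""
    env = os.environ
    if os.name == "nt":
        system_root = env.get("SystemRoot", "")
        candidates = (system_root,
                      os.path.join(system_root, "system32"),
                      env.get("ProgramFiles"))
        return [path for path in candidates if path]
    return ["/usr/bin", "/etc"]   # rough Unix equivalents for the same check


def audit_write_access(paths):
    """Map each path to whether the current account can drop a file there."""
    return {path: can_create_file(path) for path in paths}


def runs_with_least_privilege(paths=None):
    """True when none of the protected locations accepts a new file."""
    results = audit_write_access(paths or default_protected_locations())
    return not any(results.values())


if __name__ == "__main__":
    for path, writable in audit_write_access(default_protected_locations()).items():
        print(f"{'WRITABLE' if writable else 'protected':9} {path}")
    print("least privilege:", runs_with_least_privilege())
```

Run it as the account in question: every line should read `protected`. A `WRITABLE` line on a system directory means that account still has the rights the post says to take away from your aunt.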

The common aspect of all these examples is that the working environment was altered only slightly, but the protection achieved against mass-attacks is very significant.

My conviction (based on seeing a great deal of malware in the last couple of years) is that such measures reduce the exposure to current and future malware to less than 0.1%! To be clear: this is not a silver bullet and there are many situations in which it fails to be effective. Two such cases would be: first, if the given alternative starts to become mainstream (where "mainstream" needs to be interpreted in the broadest sense of the word; for example Firefox is used by around 20% of the Internet population and is already targeted by general attacks, while Opera with its considerably smaller user base seems safe for the moment). The other problem is a targeted attack, against which it also fails to protect.

In conclusion: do yourself and your aunt a favor and don't make her an Administrator on the next system you install for her. This will make both of your lives easier.

PS. I'm sure that many of you will ask if this means that AV software is obsolete. My response is: no, but it must be accompanied by other measures, it can't stand on its own (and neither can any other solution).


  1. What you say about using alternative programs makes a lot of sense. Because your site is dedicated to eliminating the half-truths in the computer world, I should point out one common misconception that your blog might perpetuate.

    You identified Maxthon as running on the IE engine (true) and only presenting an "alternative interface" to the IE engine. That's not accurate. The creators of Maxthon have added code that takes it beyond the security protections you'll find in Internet Explorer itself. It is, if you will, a safer, not to mention faster, more powerful, and more versatile IE.

    Even with this proper distinction of how Maxthon works, your advice to take the less beaten path still applies. But I did want to set the record straight about this common misunderstanding of Maxthon's relationship to the IE engine.

  2. Thank you for the correction. I have personally never used Maxthon, but indeed it seems from their feature page that they have additional security features compared to IE.

    Thank you for the correction.