Windows Vista and Malware

How does Windows Vista stand up to the current crop of malware and crapware coming from the Internet? Pretty well, if you ask Jim Allchin. In a recent post he discusses a comparison that Sophos did. In its monthly report Sophos tracks the top ten threats reported to it that month, and this time Sophos tested whether Windows Vista was vulnerable to them. Straight out of the box with the default settings, Windows Vista was not vulnerable to any of them, according to Allchin. Not so, according to Sophos.

The list gives the virus name followed by its percentage of the reports Sophos received that month.
W32/Stratio-Zip 33.3%
W32/Netsky-P 15.6%
W32/Bagle-Zip 6.1%
W32/Zafi-B 4.3%
W32/Netsky-D 3.9%
W32/Nyxem-D 2.5%
W32/MyDoom-O 2.5%
W32/Mytob-C 2.4%
W32/Sality-AA 1.8%
W32/Zafi-D 1.7%

Source: Top Ten Threats for November 2006.

Here is the article that Sophos posted saying Windows Vista was vulnerable to 3 of the top 10 malware threats, followed by an excerpt:

Sophos experts note that on the launch date of Microsoft’s Windows Vista operating system, three of the top ten – including Stratio-Zip – are capable of bypassing the operating system’s security defenses and infecting users’ PCs. The Vista-resistant malware – W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – comprise 39.7% of all malware currently circulating.

The results showed that while the Windows Mail email client (Vista’s upgrade of Outlook) was able to identify and halt all of the threats, W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – each of which is commonly disseminated via email – were able to bypass the defenses when accessed via a third-party web email client. This represents a serious issue for businesses that allow employees to access their personal email at work, as well as for companies that are considering adopting an alternative email client.

“There has been much speculation about whether Vista would render existing malware extinct, and the news is now in – it won’t,” said Carole Theriault, senior security consultant at Sophos. “While Microsoft should be commended for the huge security improvements it has made in Vista, running separate security software is still essential to eliminate the risk of infection. On top of this, cyber criminals will already be looking at creating Vista-specific malware. Users need to think carefully about whether their current solution is going to offer sufficient protection against such emerging threats, given that some vendors continue to experience problems adapting their software for the Vista operating environment.”

Source: Three of the top ten malware threats run on Microsoft Vista, Sophos tests show

So, Jim Allchin had his team test these malware samples on Windows Vista themselves to see how they affected the operating system. Their finding: if you are using only the software that ships with Windows Vista, meaning the built-in mail client and no other security software, then it is not vulnerable.

In order to understand what was really going on here, I asked the team to go look at the technical facts behind the story, and that started in the lab. We began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software. What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.

If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block. In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that’s contained inside the .ZIP file — there is no way for this to happen without two steps of user action. If you happen to run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D.

Source: Windows Vista and protection from malware on the Windows Vista team Blog.

So, the difference comes down to whether your email client allows the .ZIP format, and even if it does, you still have to open the zip and then run the executable inside it. So, while Sophos’ tests show that Vista is vulnerable to three of them, apparently they left out the fact that they had to open the allowed zip files themselves, and that they installed Microsoft Outlook rather than using the Windows Mail client. So, is this a case of Sophos trying to sell more software, or do they just never tell exactly how they test software? I noticed that there are a couple of links to the Windows Vista version of their anti-virus software on this “press release”.
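To make the distinction Allchin draws concrete, here is an added example (my own code, not from Allchin’s post, Sophos or Microsoft) that models two mail-client attachment policies: one that blocks only attachments with a known executable extension, and one that also looks inside .ZIP archives. The extension list and the sample attachments are constructed for the demonstration; the ZIP members are harmless placeholder text.

```python
import io
import posixpath
import zipfile

# Constructed subset of the "known executable formats" a mail client blocks.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def is_executable_name(name):
    """True if the file name carries an executable extension."""
    return posixpath.splitext(name.lower())[1] in EXECUTABLE_EXTS

def executables_in_zip(data):
    """Executable member names inside a ZIP attachment body ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        return []

def classify(attachment, inspect_archives):
    """Verdict for a (name, bytes) attachment. inspect_archives=False models a
    client that blocks only top-level executable names; True models one that
    also looks inside .ZIP files before letting the user open them."""
    name, data = attachment
    if is_executable_name(name):
        return "blocked: executable attachment"
    if name.lower().endswith(".zip"):
        inner = executables_in_zip(data)
        if inner and inspect_archives:
            return "blocked: executable inside archive " + ",".join(inner)
        if inner:
            return "allowed: archive; user must open it and run " + ",".join(inner)
    return "allowed"

def make_zip(member_name):
    """Constructed sample: a ZIP holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder text, not a real program")
    return buf.getvalue()

# Constructed attachments mirroring the cases in the Allchin quote.
SAMPLES = [
    ("message.exe", b"placeholder"),              # bare executable attachment
    ("document.zip", make_zip("document.exe")),   # executable inside a .ZIP
    ("report.zip", make_zip("report.txt")),       # benign archive
]

def run_all():
    """Verdicts for every sample under both client models, keyed by (name, inspect)."""
    return {(n, i): classify((n, d), i) for n, d in SAMPLES for i in (False, True)}
```

Running `run_all()` shows the bare executable is blocked under both policies, while the archived executable is only blocked when the client inspects ZIP contents; otherwise it is left to the two explicit user actions Allchin describes.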