Think malware will fade away with Vista? Sorry. There's about as much chance of the thriving throngs of online criminals packing up shop as there is of Microsoft doing the same.
"Malware technology will evolve just like a business," says Vlad Gorelik, chief technology officer of Sana Security. "There are definitely improved protections [in Vista] with permissions control and things like that, but that type of protection could be overcome by malware."
Some malware programs can already do their nefarious work under Vista, while others will need only minor changes. Fake alerts and other social engineering tricks already in use will become more sophisticated and more common as methods for evading Vista's defences. You'll also likely see more Web-based threats able to steal data passing through any browser, and malware may hide more often in seemingly innocuous installation programs.
These threats and others will find a way around Vista's defences as long as there's a buck to be made -- but you can act to protect yourself.
According to Gorelik, Microsoft's efforts to allow legacy XP software to run on Vista mean that many varieties of malware can make the jump just as easily as legitimate programs. Some won't need to change at all: Gorelik says that of the few hundred malware samples his company regularly works with on XP, about 30 percent ran happily under Vista without any modification.
For attack apps that Vista's User Account Control (UAC) might block from installing surreptitiously, expect social engineering to play an ever greater role. UAC attempts to limit malware's reach into the system by denying programs automatic permission to change important system files and settings. If a user or a program tries to make a sensitive change, a pop-up appears that requires the user to okay the move. Attackers will employ social engineering tricks to get around that defence, or even to co-opt it.
Social engineering already exists in many forms -- as in (to take just one example) the never-ending flood of e-mails that purport to be from your Web mail provider, asking you to open an attached file explaining your password change. Symantec recently posted a warning about another, particularly well-crafted social engineering attack that appears as a Windows activation window.
Trust no one
The counter to social engineering is, of course, to stay sharp. More than ever, you should automatically distrust any unexpected e-mail attachment, even if it appears to come from a trusted friend or a site you do business with. The same goes for links in e-mail: if you're in the habit of always using a bookmark or typing in the URL to reach your accounts, you'll be far safer if and when an e-mail comes along that's good enough to trick you.
But social engineering won't stop with e-mail. Both Gorelik and Joe Stewart, a senior security researcher with SecureWorks, expect social engineering to expand to attacks that deliberately display a fake but normal-looking UAC prompt -- and if you OK it, you'll give the malware a free pass to infect your computer.
These faked pop-ups could work, Stewart says, because people "have to make the right decision about what they're going to run every time. It just takes one thing to get through and disable UAC."
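The article's UAC discussion above (how the prompt gates sensitive changes, and how a forged prompt can co-opt it) comes down to a handful of machine-wide policy settings. The following PowerShell script is an added example, not from the article or from any of the vendors quoted in it: it reads those settings from the registry and warns about the ones that make a spoofed prompt easier to pull off. The registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the real Windows policy locations; the warning thresholds and the wording of the findings are this example's own.

```powershell
# Added example (not part of the original article): audit the UAC policy values
# that decide whether a prompt appears at all and whether it appears on the
# secure desktop, where an ordinary user-mode window (such as a fake prompt
# drawn by malware) cannot be shown.
function Test-UacPromptPolicy {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props  = Get-ItemProperty -Path $uacKey
    $findings = @()

    # EnableLUA = 0 switches UAC off entirely; then no prompt, real or fake,
    # stands between malware and the system.
    if ($props.EnableLUA -ne 1) {
        $findings += 'UAC is disabled or unset (EnableLUA != 1); elevation happens with no prompt.'
    }

    # PromptOnSecureDesktop = 1 dims the screen and shows the genuine prompt on
    # the secure desktop. With it off, a forged prompt window looks the same as
    # the real one and nothing visible tells the two apart.
    if ($props.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts are not shown on the secure desktop; a forged prompt would be indistinguishable from a genuine one.'
    }

    # ConsentPromptBehaviorAdmin = 0 elevates administrators silently.
    if ($props.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0).'
    }

    if ($findings.Count -eq 0) {
        return 'OK: UAC prompting is enabled and uses the secure desktop.'
    }
    return $findings | ForEach-Object { "WARNING: $_" }
}

Test-UacPromptPolicy
```

Run it from an elevated or a standard PowerShell session; reading these values needs no special rights. The practical lesson for the fake-prompt attack the article describes is the secure desktop: when PromptOnSecureDesktop is on (the Vista default), a genuine consent prompt is preceded by the whole screen dimming, and a prompt that appears without that transition, on an otherwise busy desktop, deserves the same suspicion as an unexpected attachment. This script only checks policy; it cannot tell you whether the window in front of you right now is real.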