Stealthy Trojan horses, modular bot software dodging defenses
Robert Lemos, SecurityFocus 2005-06-13

Software attack tools that turn PCs into remotely controlled zombies are getting better, but defenses are not keeping up, say security experts.

So, don't run as administrator on Windows 2005-11-04
Anonymous (1 replies)
Many of the assorted trojans/worms will simply not work if the users fooled into executing them are not running in Administrator mode on Windows. The malware won't be able to change Hosts files, disable anti-virus software, change DNS servers, install startup software, install browser hijackers, etc.

However, Microsoft and many IT departments don't think their users are willing to log into a different account to install software, so they default to "fully vulnerable" mode. Sadly even some software out there needs to run in administrator mode to work properly.

Unix systems don't normally have ordinary users logging in as administrators (root). Normal accounts have user-level access. This is one of the reasons there is far less worm activity and zero virus activity for those systems.

Maybe it's time to re-think the deployment of Windows systems in "vulnerable administrator mode". It certainly won't stop all malware activity (like worms that use OS-level vulnerabilities), but it could take a big chunk out of it!


Link to this comment: http://www.securityfocus.com/comments/articles/11209/32686#32686







 

Copyright 2009, SecurityFocus