Malware protection needs to be built into operating systems rather than bolted on as an afterthought if the industry stands any chance of dealing with the evolving threat of targeted attacks, according to a senior security researcher.

Joanna Rutkowska, chief exec of Invisible Things Lab, who is best known for her research on rootkits and Vista security, told delegates to the Gartner security conference in London on Monday that user stupidity was only part of the security problem.

She said competent users who, for example, used the privilege separation features built into Vista, were still not safe from security exploits. Better auto-exploit protection technology needs to be developed. In order to work properly this needs to built into operating systems.

"Third party prevention uses tricks and hacks. And that's no good," she said.

Rutkowska has been prominent in the industry for exposing the security shortcomings of Vista's kernel protection technology.

While recognising the general importance of security protection technologies, Rutkowska also noted their shortcomings. "Current technology is not reliable in detecting stealth malware. Protection solutions fail so we need detection. The two need to go together.

"Detection technologies are currently immature and even as the approach develops it will not replace prevention technologies, which are far more mature, despite their shortcomings," she said.

"Detection can never replace prevention. It's too late to do anything if, for example, you detect that your data has been stolen. You can't do anything to make an attacker forget what he has discovered."

Anti-virus vendors have found themselves locked in a perpetual arms race with virus writers, who are increasingly looking to make money from malware. Advances in rootkit development and obfuscation are accompanied by counter-responses from security vendors. Rutkowska argues that we need to move beyond this approach and develop an "automated way to check system integrity".

"The difficulty is that operating systems are too complex. We can't even reliably read system memory," Rutkowska pointed out. "It's not exactly a question of starting from scratch, but some code will need to be rewritten from the start," she added. ®

Related stories

Open source release takes Linux rootkits mainstream (4 September 2008)
http://www.theregister.co.uk/2008/09/04/linux_rootkit_released/
Phlashing attack thrashes embedded systems (21 May 2008)
http://www.channelregister.co.uk/2008/05/21/phlashing/
Rootkits on routers threat to be demoed (15 May 2008)
http://www.channelregister.co.uk/2008/05/15/router_rootkit/
Excuse me sir: there's a rootkit in your master boot record (9 January 2008)
http://www.channelregister.co.uk/2008/01/09/mbr_rootkit/
ATI driver flaw exposes Vista kernel (10 August 2007)
http://www.channelregister.co.uk/2007/08/10/ati_driver_snafu/
Showdown persists over '100% undetectable' rootkit (6 July 2007)
http://www.channelregister.co.uk/2007/07/06/blue_pill_showdown/
Vista security overview: too little too late (20 February 2007)
http://www.theregister.co.uk/2007/02/20/vista_security_oversold/
Windows Defender spyware-blocking under fire (again) (20 February 2007)
http://www.channelregister.co.uk/2007/02/20/anti-spyware_tests/
Vista security overhaul questioned (19 February 2007)
http://www.channelregister.co.uk/2007/02/19/vista_uac/
Vista raises the bar for flaw finders (31 January 2007)
http://www.channelregister.co.uk/2007/01/31/vista_flaw_finders/
Vista kernel fix 'worse than useless' (24 October 2006)
http://www.channelregister.co.uk/2006/10/24/vista_kernel_fix_controversy/
Stealth attack undermines Vista defences (7 August 2006)
http://www.channelregister.co.uk/2006/08/07/vista_black_hat_attack/