Do you make online financial transactions from a Windows computer? If so, you may want to re-visit that decision.

It's a given that almost all malicious software targets Windows. In my opinion, while it is possible to secure a Windows computer, the process is too hard, too time-consuming and/or technically over the head of most people.

A recent article at WashingtonPost.com described multiple organizations whose bank accounts were emptied by malicious software on their Windows computers. In one case, the Clampi Trojan sat undetected for a year on the computer of the Controller of a small business, before it decided to make withdrawals from their bank account.


According to recent news reports, "Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks." Businesses don't have the same safeguards as consumers from this type of theft. Both articles describe serious losses and lawsuits.

In response to this, I wrote "Defending against the Clampi Trojan," which applies to all Windows-based malicious software (malware). In short, the advice boils down to this:

  1.   Install and maintain one or two anti-malware programs that run constantly in the background.

  2.   Periodically scan with a few other anti-malware programs.

  3.   Be sceptical of all email attachments and don't trust the FROM address of an email message when deciding whether to trust an attachment.

  4.   Consider opening email attachments with alternative applications rather than the more mainstream software that is a larger target. For example, use Open Office rather than Microsoft Office or the Foxit PDF Reader rather than the Adobe Reader.

  5.   Periodically run the Secunia online scanner to ensure that you are up to date on bug fixes to Windows and the most popular software.

  6.   Turn off autorun.

  7.   Windows XP users should use DropMyRights to defend against drive-by downloads.

  8.   All Windows users should consider using Sandboxie for defending against drive-by downloads.

Is this more time and effort than you have available? Is the technical know-how necessary to carry out all these steps beyond you?

Here's a test of technical competence. Try to run the Secunia Online Software Inspector. It's a Java applet and requires Java version 6. If you have an old version of Java, don't know what version of Java you have, or can't get Java version 6 installed, then you fail.

If the scan runs but finds out-of-date, vulnerable, buggy software installed on the computer, you also fail. For extra credit, try to get a perfect score with the "thorough system inspection" option turned on.

I suspect that a large percentage of Windows users will fail. Anyone who fails should not do online financial transactions on a Windows machine. Consider Macs and Linux instead, my preference being Linux.

Swimming offers an analogy

Windows is like an ocean full of sharks. Do you really want to swim where the sharks swim, even if you take some defensive measures? Macs are like a swimming pool: no sharks. But the Mac pool is deep and often neglected. Linux also offers a swimming pool, but it's shallower and better maintained (more later) than the Mac pool.

According to a recent blog posting by Graham Cluley of Sophos, AV-Test.org is detecting more than a million unique malware samples a month. That's a lot of sharks.

Another factor to consider is that really malicious software hides and hides well. If a Windows user thinks their computer is infected because it's acting strangely, then they're in luck: the infection is not particularly sophisticated. It's when nothing appears to be wrong that you may be most at risk. Software that wants a Citibank password from you is not going to announce its presence.

The sophisticated hiding techniques were a big reason behind my recent series of "Best Way to Remove Viruses" articles, which focused on booting from a CD and scanning for malware from outside the suspect/infected system.