When the FBI went looking for computers infected with illicit remote control software, it found over a million in the US alone. There are multiple millions more worldwide, threatening e-commerce, privacy, business efficiency, even state security.
The standard advice given by the FBI and the anti-malware companies is to use memory-resident security software. This is woefully inadequate: bot software, like many viruses, trojans and the like, is explicitly designed to detect and circumvent these measures. By the time you think your computer is compromised, it's too late. The proof of failure is out there — millions upon millions of infected computers, clogged emails and endemic levels of data theft show that we need to do a lot more.
The problem needs new thinking. Taking a medical approach, it's not good enough to leave the pharmaceutical companies in charge of the show. Neither is it enough for officialdom to issue advice and warnings. There has to be a long-term strategy that includes hardware and software companies working together with governmental agencies. If we think of malware as a contagious disease, one capable of affecting entire societies, then a proportionate response will be easier.
For a start, PCs must be designed so that they will reliably boot from CD on demand — not being reliant on a Bios boot sequence setting that can be changed by malicious software. Then, bootable CDs that contain scanning software capable of downloading the latest signatures from secure servers should be produced and distributed with all PCs, together with unambiguous instructions on its use. These CDs should also be available free of charge from retail stores, police stations and other trusted distribution networks.
This will cost money. It may impact on the sales of antivirus software in general. Tough. There's a job that needs to be done for the good of everyone, and it isn't being done — and that's no excuse to maintain the status quo. If security software companies and operating system vendors want to produce new and better products then by all means they should. But a basic level of computer health should be available to all: it's achievable, it's desirable, and it's inevitable. Let's get on with it.