I don't think that the consumer is ever going to be protected with the current way of doing things. Endpoint protection--relying on antivirus vendors to make effective programs and relying on consumers to put AV software on their machines--just plain doesn't work. That model is broken.

I do think it is possible to stage effective defense against malware, but doing so will likely not happen soon because it moves the cost from the consumer onto other bodies who don't want to give up profits.

One effective strategy is to call on broadband providers to become more proactive. They can do this in a number of ways: monitoring for malware command and control traffic and disrupting it, monitoring endpoints (consumers) for signs of malware infection and notifying those users, monitoring for rogue servers on their network (a lot of malware will install Web or file servers on infected computers) and cutting them off.

Some broadband providers, like Comcast, already monitor for (some) signs of virus infection. One of my roommates recently had her computer compromised and Comcast sent us an email.

But they generally don't look for signs of malware and botnet command and control traffic flowing over their pipes. If they did, they could disrupt that traffic and paralyze botnets, but it would cost money. Broadband providers already complain about how much it costs for them to do business; Comcast, for example, is struggling along with a measly 900% profit margin in consumer broadband, and doesn't want to spend more money helping to break up botnets. From their perspective, disrupting botnets is all cost, no benefit.

ISPs can also play a role, by doing more to take down malware droppers, secure their networks, and shut down malware C&C servers. But again, the same economics apply. An ISP that shuts down servers loses money. Worse, they have to pay money (in the form of salaries for security and abuse teams) for the privilege of losing money. From the point of view of management, a security or an abuse employee is someone they pay to make the ISP lose money. I have contacted many, many ISPs--including large, profitable, supposedly "reputable" ISPs like GoDaddy, Rackspace, and Softlayer--to notify them of malware droppers, malware forums, and hacked Web sites, only to have them turn a blind eye. They have no economic incentive to stop malware and plenty of economic incentive not to. Bluntly: They profit by having this crap on their networks.

Another key part of the puzzle is merchant banks. Some malware, like fake antivirus scareware and ransomware, works by taking over a computer and then either warning about fake "viruses" or encrypting files on the user's computer, and then demanding payment to remove the fake "viruses" or to give the user back his files. These malware programs are usually written by Eastern European organized crime, and they demand payment by credit card. Most US banks won't do business with them, but it's usually not too hard to find folks who will. Panda Security estimates that one organized crime gang in Russia averages about $34,000,000 per month in profits from fake AV scams. When their US-based credit card processor finally cut them off, they picked up an overseas credit card processor quickly. What bank wouldn't turn a blind eye in exchange for ten percent of $34 million a month?

Another bit of the puzzle is international law enforcement. Often, we know exactly who the miscreants are; they brag openly on their Web sites about the malware they've written. Russian law does not forbid writing malware, as long as it isn't released in Russia. Why would they? It brings tons of money into the struggling Russian economy. No extradition treaties exist between Russia and the United States. Leo Kuvayev, aka "Badcow," has been wanted on US warrants for malware distribution and computer hacking for YEARS, and has lived freely in Russia, running a huge spam gang and bragging about the malware he'd written, raking in money from bank-password-stealing Trojans and botnets. It wasn't until he got involved with processing payments for child porn operators that the Russians finally arrested him.

So as it stands right now, the criminals operate openly and with complete impunity from Eastern Europe. The banks that the criminals use to process transactions and hide money willingly do business with them, because the amounts of money in malware are staggeringly large. ISPs and broadband providers tolerate a certain amount of malicious activity on their networks, turning a blind eye to malware traffic, malware distributors, and malware command and control servers, because they don't want to bear the brunt of the cost of fighting them. Only if a problem becomes big enough not to ignore do they get involved, and sometimes then only reluctantly. (psychz.net, an American ISP founded by Russian expats, openly hosts spammers and malware droppers, and its peers won't cut it off because it's a lucrative revenue stream.) And through it all, the only thing everyone will say is "Users should run antivirus programs."


Photo gallery, all about me, and more: www.xeromag.com/franklin.html