By Gregg Keizer
Jun 12, 2006
Backdoor Trojans are a clear and present danger to Windows machines,
Microsoft said Monday as it released the first-ever analysis of data
collected by the 15-month run of its Malicious Software Removal Tool,
a utility that seeks out and destroys over five-dozen malware
According to Microsoft's anti-malware engineering team, Trojans that,
once installed, give an attacker access and control of a PC, are a
"significant and tangible threat to Windows users."
Of the 5.7 million unique PCs from which the Malicious Software
Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62
percent -- had at least one backdoor Trojan.
"Backdoor Trojans are a large part of the malware landscape," said
Matt Braverman, program manager on the team, and the author of a
report on the tool's data that was released Monday at Boston's TechEd
Bots, a subset of Trojan horses, were especially "popular" on infected
PCs, Microsoft's data showed. Bots are small programs that
communicate with the controlling attacker, usually through Internet
Relay Chat (IRC) channels, less frequently via instant messaging. Of
the top 5 on the MSRT's removed malware list, three families -- Rbot,
Sdbot, and Geobot -- were bots.
Once backdoors and bots are accounted for, all other malware types
were seen on only a minority of machines.
"Rootkits are certainly present, but compared to other [malware types]
they're not extremely widespread yet," added Braverman. A rootkit was
present on 14 percent of the nearly 6 million computers that had to be
Since it debuted in January 2005, the MSRT has been run some 2.7
billion times on an increasing number of PCs. In March 2006, the last
month for which data was compiled, 270 million unique systems ran the
tool, which is automatically downloaded and run on systems with
Windows/Microsoft Update turned on.
Over those 15 months, the MSRT found malware on one in every 311
"I think that's a valid, accurate number," argued Braverman, even
though the MSRT doesn't detect and delete every form of malicious
software, and runs predominantly on Windows XP SP2 (and not at all on
older operating systems, such as Windows 98 and Windows NT).
The MSRT data also seemed to validate the long-standing premise that
Windows XP SP2 is more secure than earlier Microsoft operating
systems, said Braverman.
Although Windows XP SP2 systems account for 89 percent of all machines
from which malware was deleted, when the numbers are "normalized" --
to take into account the number of tool executions on each OS -- SP2's
rate falls precipitously to just 3 percent.
Together, Windows XP Gold (the original edition launched in October
2001) and Windows XP SP1 account for 63 percent of the deletions when
the numbers are normalized.
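The normalization the article describes (dividing each OS's disinfections by how often the tool ran on that OS) is what turns an 89 percent raw share into a single-digit one. The following is an added illustration, not Microsoft's code or data: the per-OS counts are constructed, and "normalized share" is assumed to mean each OS's per-execution rate as a fraction of the summed rates.

```python
"""Raw vs. execution-normalized disinfection shares (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OsStats:
    disinfections: int  # PCs the tool cleaned on this OS
    executions: int     # number of times the tool ran on this OS


def raw_shares(stats):
    """Share of all disinfections attributed to each OS (the 89% figure)."""
    total = sum(s.disinfections for s in stats.values())
    return {os_: s.disinfections / total for os_, s in stats.items()}


def per_execution_rates(stats):
    """Disinfections per tool execution, the quantity normalization uses."""
    for os_, s in stats.items():
        if s.executions <= 0:
            raise ValueError(f"no executions recorded for {os_}")
    return {os_: s.disinfections / s.executions for os_, s in stats.items()}


def normalized_shares(stats):
    """Each OS's per-execution rate as a fraction of the summed rates."""
    rates = per_execution_rates(stats)
    total = sum(rates.values())
    return {os_: r / total for os_, r in rates.items()}


# Constructed sample, not Microsoft's data: chosen so XP SP2 holds 89% of
# raw disinfections but only about 3% once executions are accounted for.
SAMPLE = {
    "Windows XP SP2": OsStats(8_900, 8_900_000),
    "Windows XP Gold": OsStats(420, 30_000),
    "Windows XP SP1": OsStats(350, 50_000),
    "Windows 2000": OsStats(330, 30_000),
}

if __name__ == "__main__":
    raw, norm = raw_shares(SAMPLE), normalized_shares(SAMPLE)
    for os_ in SAMPLE:
        print(f"{os_:16} raw {raw[os_]:6.1%}   normalized {norm[os_]:6.1%}")
```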
"This makes sense," Braverman's report read. "Windows XP SP2 includes
a number of security enhancements and patches for vulnerabilities not
found in earlier versions of Windows XP, making it more difficult to
be infected by malware in some cases.
"And it is likely that a user who has not yet upgraded to the latest
service pack would be more susceptible to social-engineering-based
attacks. In fact, this seems to hold true for Windows 2000 and Windows
Server 2003 as well, where the latest versions of the service packs
for those operating systems have the lowest number of normalized
disinfections compared with the older versions of the operating
"No, I couldn't claim that Windows XP SP2 itself was the only reason
why its normalized numbers are so low," admitted Braverman, who
pointed to the prodding those users get to turn on Automatic Update
(which not only patches their OS, but also runs the MSRT monthly) and the
idea that they're less likely to engage in potentially risky behavior,
like opening attachments or visiting dangerous parts of the Internet.
Microsoft uses a combination of internally-generated metrics and
outside feedback -- including the WildList and customer comments -- to
decide which malware is added to the list targeted by the tool.
Anti-virus scan results from Microsoft's for-a-fee security service,
OneCare, and its free Windows Live Safety Center are also taken into
account, said Braverman, as is data from the crash analysis tool that
users can invoke when Windows dies.
While the MSRT data has been used mostly by the anti-malware team
itself to develop new tools -- such as ones to more quickly crank out
signatures for bots -- Braverman sees it as a way for Microsoft and
its partners to get a better feel for the current security situation.
"It demonstrates Microsoft's understanding of the malware landscape,"
he said even as that landscape -- and the tool itself -- change.
"We've already morphed our thinking about how to best attack malware
families," he added.
A version of the tool for Windows Vista Beta 2 will be released within
weeks, said Braverman, via Windows/Microsoft Update to help protect
users trying out the new operating system.
The newest edition of the MSRT will be released Tuesday as part of
Microsoft's monthly security update.
Copyright © 2006 CMP Media LLC, All rights reserved.