By Ryan Naraine
October 24, 2006
New statistics from Microsoft's anti-malware engineering team have
confirmed fears that backdoor Trojans and bots present a "significant"
threat to Windows users.
However, according to data culled from the software maker's security
tools, stealth rootkit infections are on the decrease, perhaps due to
the addition of anti-rootkit capabilities in security applications.
The latest malware infection data, released at the RSA Europe conference
in Nice, France, covers the first half of 2006. During that period,
Microsoft found more than 43,000 new variants of bots and backdoor
Trojans that control millions of hijacked Windows machines in for-profit
Of the 4 million computers cleaned by the company's MSRT (malicious
software removal tool), about 50 percent (2 million) contained at least
one backdoor Trojan. While this is a high percentage, Microsoft notes
that this is a decrease from the second half of 2005. During that
period, the MSRT data showed that 68 percent of machines cleaned by the
tool contained a backdoor Trojan.
Despite increased industry interest in Windows rootkits in 2005,
Microsoft found a surprising 50 percent reduction in the attacks, which
employ stealthy tricks to maintain an undetectable presence on infected
computers. "This is a potential trend that will bear watching," the
Microsoft believes the increase in anti-rootkit tools has helped to
decrease the number of large-scale rootkit attacks in favor of more
specialized techniques related to stealth. "While these techniques may
never progress beyond proof of concept, undoubtedly some will appear as
part of targeted attacks against high-value entities," the company
warned in the report.
Not so surprising is the data surrounding malware that employs social
engineering tactics, especially those that lure targets via e-mail or
P2P (peer-to-peer) networks. "For example, in the case of both the MSRT
and Microsoft Windows OneCare, approximately 20 percent of computers
cleaned were infected with a mass-mailing worm," Microsoft explained.
For the MSRT, which is updated every month on Patch Tuesday, this
represents a slight increase from the previous six-month period.
Data collected by the MSRT suggests that computers that use certain
languages are more likely to be infected with malicious software than
others. For example, when the disinfection figures for each operating
system language are normalized by the number of tool executions in that
same language, Microsoft found that 16 percent of computers cleaned by
the MSRT are Turkish-language computers.
The bulk of the data was culled from the Windows Defender anti-spyware
application, which counts more than 14 million active users. The MSRT,
which was first shipped in January 2005, has a user base of more than
290 million unique computers. During the first half of 2006, Microsoft
said the tool was executed 1.6 billion times, bringing the total number
of executions since January 2005 to 3.6 billion.
The company also collected removal statistics from the free Web-based
Windows Live OneCare safety scanner, which has performed nearly 7
million scans since August. During that time, the tool has detected
almost 3 million instances of malware or spyware, and cleaned more than
575,000 infected computers.
Some highlights from the report:
* Backdoor Trojans: The first half of 2006 showed a significant number
of new backdoor Trojans. A large number of those belong to bot
families, such as Win32/Rbot and Win32/Sdbot. This trend is consistent
with anecdotal industry knowledge; owners of bot networks are
continually creating and delivering new variants of their bots to
maintain their bot networks, and to evade detection by anti-malware
* Password stealers and key loggers: These make up the second-largest
malware category, in terms of number of variants. Although this type
of malware exists worldwide, the Microsoft anti-malware team has seen
a high number of variants coming from Brazil. Several thousand new
variants from the Win32/Banker and Win32/Bancos families were
discovered during the first half of 2006. These mainly use Portuguese
for their user interface and primarily serve as a tool to steal bank
account information such as passwords.
* Downloaders and droppers: These make up the third-largest category and
are used by the attackers to copy files to the victim's system that
are necessary to complete the attack and control that system.
Downloaders and droppers are also often used to distribute spyware and
adware. Because of this, the presence of downloaders and droppers as
part of malicious attacks is no surprise.
* Worms: The different types of worm families have a relatively low
number of variants, although they remain prevalent. In fact,
mass-mailing worms continue to be an effective way to infect a
significant number of computers around the world.