AOH :: ISN-3182.HTM

Microsoft: Bot, Trojan Infections High; Rootkits Low

Microsoft: Bot, Trojan Infections High; Rootkits Low
Microsoft: Bot, Trojan Infections High; Rootkits Low,1895,2036439,00.asp 

By Ryan Naraine
October 24, 2006

New statistics from Microsoft's anti-malware engineering team have 
confirmed fears that backdoor Trojans and bots present a "significant" 
threat to Windows users.

However, according to data culled from the software maker's security 
tools, stealth rootkit infections are on the decrease, perhaps due to 
the addition of anti-rootkit capabilities in security applications.

The latest malware infection data, released at the RSA Europe conference 
in Nice, France, covers the first half of 2006. During that period, 
Microsoft found more than 43,000 new variants of bots and backdoor 
Trojans that control millions of hijacked Windows machines in for-profit 

Of the 4 million computers cleaned by the company's MSRT (malicious 
software removal tool), about 50 percent (2 million) contained at least 
one backdoor Trojan. While this is a high percentage, Microsoft notes 
that this is a decrease from the second half of 2005. During that 
period, the MSRT data showed that 68 percent of machines cleaned by the 
tool contained a backdoor Trojan.

Despite increased industry interest in Windows rootkits in 2005, 
Microsoft found a surprising 50 percent reduction in the attacks, which 
employ stealthy tricks to maintain an undetectable presence on infected 
computers. "This is a potential trend that will bear watching," the 
report said.

Microsoft believes the increase in anti-rootkit tools has helped to 
decrease the number of large-scale rootkit attacks in favor of more 
specialized techniques related to stealth. "While these techniques may 
never progress beyond proof of concept, undoubtedly some will appear as 
part of targeted attacks against high-value entities," the company 
warned in the report.

Not so surprising is the data surrounding malware that employs social 
engineering tactics, especially those that lure targets via e-mail or 
P2P (peer-to-peer) networks. "For example, in the case of both the MSRT 
and Microsoft Windows OneCare, approximately 20 percent of computers 
cleaned were infected with a mass-mailing worm," Microsoft explained. 
For the MSRT, which is updated every month on Patch Tuesday, this 
represents a slight increase from the previous six-month period.

Data collected by the MSRT suggests that computers that use certain 
languages are more likely to be infected with malicious software than 
others. For example, when the disinfection figures from an operating 
system language are normalized with the appropriate number of tool 
executions of that same language, Microsoft found that 16 percent of 
computers cleaned by the MSRT are from Turkish language computers.

The bulk of the data was culled from the Windows Defender anti-spyware 
application, which counts more than 14 million active users. The MSRT, 
which was first shipped in January 2005, has a user base of more than 
290 million unique computers. During the first half of 2006, Microsoft 
said the tool was executed 1.6 billion times, bringing the total number 
of executions since January 2005 to 3.6 billion.

The company also collected removal statistics from the free Web-based 
Windows Live OneCare safety scanner, which has performed nearly 7 
million scans since August. During that time, the tool has detected 
almost 3 million instances of malware or spyware, and cleaned more than 
575,000 infected computers.

Some highlights from the report:

* Backdoor Trojans: The first half of 2006 showed a significant number 
  of new backdoor Trojans. A large number of those belong to bot 
  families, such as Win32/Rbot and Win32/Sdbot. This trend is consistent 
  with anecdotal industry knowledge; owners of bot networks are 
  continually creating and delivering new variants of their bots to 
  maintain their bot networks, and to evade detection by anti-malware 

* Password stealers and key loggers: These make up the second-largest 
  malware category, in terms of number of variants. Although this type 
  of malware exists worldwide, the Microsoft anti-malware team has seen 
  a high number of variants coming from Brazil. Several thousand new 
  variants from the Win32/Banker and Win32/Bancos families were 
  discovered during the first half of 2006. These mainly use Portuguese 
  for their user interface and primarily serve as a tool to steal bank 
  account information such as passwords.

* Downloaders and droppers: These make up the third-largest category and 
  are used by the attackers to copy files to the victim's system that 
  are necessary to complete the attack and control that system.  
  Downloaders and droppers are also often used to distribute spyware and 
  adware. Because of this, the presence of downloaders and droppers as 
  part of malicious attacks is no surprise.

* Worms: The different types of worm families have a relatively low 
  number of variants, although they remain prevalent. In fact, 
  mass-mailing worms continue to be an effective way to infect a 
  significant number of computers around the world.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods