Windows XP PCs breed rootkit infections

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

Windows XP PCs breed rootkit infections

Three-fourths of all rootkits on decade-old OS, says antivirus firm

Machines running the decade-old Windows XP make up a huge reservoir of infected PCs that can spread malware to other systems, a Czech antivirus company said today.

Windows XP computers are infected with rootkits out of proportion to the operating system's market share, according to data released Thursday by Avast Software, which surveyed more than 600,000 Windows PCs.

While XP now accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines.

XP's share of the infection pie was much larger than Windows 7's, which accounted for only 12% of the malware-plagued machines -- even though the 2009 OS now powers 31% of all Windows PCs.

Rootkits have become an important part of the most sophisticated malware packages, particularly botnets, because they mask the infection from the user, the operating system and most security software. By installing a rootkit, the hacker insures the compromise goes undetected as long as possible, and that the PC remains available to the botnet's controller for nefarious chores, such as sending spam or spreading malware to other machines.

Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter's better security.

"According to our stats, as many as a third of XP users are running SP2 [service Pack 2] or earlier," said Ondrej Vlcek, the chief technology officer of AVAST, in an interview Thursday. "Millions of people are out of support and their machines are unpatched."

Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits.

Although Microsoft serves everyone, even pirates, its monthly security patches and service packs, most security experts believe that users of illegal copies are very hesitant to upgrade or even patch for fear that they'll trigger the black screen and anti-piracy nag notices that Microsoft slaps on screens when it deems a PC is running a counterfeit copy of Windows.

Rootkit%20Numbers.jpg

Vlcek urged users running legal copies to upgrade to XP SP3. "Moving to SP3 is the most basic thing that should be done," he said.

Also in play, said Vlcek, is Windows 7's stronger security, especially the 64-bit version.

"The 64-bit version [of Windows 7] has some technologies that really make it much more difficult for rootkits to infect the computer," said Vlcek, calling out that version's kernel driver-signing feature as key to keeping rootkits off machines.

But that hasn't completely protected Windows 7 64-bit, as Vlcek acknowledged.

"The surprising part to me was that I thought the Windows 7 [number] would be even smaller," Vlcek said.

Rootkits able to infect 64-bit copies of Windows 7 remain relatively rare, but they're certainly not unknown: The first popped up in August 2010, and a massive botnet some have called "practically indestructible" last month used a variant of the same malware to install a 64-bit rootkit on Windows 7.

That malware, which goes by a number of names -- Alureon, TDL, Tidserv and most recently, TDL-4 -- is especially devious, as it installs the rootkit into the Master Boot Record (MBR). The MBR is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.

By subverting the MBR, the rootkit is even tougher to detect, since it's already in place by the time the OS and security software are loaded into memory.

Avast found that rootkits which infected the MBR were responsible for 62% all rootkit infections.

Users who suspect that their PC is infected with an MBR-based rootkit can scrub their machine with one of several free rootkit detectors, including Avast's "aswMBR" and Sophos' "Anti-Rootkit."

Source: Computerworld

Grand Master

Fraud OS 11

Posted
Posted

/pwned only if running as admin. Just run it as limited user and use the built-in RunAs or SuRun (http://www.wilderssecurity.com/showthread.php?t=196737) if you use app that require admin privileges. There's ASLR (http://wehntrust.codeplex.com/) for XP too.

Experienced

Wolfbane

Posted
Posted

The fact that Windows 7 has a 12% share of the infections shows that MS still has a way to go with idiot-proofing their OS.

I guess one of the problems with security software is that the more often it notifies the user about something, the less likely the user is to read it (and the more likely they are to just click "Yes").

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

The fact that Windows 7 has a 12% share of the infections shows that MS still has a way to go with idiot-proofing their OS.

I guess one of the problems with security software is that the more often it notifies the user about something, the less likely the user is to read it (and the more likely they are to just click "Yes").

The issue is everyone has java and nobody updates it.

Grand Master

HawkMan

Posted
Posted

since when did XP have a 58% market share.

http://en.wikipedia.org/wiki/OS_market_share

Even the artifically high values of "Net Market Share" only lists it as 51, while the more realistic median value is 37. Heck even the second highest value after the artificial NMS numbers is 42.1%.

so assumign the rootkit share numbers are more correct than the OS market share numbers they use. the numbers are even more scary for XP. and that would seem more in line with my experiences as well.

Grand Master

Xilo

Posted
Posted

The fact that Windows 7 has a 12% share of the infections shows that MS still has a way to go with idiot-proofing their OS.

I guess one of the problems with security software is that the more often it notifies the user about something, the less likely the user is to read it (and the more likely they are to just click "Yes").

There's no cure for stupid.

Mentor

+Neyht Subscriber²

Posted
  • Subscriber²
Posted

Java's updater doesn't make it any easier at times.

Yeah, does the 64 bit version of java even have a working updater?

since when did XP have a 58% market share.

The 58% was probably true when the study was conducted and these are the results of that study....or are you really asking when did xp have 58% market share? If that's the case, then probably sometime last year?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Still using Classic Outlook? Microsoft highlights 15 reasons to switch to New Outlook

      By Jdoe25 · Posted

      Getting so tired of this push for that new useless slop over the less-useless old slop that at this point I just want M$ to have this nice, big, hearty cup of *FU*.
    • Brave Browser 1.91.168

      By Copernic · Posted

      Brave Browser 1.91.168 by Razvan Serea Brave Browser is a lightning-fast, secure web browser that stands out from the competition with its focus on privacy, security, and speed. With features like HTTPS Everywhere and built-in tracker blocking, Brave keeps your online activities safe from prying eyes. Brave is one of the safest browsers on the market today. It blocks third-party data storage. It protects from browser fingerprinting. And it does all this by default. Speed - Brave is built on Chromium, the same technology that powers Google Chrome, and is optimized for speed, providing a fast and responsive browsing experience. Brave Browser also features Brave Rewards, a system that rewards users with Basic Attention Tokens (BAT) for viewing opt-in ads. This innovative system provides an alternative revenue model for content creators and a way to support the Brave community. SlimBrave Neo takes all the good things about Brave and makes them even better by keeping everything clean, light, and privacy-focused. It removes the extra clutter, turns off features you might not need, and cuts down on anything that could slow you down or collect unnecessary data. Because it relies on simple settings and policies instead of modifying the browser itself, you still get full Brave compatibility—just in a smoother, lighter, and more privacy-friendly package. Brave Browser 1.91.168 changelog: Web3 Added “Get Started” section to the “Portfolio” page. (#54029) Added the ability to view “Asset Distribution” in “Portfolio”. (#54028) Added dotted texture to wallet line chart. (#54216) Migrated Jupiter swap provider to “Gate3”. (#51848) Updated the “Permission” panel to display the site origin. (#54482) Updated NFT balance fetch to remove duplicate entries prior to fetching balances. (#55036) Fixed missing back button on the “Deposit Funds” page. (#55842) Fixed reloading an account tab redirecting to the “Accounts” page. (#54826) Leo Added support for text file uploads with renderer-based extraction. (#54062) Added PDF text extraction at upload time. (#51911) Updated display of Brave Leo attachment previews to scroll horizontally instead of vertically. (#54258) Updated the “Copy” button for the code block header to be sticky when scrolling. (#53704) Updated the staged content in the Leo side panel to be the active tab. (#53533) Updated the search terms in the answer’s footer to be left aligned. (#54204) Fixed crash which could occur in certain cases when using multiple tool requests. (#55438) General Added support for Brave Origin. (#37127) [Security] Added the ability to disable or delay automatic extension updates when brave://flags/#brave-user-extension-auto-update is enabled. (#7200) Enabled ability to force context menu using “Shift + Right Click” by default. (#54790) Improved performance by caching adblock DATs. (#27161) Updated background color for PWA install button in the omnibox. (#54736) Fixed tab hover card position when using vertical tabs. (#54199) Fixed extra border displaying around the content area when vertical tabs are used on macOS. (#54153 & #52961) Fixed audio farbling distortion in multi-voice Web Audio API synthesized music. (#52906) Upgraded Chromium to 149.0.7827.54. (#55943) Download: Brave Browser 64-bit | 1.2 MB (Freeware) Download: Brave Browser 32-bit View: Brave Homepage | Offline Installers | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Still using Classic Outlook? Microsoft highlights 15 reasons to switch to New Outlook

      By SkyDX · Posted

      Thanks Microsoft but no, I find both iterations of Outlook terrible nowadays and switched back to Thunderbird at home.
    • Ladybird Browser is no longer accepting outside contributions thanks to AI

      By CHUNWEI · Posted

      Same no problem to me too.
    • The official animal captions thread

      By Mindovermaster · Posted

      Happens to the best of us, bro. 😛 

  • Recent Achievements

    • One Year In
      CHUNWEI earned a badge
      One Year In
    • Conversation Starter
      FBSPL earned a badge
      Conversation Starter
    • Week One Done
      I2D earned a badge
      Week One Done
    • Week One Done
      Dr Jared Dental Studio earned a badge
      Week One Done
    • Week One Done
      RG INVESTMENT GROUP earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      470
    2. 2
      PsYcHoKiLLa
      254
    3. 3
      Skyfrog
      80
    4. 4
      FloatingFatMan
      63
    5. 5
      Michael Scrip
      62
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!