Microsoft Sounds Malware Alarm

Data culled from tool reveals scourge of malicious software on Windows

Microsoft security researchers have used data collected from the companys Malicious Software Removal Tool, or MSRT, to produce the clearest picture yet of the malware scourge on Windows—and its not pretty.

On the eve of the TechEd conference in Boston June 11-16, the Redmond, Wash., software maker offered a rare glimpse at the extent of infected Windows systems, warning that back door Trojans and bots present "a significant and tangible threat."

It is the first public confirmation by Microsoft that well-organized mobsters have established a global billion-dollar crime network using keystroke loggers, IRC (Internet Relay Chat) bots and rootkits.

A report detailing the MSRT data, slated for release June 12 at TechEd, comes as Microsoft introduces Ben Fathi as its new security czar and ahead of the expected public beta release of Microsoft Client Protection, the enterprise version of the subscription-based Windows OneCare PC security application.

Since the first iteration of MSRT in January 2005, Microsoft has removed 16 million instances of malicious software from 5.7 million unique Windows machines. On average, the tool removes at least one instance of a virus, Trojan, rootkit or worm from every 311 computers it runs on.

The most significant threat is clearly from back door Trojans, small programs that allow remote attackers to have unauthorized access to compromised computers.

MSRT has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent were found to have a Trojan or bot.

A bot is a type of Trojan that communicates through IRC networks. Bots are used to launch spam runs and extortion DoS (denial of service) attacks and to distribute spyware programs to unwitting Windows users.

Matt Braverman, the Microsoft program manager who collated the data, said the prevalence of bots proves that the for-profit malware route is lucrative. Indeed, three of the top five most-removed malware families are bots—Rbot, Sdbot and Gaobot. The FU rootkit, which is used primarily to hide bots, is No. 5 on the list.

"The numbers speak for themselves," Braverman said. "Were seeing a significant amount of new variants every day."

The data also confirms that rootkits on Windows machines are a "potential emerging threat," according to Microsofts report, but the company does not believe the stealth programs have spread widely yet. Of the 5.7 million machines cleaned, 14 percent were infected with a rootkit. However, that number dipped to 9 percent when the F4IRootkit, which was used as a DRM (digital rights management) mechanism in music CDs distributed by Sony BMG, was removed.

In 20 percent of the cases in which a rootkit was found and removed, Braverman said at least one back door Trojan was found—confirmation that rootkits are being used to hide other pieces of malicious software from anti-virus scanners.

The most prevalent rootkit is the open-source FU program, which is the fifth-most-removed piece of malware. The Sony rootkit is 11th on the list, while Ispro and Hacker Defender are also listed high.

Overall, a rootkit was found in about 780,000 computers, but this number includes the Sony BMG rootkit, which was widely considered a rootkit but one that was neither offensive nor malicious.

Roger Thompson, chief technology officer at Atlanta-based Exploit Prevention Labs, however, said Microsofts low rootkit detections are not an accurate reflection of the threat. "Theyre only finding what theyre looking for. The tool will not find the rootkits we dont know about," Thompson said.

Microsofts Braverman acknowledged that there are "known rootkits that are not detected by the tool" but insisted that the five rootkit families detected by MSRT represent "a significant portion of rootkits."

Braverman said the most effective technique against rootkits is prevention and urged Windows shops to keep anti-virus signatures up-to-date to get real-time protection. Even so, for some high-assurance corporate environments, he suggested that users weigh the pros and cons of taking additional steps to disinfect systems found with rootkits.

Braverman echoed an earlier statement by a Microsoft security official that businesses consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from rootkit infestation.

"We see that as a last resort, but wiping and restoring the OS to its original state is one of a variety of steps we recommend," Braverman said. "It should be part of a layered model of dealing with malware."

The MSRT data shows a prevalence of malware linked to social engineering attacks. Worms spread through e-mail, peer-to-peer networks and instant messaging clients account for 35 percent of computers disinfected.

It is against this backdrop that Fathi takes over as Microsofts new security chief to guide the company through a crucial period in its history.

Fathi, who most recently served as general manager for storage and high availability in Microsofts Windows division, will use the TechEd conference to deliver a strategic briefing on building trust in computing.

Fathi is expected to highlight Microsofts investment in security technologies—in the enterprise and consumer markets—and position the company as a leader in developing trust in an interconnected world.

Mike Nash, Microsofts long-serving corporate vice president who has handed over the security portfolio to Fathi, said Fathis "first priority is Vista. The second priority is Vista. The third is Vista."

Malware by the Numbers

The following data was compiled by the Malicious Software Removal Tool.

16 million

Instances of malicious software from 5.7 million unique Windows computers over the past 15 months.


Number of malware families that have been detected less frequently since a total of 61 families were targeted between January 2005 and February 2006.

3.5 million

Computers on which MSRT has removed at least one back door Trojan, which can enable an attacker to control an infected computer and steal confidential information.


Portion of 5.7 million unique computers from which MSRT has removed a rootkit.


Percentage of cases where MSRT found worms that spread through e-mail, peer-to-peer networks and instant messaging clients.

Source: Microsoft