New statistics from Microsofts anti-malware engineering team have confirmed fears that backdoor Trojans and bots present a “significant” threat to Windows users.
However, according to data culled from the software makers security tools, stealth rootkit infections are on the decrease, perhaps due to the addition of anti-rootkit capabilities in security applications.
The latest malware infection data, released at the RSA Europe conference in Nice, France, covers the first half of 2006. During that period, Microsoft found more than 43,000 new variants of bots and backdoor Trojans that control millions of hijacked Windows machines in for-profit botnets.
Of the 4 million computers cleaned by the companys MSRT (malicious software removal tool), about 50 percent (2 million) contained at least one backdoor Trojan. While this is a high percentage, Microsoft notes that this is a decrease from the second half of 2005. During that period, the MSRT data showed that 68 percent of machines cleaned by the tool contained a backdoor Trojan.
Despite increased industry interest in Windows rootkits in 2005, Microsoft found a surprising 50 percent reduction in the attacks, which employ stealthy tricks to maintain an undetectable presence on infected computers. “This is a potential trend that will bear watching,” the report said.
Microsoft believes the increase in anti-rootkit tools has helped to decrease the number of large-scale rootkit attacks in favor of more specialized techniques related to stealth. “While these techniques may never progress beyond proof of concept, undoubtedly some will appear as part of targeted attacks against high-value entities,” the company warned in the report.
Not so surprising is the data surrounding malware that employs social engineering tactics, especially those that lure targets via e-mail or P2P (peer-to-peer) networks. “For example, in the case of both the MSRT and Microsoft Windows OneCare, approximately 20 percent of computers cleaned were infected with a mass-mailing worm,” Microsoft explained. For the MSRT, which is updated every month on Patch Tuesday, this represents a slight increase from the previous six-month period.
Data collected by the MSRT suggests that computers that use certain languages are more likely to be infected with malicious software than others. For example, when the disinfection figures from an operating system language are normalized with the appropriate number of tool executions of that same language, Microsoft found that 16 percent of computers cleaned by the MSRT are from Turkish language computers.
The bulk of the data was culled from the Windows Defender anti-spyware application, which counts more than 14 million active users. The MSRT, which was first shipped in January 2005, has a user base of more than 290 million unique computers. During the first half of 2006, Microsoft said the tool was executed 1.6 billion times, bringing the total number of executions since January 2005 to 3.6 billion.
The company also collected removal statistics from the free Web-based Windows Live OneCare safety scanner, which has performed nearly 7 million scans since August. During that time, the tool has detected almost 3 million instances of malware or spyware, and cleaned more than 575,000 infected computers.
Some highlights from the report:
- Backdoor Trojans: The first half of 2006 showed a significant number of new backdoor Trojans. A large number of those belong to bot families, such as Win32/Rbot and Win32/Sdbot. This trend is consistent with anecdotal industry knowledge; owners of bot networks are continually creating and delivering new variants of their bots to maintain their bot networks, and to evade detection by anti-malware products.
- Password stealers and key loggers: These make up the second-largest malware category, in terms of number of variants. Although this type of malware exists worldwide, the Microsoft anti-malware team has seen a high number of variants coming from Brazil. Several thousand new variants from the Win32/Banker and Win32/Bancos families were discovered during the first half of 2006. These mainly use Portuguese for their user interface and primarily serve as a tool to steal bank account information such as passwords.
- Downloaders and droppers: These make up the third-largest category and are used by the attackers to copy files to the victims system that are necessary to complete the attack and control that system. Downloaders and droppers are also often used to distribute spyware and adware. Because of this, the presence of downloaders and droppers as part of malicious attacks is no surprise.
- Worms: The different types of worm families have a relatively low number of variants, although they remain prevalent. In fact, mass-mailing worms continue to be an effective way to infect a significant number of computers around the world.