Microsoft: Trojans, Bots Are Significant and Tangible Threat

Data collected from Microsoft's malicious software removal tool offers the clearest picture yet of the extent of the malware scourge on Windows.

BOSTON—Microsoft security researchers have used data collected from its MSRT (malicious software removal tool) to produce the clearest picture yet of the malware scourge on Windows -- and it's not a pretty sight.

On the eve of the TechEd 2006 conference here, the software maker offered a rare glimpse of the extent of infected Windows systems, warning that the threat from backdoor Trojans and bots presents "a significant and tangible threat."

It is the first public confirmation by Microsoft that well-organized mobsters have established control of a global billion-dollar crime network using keystroke loggers, IRC bots and rootkits.

The report comes as Microsoft introduces Ben Fathi as its new security czar and ahead of a rebranding of Microsoft Client Protection, the company's enterprise anti-spyware software that is now called Forefront Client Security.

Since the first iteration of the MSRT in January 2005, Microsoft has removed 16 million instances of malicious software from 5.7 million unique Windows machines. On average, the tool removes at least one instance of a virus, Trojan, rootkit or worm from every 311 computers it runs on.

The most significant threat is clearly from backdoor Trojans, small programs that open a back door to allow a remote attacker to have unauthorized access to the compromised computer.

The MSRT has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent were found with a Trojan or bot.

A bot is a type of Trojan that communicates through IRC (Internet Relay Chat) networks. Bots are used to launch spam runs, to launch extortion denial-of-service attacks and to distribute spyware programs to unwitting Windows users.

Matt Braverman, the Microsoft program manager who collated the data and prepared the report, said the startling prevalence of bots proves that the for-profit malware route is lucrative for online criminals.

Three of the top five most removed malware families are bots – Rbot, Sdbot and Gaobot. The FU rootkit, which is used primarily to hide bots, is number five on the list.

"The numbers speak for themselves," Braverman said in an interview with eWEEK. "In addition to the fact that bots are high on the list, we're seeing a significant amount of new variants every day. We're adding detections for about 2,000 new Rbot variants [to the MSRT] with each release."

"Bots are not only active on computers. It's something that the attackers are modifying and turning around quickly. They're moving in, corralling a set of users, stealing information, then moving on to the next target," he explained.

The data also confirms that rootkits on Windows machines are a "potential emerging threat," but Microsoft does not believe the stealth programs have reached widespread prevalence yet. Of the 5.7 million machines cleaned, 14 percent were infected with a rootkit. However, that number dips to 9 percent if F4IRootkit, a rootkit used as a DRM mechanism in music CDs distributed by Sony BMG, is excluded.

In 20 percent of the cases when a rootkit was found and removed, Braverman said at least one backdoor Trojan was also found. This is confirmation that rootkits are being used to hide other pieces of malicious software from anti-virus scanners.

The most prevalent rootkit is the open-source FU rootkit, which is the fifth most removed piece of malware. The Sony rootkit is number 11 on the list while Ispro and Hacker Defender are also listed high.

Overall, a rootkit was found on approximately 780,000 computers, but this number includes the Sony BMG rootkit, which was not considered an offensive/malicious rootkit.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, believes Microsoft's low rootkit detection count is not an accurate reflection of the severity of the threat. "They're only finding what they're looking for. The tool will not find the rootkits that we don't know about. We know they are out there and they are becoming harder and harder to find," Thompson said in an interview with eWEEK.

Microsoft's Braverman acknowledged that there are "known rootkits that are not detected by the tool" but insists the five rootkit families detected by the MSRT represent "a significant portion of rootkits actively affecting a large group of users today."

Braverman said the most effective technique against rootkits is prevention and urged Windows shops to keep anti-virus signatures up to date to get real-time protection. Even so, in some high-assurance corporate environments, Braverman suggested that users weigh the tradeoffs of taking additional steps to disinfect systems found with rootkits.

He echoed an earlier statement by a Microsoft security official that businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from rootkit infestation.

"We see that as a last resort but wiping and restoring the OS to its original state is one of a variety of steps we recommend. It should be part of a layered model of dealing with malware," he added.

The MSRT data also shows an alarming prevalence of malware linked to social engineering attacks. Worms that spread through e-mail, peer-to-peer networks and instant messaging clients account for 35 percent of computers disinfected.

"The attackers have become more sophisticated in terms of understanding what end users will click on or execute from an e-mail. They are exploiting a weakness in that situation," Braverman said.

E-mail is still the most successful vehicle for social engineering attacks but, according to the data, IM-borne attacks that try to trick users into clicking on a malicious link are less likely to succeed because of advancements in security technology built into IM clients.

It is against this backdrop that Fathi, Microsoft's new security chief, takes over to guide the Redmond, Wash. technology giant through a crucial period in its history.

Fathi, who most recently served as general manager for Storage and High Availability in the Windows division, will use the TechEd conference to deliver a strategic briefing on building trust in computing.

He is expected to highlight Microsoft's investment in security technologies, in both the enterprise and consumer markets, and position the company as a leader in developing trust in an interconnected world.

Mike Nash, the long-serving corporate VP who has handed over the security portfolio to Fathi, said the priority for his replacement is a no-brainer.

"The first priority [for Fathi] is Vista. The second priority is Vista. The third is Vista," Nash said in an interview with eWEEK.

"We have to get Vista completed with quality and make sure we build a platform that supports the rest of the industry. One of Ben's priorities is to make sure that we're explaining to customers how to take advantage of some of the great technologies we've built," Nash added.

Microsoft is promising that Windows Vista will feature significant security improvements to thwart malware infestation.

Based on the picture painted by the MSRT statistics, Vista can't ship fast enough for Fathi.
