funsec mailing list archives
RE: Microsoft: Rootkits and Blaster
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 07 Dec 2005 07:47:35 +1300
Dan Hubbard wrote:
> Hmm, this stat seems way off to me. Either that or a) they don't have detection / removal for mass-mailing worms and bots or b) the definition of "rootkit" is very broad.
I saw Jason's full presentation (?? -- well, a 40 minute version of it) on this data at the AVAR conference in Tianjin a couple of weeks ago. Sadly, I cannot find my scribbled notes at the moment, which included a URL to the actual stats somewhere on MS' web site (or where they will be when they are publicly posted), so all that follows is based on my increasingly jaded memory...

Anyway, in a nutshell, the top three things the Malicious Software Removal Tool (MSRT) removes _across all systems_ are variants of the three big bot families, which total more than 50% of all removals between them. Included among the top-ten (or was it top-twenty?) were two or three rootkits (this was _prior_ to the addition and shipping of detection and removal for the First4Internet (aka Sony) DRM rootkit). The reason the rootkits are so high in the list is because, increasingly, some common adware and some spyware are installing one of those two or three rootkits to help hide themselves (or their "guardian" or "re-installer" processes).

The reason that rootkits are more commonly removed _from XP SP2 systems_ is because the network-crawling things are less likely to get on such machines (because of the change to the default-on firewall setting) and, perhaps, mass-mailed stuff is less likely to get executed (because of the increased "attachment security" of OE??).

My gut feeling is that the stats are right, once you allow for their sampling bias -- non-XP SP2 users will be quite under-represented in the MSRT, etc. stats because until SP2 there was no compelling reason for/pressure on users to enable auto-updates, so such users are less likely to be going to Windows Update and being offered the MSRT. This means certain regions where pirated software is much more widely used are likely to be badly under-represented (perhaps, for example, explaining the total lack of visibility to MS/MSRT of the South American banking Trojans??).

Regardless of such biases, I think the overall picture painted by these stats is quite reasonable -- there has been a distinct shift from mass-<whatever> malware because it is too noisy and thus it gains too much negative attention too quickly. That's all "bad" if the motive of the malware author is much less making the front page of Time, and much more making money...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Microsoft: Rootkits and Blaster Fergie (Dec 06)
- <Possible follow-ups>
- RE: Microsoft: Rootkits and Blaster Hubbard, Dan (Dec 06)
- RE: Microsoft: Rootkits and Blaster Nick FitzGerald (Dec 06)
- RE: Microsoft: Rootkits and Blaster Fergie (Dec 06)
- Re: Microsoft: Rootkits and Blaster Dude VanWinkle (Dec 06)
- Re: Microsoft: Rootkits and Blaster Blue Boar (Dec 06)
- Re[2]: Microsoft: Rootkits and Blaster Pierre Vandevenne (Dec 06)
- Re: Microsoft: Rootkits and Blaster Dude VanWinkle (Dec 06)
- RE: Microsoft: Rootkits and Blaster Marius Gheorghescu (Dec 06)
- Re[2]: Microsoft: Rootkits and Blaster Pierre Vandevenne (Dec 06)
- RE: Re[2]: Microsoft: Rootkits and Blaster Hubbard, Dan (Dec 06)
- RE: Re[2]: Microsoft: Rootkits and Blaster Nick FitzGerald (Dec 06)
- RE: Re[2]: Microsoft: Rootkits and Blaster Jason Geffner (Dec 06)