funsec mailing list archives

RE: Microsoft: Rootkits and Blaster


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 07 Dec 2005 07:47:35 +1300

Dan Hubbard wrote:

> Hmm, this stat seems way off to me. Either that or a) they don't have
> detection / removal for mass mailing worms and BOT's or b) the
> definition of "rootkit" is very broad.

I saw Jason's full presentation (?? -- well, a 40 minute version of it) 
on this data at the AVAR conference in Tianjin a couple of weeks ago.  
Sadly, I cannot find my scribbled notes at the moment, which included a 
URL to the actual stats somewhere on MS' web site (or where they will 
be when they are publicly posted), so all that follows is based on my 
increasingly jaded memory...

Anyway, in a nutshell, the top three things the Malicious Software 
Removal Tool (MSRT) removes _across all systems_ are variants of the 
three big bot families, which total more than 50% of all removals 
between them.  Included among the top-ten (or was it top-twenty?) were 
two or three rootkits (this was _prior_ to addition and shipping of 
detection and the removal for the First4Internet (aka Sony) DRM 
rootkit).

The reason the rootkits are so high in the list is because, 
increasingly, some common adware and some spyware are installing one of 
those two or three rootkits to help hide themselves (or their 
"guardian" or "re-installer" processes).  The reason that rootkits are 
more commonly removed _from XP SP2 systems_ is because the 
network-crawling things are less likely to get on such machines (because 
of the change to default-on firewall setting) and, perhaps, mass-mailed 
stuff is less likely to get executed (because of the increased 
"attachment security" of OE??).  

My gut feeling is that the stats are right, once you allow for their 
sampling bias -- non-XP SP2 users will be quite under-represented in 
the MSRT, etc stats because until SP2 there was no compelling reason 
for/pressure on users to enable auto-updates, so such users are less 
likely to be going to Windows Update and being offered the MSRT.  This 
means certain regions where pirated software is much more widely used 
are likely to be badly under-represented (perhaps, for example, 
explaining the total lack of visibility to MS/MSRT of the South 
American banking Trojans??).

Regardless of such biases, I think the overall picture painted by these 
stats is quite reasonable -- there has been a distinct shift from 
mass-<whatever> malware because it is too noisy and thus it gains too 
much negative attention too quickly.  That's all "bad" if the motive of 
the malware author is much less making the front page of Time, and much 
more making money...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.