funsec mailing list archives
RE: Re[2]: Microsoft: Rootkits and Blaster
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 07 Dec 2005 14:00:40 +1300
Hubbard, Dan wrote:
> If anyone can find the meat of the stats from MS that would be appreciated. ...
I don't have time to look for my notes right now, but will try to remember to look later...
> ... My *guess* on this is that there is a definition discrepancy. Yes, agreed malcode is more "stealthy" and yes agreed malcode is more "sophisticated". But if you compare the number of keyloggers and bots that have no rootkit functionality to the number that do it's a very small percentage of the total.
OK -- I think I know what the "problem" is here...

The MSRT _necessarily_ produces badly biased stats. This is so obvious that I did not even mention this component of the bias in my earlier message -- given the likely membership of this list, I didn't even think I'd have had to consider mentioning this... It is entirely part of the nature of the beast.

I mean, think about what MSRT is and who runs it on their machines for a moment. Most folk who run it don't even know they are running it -- it arrives, once a month, as part of their auto-download from Windows Update and runs. If it finds anything, this is reported back to MS. Of course (if you believe the sales figures for the AV companies) "most" of these folk are already running a "proper" AV product.

Given that, MSRT stats are going to be heavily biased to reporting detection of things other AVs don't detect AND reporting detection of things that disable or bypass other AVs. The relatively small proportion of MSRT-running machines (if you believe the sales figures for the AV companies) that do not also run a "proper" AV will be the bulk of MSRT machines reporting major "outbreak scale" infections.

Given those biases, as I said earlier, I'd say that the MSRT stats do, in fact, sound and "feel" about right. If MSRT's reported rate of rootkit detects still seems high to you, consider what that might say about most "proper" AVs' abilities to detect active rootkits (as compared to their ability to detect the raw, unprotected files containing the component parts of those same rootkits...). I've not looked closely, but I don't think many of the big AVs have been putting much work into active rootkit detection (at least, as measured in terms of ability to detect active rootkits _in currently shipping product_).

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
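An added illustration of the selection-bias argument above (not part of the thread, and not Microsoft's or anyone's real MSRT numbers): a small model in which MSRT only gets to report what a machine's "proper" AV has already failed to remove. All parameters (base rootkit share, AV coverage, per-class AV catch rates) are constructed assumptions chosen to make the mechanism visible, not measurements.

```python
"""Constructed model of selection bias in MSRT-style telemetry.

Assumptions (all made up for illustration, not measured):
  - Each infection either has rootkit functionality or does not.
  - A fraction `av_coverage` of MSRT machines also run a "proper" AV.
  - On such a machine, MSRT only reports infections the other AV missed.
  - Machines without a proper AV report every infection MSRT detects.
"""


def _surviving_fraction(av_coverage, p_av_catches):
    """Fraction of infections of one class that are still present when
    MSRT runs: on AV-protected machines only the AV's misses survive;
    on unprotected machines everything survives."""
    return av_coverage * (1 - p_av_catches) + (1 - av_coverage)


def msrt_rootkit_share(rootkit_share, av_coverage,
                       p_av_catches_plain, p_av_catches_rootkit):
    """Share of MSRT *reports* that involve a rootkit, given:
      rootkit_share        : share of all infections carrying a rootkit
      av_coverage          : share of MSRT machines also running a proper AV
      p_av_catches_plain   : P(proper AV already removed it | no rootkit)
      p_av_catches_rootkit : P(proper AV already removed it | active rootkit)
    """
    plain_share = 1 - rootkit_share
    reported_plain = plain_share * _surviving_fraction(av_coverage, p_av_catches_plain)
    reported_rootkit = rootkit_share * _surviving_fraction(av_coverage, p_av_catches_rootkit)
    return reported_rootkit / (reported_plain + reported_rootkit)


def reports_from_unprotected(rootkit_share, av_coverage,
                             p_av_catches_plain, p_av_catches_rootkit):
    """Share of all MSRT reports that come from machines with no proper AV.
    Shows how a small unprotected minority can dominate the report volume."""
    plain_share = 1 - rootkit_share
    protected = av_coverage * (plain_share * (1 - p_av_catches_plain)
                               + rootkit_share * (1 - p_av_catches_rootkit))
    unprotected = (1 - av_coverage) * (plain_share + rootkit_share)
    return unprotected / (protected + unprotected)


# Constructed scenario: 5% of infections carry rootkits, 90% of MSRT machines
# run a proper AV, which catches 95% of plain malware but only 30% of active
# rootkits (the low figure is the assumption the thread is arguing about).
SCENARIO = dict(rootkit_share=0.05, av_coverage=0.90,
                p_av_catches_plain=0.95, p_av_catches_rootkit=0.30)


def demo():
    """Return (true rootkit share, rootkit share as seen by MSRT,
    share of reports from unprotected machines) for SCENARIO."""
    return (SCENARIO["rootkit_share"],
            msrt_rootkit_share(**SCENARIO),
            reports_from_unprotected(**SCENARIO))


if __name__ == "__main__":
    true_share, seen_share, from_unprotected = demo()
    print(f"true rootkit share of infections : {true_share:.1%}")
    print(f"rootkit share of MSRT reports    : {seen_share:.1%}")
    print(f"reports from AV-less machines    : {from_unprotected:.1%}")
```

With the constructed numbers, a 5% base rate shows up as roughly 21% of MSRT reports, and the 10% of machines without a proper AV generate well over half of all reports. Setting `av_coverage` to 0 removes the filter and the reported share collapses back to the base rate, which is the point: the skew is a property of what MSRT is allowed to see, not of the malware population.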