funsec mailing list archives

RE: Re[2]: Microsoft: Rootkits and Blaster


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 07 Dec 2005 14:00:40 +1300

Hubbard, Dan wrote:

> If anyone can find the meat of the stats from MS that would be
> appreciated.  ...

I don't have time to look for my notes right now, but will try to 
remember to look later...

> ...  My *guess* on this is that there is a definition
> discrepancy. Yes, agreed malcode is more "stealthy" and yes agreed
> malcode is more "sophisticated". But if you compare the number of
> keyloggers and bots that have no rootkit functionality to the number
> that do it's a very small percentage of the total.

OK -- I think I know what the "problem" is here...

The MSRT _necessarily_ produces badly biased stats.  This is so obvious 
that I did not even mention this component of the bias in my earlier 
message -- given the likely membership of this list, I didn't even 
think I'd have had to consider mentioning this...

It is entirely part of the nature of the beast.  I mean, think about 
what MSRT is and who runs it on their machines for a moment.

Most folk who run it don't even know they are running it -- it arrives, 
once a month, as part of their auto-download from Windows Update and 
runs.  If it finds anything, this is reported back to MS.  Of course 
(if you believe the sales figures for the AV companies) "most" of these 
folk are already running a "proper" AV product.  Given that, MSRT stats 
are going to be heavily biased to reporting detection of things other 
AVs don't detect AND reporting detection of things that disable or 
bypass other AVs.

The relatively small proportion of MSRT-running machines (if you 
believe the sales figures for the AV companies) that do not also run a 
"proper" AV will be the bulk of MSRT machines reporting major "outbreak 
scale" infections.

Given those biases, as I said earlier, I'd say that the MSRT stats do, 
in fact, sound and "feel" about right.  If MSRT's reported rate of 
rootkit detects still seems high to you, consider what that might say 
about most "proper" AVs' abilities to detect active rootkits (as 
compared to their ability to detect the raw, unprotected files 
containing the component parts of those same rootkits...).  I've not 
looked closely, but I don't think many of the big AVs have been putting 
much work into active rootkit detection (at least, as measured in terms 
of ability to detect active rootkits _in currently shipping product_).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.