Backdoors, Bots Biggest Threats To Windows

Of the 5.7 million unique PCs from which the Malicious Software Removal Tool has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan.

June 12, 2006


Backdoor Trojans are a clear and present danger to Windows machines, Microsoft said Monday as it released the first-ever analysis of data collected by the 15-month run of its Malicious Software Removal Tool, a utility that seeks out and destroys over five-dozen malware families.

According to Microsoft's anti-malware engineering team, Trojans that, once installed, give an attacker remote access to and control of a PC are a "significant and tangible threat to Windows users."

Of the 5.7 million unique PCs from which the Malicious Software Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan.

"Backdoor Trojans are a large part of the malware landscape," said Matt Braverman, program manager on the team, and the author of a report on the tool's data that was released Monday at Boston's TechEd 2006 conference.

Bots, a subset of Trojan horses, were especially "popular" on infected PCs, Microsoft's data showed. Bots are small programs that communicate with the controlling attacker, usually through Internet Relay Chat (IRC) channels and less frequently via instant messaging. Of the top five families on the MSRT's removed-malware list, three -- Rbot, Sdbot, and Geobot -- were bots.

Once backdoors and bots are accounted for, all other malware types were seen on only a minority of machines.

"Rootkits are certainly present, but compared to other [malware types] they're not extremely widespread yet," added Braverman. A rootkit was present on 14 percent of the nearly 6 million computers that had to be cleaned.

Since it debuted in January 2005, the MSRT has been run some 2.7 billion times on an increasing number of PCs. In March 2006, the last month for which data was compiled, 270 million unique systems ran the tool, which is automatically downloaded and run on systems with Windows/Microsoft Update turned on.

Over those 15 months, the MSRT found malware on one in every 311 computers on which it ran.

"I think that's a valid, accurate number," argued Braverman, even though the MSRT doesn't detect and delete every form of malicious software, and runs predominantly on Windows XP SP2 (and not at all on older operating systems, such as Windows 98 and Windows NT).

The MSRT data also seemed to validate the long-standing premise that Windows XP SP2 is more secure than earlier Microsoft operating systems, said Braverman.

Although Windows XP SP2 systems account for 89 percent of all machines from which malware was deleted, when the numbers are "normalized" -- divided by the number of tool executions on each OS, so that an OS the tool runs on far more often is not over-counted -- SP2's share falls precipitously to just 3 percent.

Together, Windows XP Gold (the original edition launched in October 2001) and Windows XP SP1 account for 63 percent of the deletions when the numbers are normalized.

"This makes sense," Braverman's report read. "Windows XP SP2 includes a number of security enhancements and patches for vulnerabilities not found in earlier versions of Windows XP, making it more difficult to be infected by malware in some cases.

"And it is likely that a user who has not yet upgraded to the latest service pack would be more susceptible to social-engineering-based attacks. In fact, this seems to hold true for Windows 2000 and Windows Server 2003 as well, where the latest versions of the service packs for those operating systems have the lowest number of normalized disinfections compared with the older versions of the operating systems."
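The normalization Braverman describes is simple but changes the picture completely: raw disinfection counts are dominated by whichever OS the tool runs on most often, while dividing by executions gives a per-run infection rate for each OS. The following is an added example, not code or data from Microsoft or from the report; the per-OS counts are constructed to illustrate the flip and are not the MSRT figures.

```python
# Added example: raw vs. execution-normalized disinfection shares per OS.
# All figures in SAMPLE are constructed for illustration; they are NOT Microsoft's MSRT data.

from dataclasses import dataclass


@dataclass(frozen=True)
class OsStats:
    name: str
    executions: int      # number of times the tool ran on this OS over the period
    disinfections: int   # runs that removed at least one malware family


# Constructed sample: the newest service pack dominates execution count,
# so it also dominates raw disinfections even though its per-run rate is the lowest.
SAMPLE = [
    OsStats("Windows XP SP2", executions=2_400_000_000, disinfections=7_100_000),
    OsStats("Windows XP SP1", executions=150_000_000, disinfections=600_000),
    OsStats("Windows XP Gold", executions=60_000_000, disinfections=400_000),
    OsStats("Windows 2000 SP4", executions=90_000_000, disinfections=200_000),
]


def raw_share(stats):
    """Share of all disinfections attributed to each OS (what the raw counts show)."""
    total = sum(s.disinfections for s in stats)
    return {s.name: s.disinfections / total for s in stats}


def normalized_rate(stats):
    """Disinfections per execution: the per-run infection rate for each OS."""
    return {s.name: s.disinfections / s.executions for s in stats}


def normalized_share(stats):
    """Each OS's share after normalizing for how often the tool ran on it."""
    rates = normalized_rate(stats)
    total = sum(rates.values())
    return {name: rate / total for name, rate in rates.items()}


def most_affected(shares):
    """Name of the OS with the largest share in a share dict."""
    return max(shares, key=shares.get)


def infected_one_in(stats):
    """Overall 'one in N runs found malware' figure across all OS versions."""
    total_runs = sum(s.executions for s in stats)
    total_disinfections = sum(s.disinfections for s in stats)
    return round(total_runs / total_disinfections)


if __name__ == "__main__":
    for name, share in raw_share(SAMPLE).items():
        print(f"raw        {name:18s} {share:6.1%}")
    for name, share in normalized_share(SAMPLE).items():
        print(f"normalized {name:18s} {share:6.1%}")
    print("most affected (raw):       ", most_affected(raw_share(SAMPLE)))
    print("most affected (normalized):", most_affected(normalized_share(SAMPLE)))
    print("overall: malware found on one in", infected_one_in(SAMPLE), "runs")
```

With the constructed data, SP2 carries well over 80 percent of raw disinfections but drops to last place once rates are computed per execution, and the older XP Gold rises to the top; the same pattern is what the report's normalized figures show. The caveat Braverman raises still applies: a per-execution rate only measures machines on which the tool actually runs, so populations that never run it are invisible in both views.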

"No, I couldn't claim that Windows XP SP2 itself was the only reason why its normalized numbers are so low," admitted Braverman, who pointed to the prodding those users get to turn on Automatic Update (which not only patches their OS, but also runs the MSRT monthly) and the idea that they're less likely to engage in potentially risky behavior, like opening attachments or visiting dangerous parts of the Internet.

Microsoft uses a combination of internally-generated metrics and outside feedback -- including the WildList and customer comments -- to decide which malware is added to the list targeted by the tool. Anti-virus scan results from Microsoft's for-a-fee security service, OneCare, and its free Windows Live Safety Center, said Braverman, are taken into account, as is data from the crash-reporting tool that users can invoke when Windows crashes.

While the MSRT data has been used mostly by the anti-malware team itself to develop new tools -- such as ones to more quickly crank out signatures for bots -- Braverman sees it as a way for Microsoft and its partners to get a better feel for the current security situation.

"It demonstrates Microsoft's understanding of the malware landscape," he said even as that landscape -- and the tool itself -- change.

"We've already morphed our thinking about how to best attack malware families," he added.

A version of the tool for Windows Vista Beta 2 will be released within weeks, said Braverman, via Windows/Microsoft Update to help protect users trying out the new operating system.

The newest edition of the MSRT will be released Tuesday as part of Microsoft's monthly security update.
