James O'Neill's Blog

October 30, 2006

Sony rootkit on 1/4 million PCs, MSRT removes a malware somewhere every 3 seconds and other statistics.

Filed under: Security and Malware,White Papers,Windows Vista,Windows XP — jamesone111 @ 1:51 pm

I’ve been reading a paper about the Malicious-Software Removal Tool (MSRT, and I hyphenate it to prevent it being read as the Malicious software-removal tool). It’s entitled MSRT progress made, trends observed. If you’re interested in what the tool does, or in the statistics, it makes fascinating reading.

Here are some points from its summary with a few comments of my own.

  • The data was up to March 2006; over the 15 months it had been out, the tool had removed 16 million instances of malicious software from 5.7 million unique Windows computers. On average, the tool removes at least one instance of malware from every 311 computers it runs on. It had been run a total of nearly 1.8 billion times – the number of executions per month was rising steadily but averaged 118 million.
    Quoted executions for March 06 show the tool running roughly 100 times every second, and a malware removed somewhere in the world every 3 seconds. On average a PC which has been cleaned had 2.8 malwares removed (though these may be at different times). My only complaint about the paper is that it talks in some places about PCs cleaned and in others about malwares removed; the difference makes it difficult to work out some things.
  • 41 of the 61 malware families targeted by the MSRT from January 2005 to February 2006 have been detected less frequently since being added to the tool, with 21 of the families experiencing decreases greater than 75%. This is hardly surprising; the prevalence of a piece of malware declines over time.
  • Backdoor Trojans are a significant and tangible threat to Windows users. Of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of computers.
  • Rootkits were found on 14% of computers cleaned, although this figure drops to 9% if the WinNT/F4IRootkit, distributed on select Sony music CDs, is excluded. In 20% of the cases when a rootkit was found on a computer, at least one backdoor Trojan was found as well. Wow. The Sony rootkit removed from 5% of 5.7 million computers – roughly 250,000!
  • Social engineering attacks represent a significant source of malware infections. Worms that spread through e-mail, peer-to-peer networks, and instant messaging clients account for 35% of the computers cleaned by the tool. Or, if people aren’t getting smarter
  • Most of the computers cleaned with each release of the MSRT are computers from which the tool has never removed malware. But in the March 2006 version of the MSRT, the tool removed malware from approximately 150,000 computers (20% of all computers cleaned) from which some malware had previously been removed by the tool in an earlier release.

I find the last one interesting – 600,000 computers which had never been infected were cleaned, bringing the total to 5.7 million, so 5.1 had been cleaned previously. 150,000 of the 5.1M were re-infected – about 3%, compared with 600,000 out of 200M previously clean – an infection rate of about 0.3%. I guess this isn’t surprising. Of people infected, most take steps to avoid re-infection; the ones who don’t change are doing the things that make them likely to get re-infected: some will get re-infected after a month, some after 2, some after 3 and so on. What we don’t know is how many are clean through protection and how many through lack of exposure.


This post originally appeared on my TechNet blog.
