Security threats Toolkit

Microsoft: Zombies most prevalent Windows threat

Tags:
Bot,
Malware,
Spyware

Joris Evers CNET News

Published: 13 Jun 2006 09:20 BST

Many Windows PCs have been turned into zombies, but rootkits are not yet widespread, according to a Microsoft security report slated for release on Monday.

More than 60 percent of compromised Windows PCs scanned by Microsoft's Windows Malicious Software Removal Tool between January 2005 and March 2006 were found to be running malicious bot software, the company said. The tool removed at least one version of the remote-control software from about 3.5 million PCs, it added. That's compared with an overall 5.7 million machines with infections overall.

"Backdoor Trojans... are a significant and tangible threat to Windows users," Microsoft said in the report.

A computer compromised by such a Trojan horse, popularly referred to as a zombie PC, can be used by miscreants in a network of bots, or "botnet", to relay spam and launch cyberattacks. Additionally, hackers often steal the victim's data and install spyware and adware on PCs, to earn a kickback from the spyware or adware maker.

Microsoft introduced the Windows Malicious Software Removal Tool in January last year. An updated version of the program ships monthly with Microsoft's security updates. The tool aims to identify and remove prevalent malicious software from PCs. Since its release, it has run about 2.7 billion times on at least 270 million computers, Microsoft said.

Over the 15-month period covered by the report, the tool found that 5.7 million of unique Windows systems were infected. It removed 16 million instances of malicious software from these systems, Microsoft said.

Backdoor Trojans are the most prevalent threat, followed by email worms, which were found on and removed from just over 1 million PCs, Microsoft said. Rootkits, which make system changes to hide another piece of possibly malicious software, are less widespread, with removals from 780,000 PCs.

"Rootkits... are a potential emerging threat but have not yet reached widespread prevalence," Microsoft said in the report. This contrasts with a study from McAfee, which in April said the numbers of rootkits it sees are rising sharply.

Rootkits lunged into the public spotlight last year when anticopying software on certain Sony BMG Music Entertainment CDs was found to contain rootkit-like code. Microsoft added detection and removal capabilities for the Sony rootkit in December, and its tool wiped off the software 250,000 times, according to the report.

The Windows Malicious Software Removal Tool found a rootkit on 14 percent of the 5.7 million PCs it removed malicious software from. This figure drops to 9 percent when excluding the Sony rootkit. In about 20 percent of the cases when a rootkit was found on a computer, at least one backdoor Trojan was found as well, Microsoft said.

Attacks in which a victim is tricked into running malicious software are a significant source of infections. Worms that spread through email, peer-to-peer networks and instant messaging clients account for just over one-third of the computers cleaned by the Microsoft tool, the software maker said.

The top five threats identified by Microsoft's removal tool: Rbot, Sdbot, Parite, Gaobot and FURootkit. Parite is an aggressive file-infecting virus that first appeared in 2001, Microsoft said, and the FURootkit is often used to hide a backdoor Trojan such as Rbot, Sdbot and Gaobot on a PC.

The free Windows Malicious Software Removal Tool is available in 24 languages to people who use Windows 2000, Windows XP and Windows Server 2003. The current release of the tool is capable of detecting and removing 61 families of malicious software, Microsoft said. It can be accessed at the company's Web site.