Last Updated: 2006-11-26 17:04:40 UTC
by Patrick Nolan (Version: 1)
Anyone with network security monitoring or malware IR responsibilities should consider giving it a read. Some highlights (ymmv) include:
"Backdoor Trojans" ... "are a significant and tangible threat to Windows users."
"Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them." "Bots, a sub-category of backdoor Trojans" ... "represent a majority of the removals." Rbot, Sdbot, and Gaobot "compose three of the top five slots in terms of total number of removals."
"The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month."
Correlations in the paper:
"The largest correlation shown" ... "is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans." (handler emphasis/bold). "The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."