
SANS ISC InfoSec Handlers Diary Blog

Backdoor Trojans significant and tangible threat to Windows users - MS Antimalware Team

Published: 2006-11-26
Last Updated: 2006-11-26 17:04:40 UTC
by Patrick Nolan (Version: 1)
"Windows Malicious Software Removal Tool: Progress Made, Trends Observed" is a paper published in early November by the Microsoft Antimalware Team giving a "perspective of the malware landscape based on the data collected by the MSRT". Note that the tool, by default, "only looks for malware that are currently running or linked to through an auto-start point, such as in the registry", so the figures below reflect active infections rather than every malicious file on disk.

Anyone with network security monitoring or malware IR responsibilities should consider giving it a read. Some highlights (ymmv) include:

"Backdoor Trojans" ... "are a significant and tangible threat to Windows users."

"Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them." "Bots, a sub-category of backdoor Trojans" ... "represent a majority of the removals." Rbot, Sdbot, and Gaobot "compose three of the top five slots in terms of total number of removals."

"The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month."

Correlations in the paper:

"The largest correlation shown" ... "is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans." (handler emphasis/bold) "The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."