
SANS ISC: Malware propagation information from Microsoft - SANS Internet Storm Center



Microsoft recently released a report on the statistics they are collecting via the Malicious Software Removal Tool (MSRT).

If you need to know what kinds of malware are being detected and removed by MSRT, this is a great report. It only covers Windows, of course, but that makes sense.

There is a nice executive summary, but please read beyond that. One security trade publication clearly misread the summary and posted a misquote ("62% of computers infected with a backdoor"). That is not what the report states. The 62% figure is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated: of the machines where an infection was detected and removed, more than half also had remote control backdoors on them. It is a proportion of cleaned machines, not of all machines scanned. No surprise there, really. Although there are ways for the hackers to use a system without a backdoor tool installed, for the most part the hackers want to be able to remotely upgrade and control the systems they have compromised.

The actual report comes from the Rapid Response Team at Waggener Edstrom Worldwide.

Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories; however, since those are well defined up front, I had no problem understanding what they meant by email worm, P2P worm, IM worm, exploit worm, backdoor Trojan, rootkit or virus. They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of realtime protection I would say it's not defense at all. It's reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects and the signatures are usually only updated once a month, I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree that this provides defense in depth. I do, however, see serious benefit to running MSRT. It certainly has contributed to the effort of getting infected systems cleaned.

Some other fun facts I gleaned from this report:
MSRT only removes live malware or malware that will be autorun during a reboot.
1 computer in 355 had malware that was recognized and removed.
5% of the rootkits removed were WinNT/F4IRootkit (aka the Sony rootkit), with about 420k removals from 250k machines.
35% of the computers infected were infected via the end user clicking on or opening something.
20% of the computers cleaned had been infected sometime in the past.
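The figures quoted above, put together as an added example (this is not code from the diary or from the Microsoft report). It shows why "62% of cleaned machines had a backdoor" is a conditional proportion that cannot be read as "62% of computers have a backdoor": multiplying it by the base rate of cleaned machines (1 in 355) gives the share of all scanned machines involved, and the same base-rate step turns the Sony rootkit numbers into removals per affected machine. The constants are the diary's figures; the function names are mine.

```python
# Added example: conditional vs. absolute proportions from the MSRT report figures
# as quoted in the diary. Constants below are the diary's numbers, not new data.

CLEANED_PER_MACHINE = 1 / 355        # "1 computer in 355 had malware ... removed"
BACKDOOR_AMONG_CLEANED = 0.62        # "62% of machines cleaned also had a backdoor"
SONY_ROOTKIT_REMOVALS = 420_000      # "about 420k removals ..."
SONY_ROOTKIT_MACHINES = 250_000      # "... from 250k machines"


def joint_rate(conditional_rate: float, base_rate: float) -> float:
    """P(A and B) = P(A | B) * P(B).

    conditional_rate is the share of *cleaned* machines with property A,
    base_rate is the share of *all* machines that were cleaned at all.
    """
    if not (0.0 <= conditional_rate <= 1.0 and 0.0 <= base_rate <= 1.0):
        raise ValueError("rates must be proportions in [0, 1]")
    return conditional_rate * base_rate


def backdoor_rate_all_machines() -> float:
    """Share of all MSRT-scanned machines that were cleaned AND had a backdoor."""
    return joint_rate(BACKDOOR_AMONG_CLEANED, CLEANED_PER_MACHINE)


def misquote_overstatement() -> float:
    """How many times too large the '62% of computers' misreading is."""
    return BACKDOOR_AMONG_CLEANED / backdoor_rate_all_machines()


def removals_per_affected_machine(removals: int, machines: int) -> float:
    """Average removals per machine that had the rootkit; >1 means re-infection
    or several detections of the same family on one host."""
    if machines <= 0:
        raise ValueError("machine count must be positive")
    return removals / machines


if __name__ == "__main__":
    overall = backdoor_rate_all_machines()
    print(f"backdoor, as share of all scanned machines: {overall:.4%}")
    print(f"misquote overstates by a factor of {misquote_overstatement():.0f}")
    print("Sony rootkit removals per affected machine:",
          f"{removals_per_affected_machine(SONY_ROOTKIT_REMOVALS, SONY_ROOTKIT_MACHINES):.2f}")
```

Run as a script it prints the three derived numbers; the point to take away is that the 62% only ever applied to the roughly 0.28% of machines MSRT actually cleaned, so the headline figure is off by the full base rate (a factor of 355).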

So if you have a little time and you are interested in malware propagation, I recommend reading this report.

donald

ISC Handler
