We don't get many stats as to how many PCs in the world have rootkits installed and hiding malware like keyloggers and spyware in the background. Rootkits are too good to be true for the malware authors out there, so it stands to reason that rootkits should be more prevalent. Except Microsoft does not think they are.
Microsoft recently published a Security Intelligence report entitled “An in-depth perspective of trends in the malicious and potentially unwanted software landscape in the first half of 2006”. This report had many references to rootkits. The references included the number of individual PCs scanned using the Windows Malicious Software Removal Tool (MSRT) and Windows Defender, along with the percentage of rootkits found. Symantec today released a Security Brief entitled “Handling Today’s Tough Security Threats” in which they compared their software against other companies like Microsoft and McAfee. The interesting part of the report for me is the rootkit detection section.
But first, let's have a look at the Microsoft stats.
Microsoft says in its report that of the 3.2 million computers, 8% had rootkits, which is a drop from 17% in 2005. This means that Microsoft was able to find 256,000 (256K) computers with rootkits.
Microsoft, like Symantec, scanned for the Sony XCP rootkit, which it could be argued didn't hide malware (although malware authors used its stealth capabilities to hide their own malware).
The Symantec report says they tested for rootkits that are currently being used in the wild. Thompson Cyber Security Labs randomly selected 20 rootkits and used their own samples for this test. We don't know if the Sony rootkit was one of the 20 rootkits picked.
Symantec, in the report, state that of the 20 rootkits tested, the Symantec software identified all 20 while Microsoft only identified 5. This shows that Microsoft only identified 20% of the rootkits tested.
So, assuming like for like, the Microsoft figure of 256,000 unique computers with rootkits could mean, taking the Symantec results into account, that Microsoft have only found 20% of the actual number of computers with rootkits. That's a staggering 1,280,000 (1.28 million) computers infected with rootkits.
We could also add the highly publicised Gromozon and Haxdoor rootkits that are taking computers by storm at the moment, but again there are no solid figures to use.
Hopefully we can get more precise details so we can really see if Microsoft is falling behind in the identification of rootkits and whether there really are 1.28 million computers with rootkits hiding malware.
Keep Safe,
regards
Steo
www.antirootkit.com
Your maths includes a logical error. You cannot “assume like for like”. That is, you cannot equate 20% of rootkit TYPES with 20% of rootkit INSTALLATIONS.
If the 20% of the rootkits that MS detect are the most common rootkits, the situation is much better than you suggest. On the other hand, the 20% could be the easiest to detect and therefore (by survival of the fittest) be the least likely to survive. In this case, the situation could be very much worse than you suggest.
Without prevalence figures for the individual rootkits, it is impossible to infer anything about the number of infected computers.
I am the last person to defend MS, but since the test figures were produced by Symantec, I would suggest that they are likely to have stacked the cards in their favour by choosing the more obscure rootkits, all of which (coincidentally) their software happens to detect.
I should be interested to read a follow-up article which includes a breakdown by “market-share” of the rootkits detected.
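Phil's point above, and the scaling step in the original post, as an added illustration that is not part of the thread and not code from either vendor's report. It takes only three numbers from the page (20 samples tested, 5 detected by the Microsoft tool, 256,000 machines found with rootkits) and otherwise uses a constructed, made-up prevalence distribution for 20 hypothetical rootkit families, since the page has no prevalence data at all. The same 5-of-20 detection rate then implies very different infected-machine totals depending on whether the detected families are the common ones or the rare ones. One aside on the arithmetic: 5 of 20 is 25%, so the post's own scaling gives 1,024,000 rather than 1.28 million.

```python
"""Share of rootkit TYPES detected is not share of rootkit INSTALLATIONS detected.

Added illustration for this thread, not code from the post or from any vendor.
Figures taken from the page: 20 rootkit samples tested, 5 detected by the
Microsoft tool, 256,000 machines found with rootkits. Every per-family
prevalence number below is constructed for illustration; the page gives none.
"""

TYPES_TESTED = 20
TYPES_DETECTED = 5
MACHINES_FOUND = 256_000


def naive_extrapolation(found, detected_types, tested_types):
    """The post's 'like for like' step: scale the machines found by the share
    of rootkit TYPES detected, as if that were the share of INSTALLATIONS.
    With the page's inputs this is 256,000 * 20 / 5 = 1,024,000
    (5 of 20 is 25%, not the 20% the post quotes)."""
    return found * tested_types / detected_types


def constructed_prevalence(n_types=TYPES_TESTED):
    """Hypothetical install counts for n_types rootkit families, rk01 (most
    common) down to rk20 (rarest), falling off like 1/rank. Constructed data,
    chosen only so that a few families dominate, as malware prevalence usually does."""
    return {f"rk{i:02d}": round(100_000 / i) for i in range(1, n_types + 1)}


def installation_coverage(prevalence, detected):
    """Fraction of all installations that belong to families the tool detects."""
    total = sum(prevalence.values())
    covered = sum(count for name, count in prevalence.items() if name in detected)
    return covered / total


def infer_total(found, prevalence, detected):
    """Scale the machines a tool found by the share of installations it can see.
    This is the step the post skips: it cannot be done without prevalence data."""
    return found / installation_coverage(prevalence, detected)


def scenario(detected_ranks, found=MACHINES_FOUND):
    """Inferred total infected machines when the detected families sit at the
    given prevalence ranks (1 = most common). Returns (coverage, total)."""
    prevalence = constructed_prevalence()
    detected = {f"rk{r:02d}" for r in detected_ranks}
    coverage = installation_coverage(prevalence, detected)
    return round(coverage, 3), round(infer_total(found, prevalence, detected))


if __name__ == "__main__":
    print("post's scaling, types as proxy:",
          naive_extrapolation(MACHINES_FOUND, TYPES_DETECTED, TYPES_TESTED))
    # Phil's first case: the 5 detected families are the 5 most common.
    print("detected = 5 most common families:", scenario(range(1, 6)))
    # Phil's second case: the 5 detected families are the 5 rarest.
    print("detected = 5 rarest families:     ", scenario(range(16, 21)))
```

With this constructed distribution the "most common" case covers roughly 63% of installations and implies about 400,000 infected machines, while the "rarest" case covers under 8% and implies over 3 million; the 5-of-20 type count is the same in both. Only a per-family breakdown of what was actually found, which neither report provides, would pin the number down.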
Phil,
Thanks for your reply. Indeed, I did make the assumption “like for like”, but this was to represent the fact that both parties were trying to find currently used rootkits. The Symantec tests were against rootkits picked by an independent researcher not linked with Symantec.
I am currently trying to get some actual figures to give a better indication as to how many PCs are infected.
What I found unusual about the MS report is that they say rootkits are on the decrease when it makes sense for all malware writers to use them and evolve them against detection.
More to come…
regards
Steo