<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Do 1.28 Million computers have a Rootkit?</title>
	<link>http://www.antirootkit.com/blog/2006/11/04/do-128-million-computers-have-a-rootkit/</link>
	<description>Antirootkit Software, News, Articles and Forums</description>
	<pubDate>Mon, 22 Mar 2010 02:19:52 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>

	<item>
		<title>by: steo</title>
		<link>http://www.antirootkit.com/blog/2006/11/04/do-128-million-computers-have-a-rootkit/#comment-4</link>
		<pubDate>Sat, 11 Nov 2006 22:44:38 +0000</pubDate>
		<guid>http://www.antirootkit.com/blog/2006/11/04/do-128-million-computers-have-a-rootkit/#comment-4</guid>
					<description>Phil,
thanks for your reply, indeed I did make the assumption "like for like" but this was to represent the fact that both parties were trying to find currently used rootkits. The Symantec tests were against rootkits picked by an independent researcher not linked with Symantec.

I am currently trying to get some actual figures to give a better indication as to how many PCs are infected.

What I found unusual about the MS report is that they say rootkits are on the decrease when it makes sense for all malware writers to use them and evolve them against detection.

More to come...

regards
Steo</description>
		<content:encoded><![CDATA[<p>Phil,<br />
thanks for your reply, indeed I did make the assumption &#8220;like for like&#8221; but this was to represent the fact that both parties were trying to find currently used rootkits. The Symantec tests were against rootkits picked by an independent researcher not linked with Symantec.</p>
<p>I am currently trying to get some actual figures to give a better indication as to how many PCs are infected.</p>
<p>What I found unusual about the MS report is that they say rootkits are on the decrease when it makes sense for all malware writers to use them and evolve them against detection.</p>
<p>More to come&#8230;</p>
<p>regards<br />
Steo
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Phil</title>
		<link>http://www.antirootkit.com/blog/2006/11/04/do-128-million-computers-have-a-rootkit/#comment-3</link>
		<pubDate>Sat, 11 Nov 2006 20:37:26 +0000</pubDate>
		<guid>http://www.antirootkit.com/blog/2006/11/04/do-128-million-computers-have-a-rootkit/#comment-3</guid>
					<description>Your maths includes a logical error.  You cannot "assume like for like".  That is, you cannot equate 20% of rootkit TYPES with 20% of rootkit INSTALLATIONS.

If the 20% of the rootkits that MS detect are the most common rootkits, the situation is much better than you suggest.  On the other hand, the 20% could be the easiest to detect and therefore (by survival of the fittest) be least likely to survive.  In this case, the situation could be very much worse than you suggest.

Without prevalence figures for the individual rootkits, it is impossible to infer anything about the number of infected computers.

I am the last person to defend MS, but since the test figures were produced by Symantec, I would suggest that they are likely to have stacked the cards in their favour by choosing the more obscure rootkits, all of which (coincidentally) their software happens to detect.

I should be interested to read a follow-up article which includes a breakdown by "market-share" of the rootkits detected.</description>
		<content:encoded><![CDATA[<p>Your maths includes a logical error.  You cannot &#8220;assume like for like&#8221;.  That is, you cannot equate 20% of rootkit TYPES with 20% of rootkit INSTALLATIONS.</p>
<p>If the 20% of the rootkits that MS detect are the most common rootkits, the situation is much better than you suggest.  On the other hand, the 20% could be the easiest to detect and therefore (by survival of the fittest) be least likely to survive.  In this case, the situation could be very much worse than you suggest.</p>
<p>Without prevalence figures for the individual rootkits, it is impossible to infer anything about the number of infected computers.</p>
<p>I am the last person to defend MS, but since the test figures were produced by Symantec, I would suggest that they are likely to have stacked the cards in their favour by choosing the more obscure rootkits, all of which (coincidentally) their software happens to detect.</p>
<p>I should be interested to read a follow-up article which includes a breakdown by &#8220;market-share&#8221; of the rootkits detected.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
