June 12, 2006 6:00 AM PDT

Microsoft: Zombies most prevalent Windows threat

A correction was made to this story. Read below for details.

Many Windows PCs have been turned into zombies, but rootkits are not yet widespread, according to a Microsoft security report slated for release Monday.

More than 60 percent of compromised Windows PCs scanned by Microsoft's Windows Malicious Software Removal Tool between January 2005 and March 2006 were found to be running malicious bot software, the company said. The tool removed at least one version of the remote-control software from about 3.5 million PCs, it added. That's compared with an overall 5.7 million machines with infections overall.

"Backdoor Trojans?are a significant and tangible threat to Windows users," Microsoft said in the report.

A computer compromised by such a Trojan horse, popularly referred to as a zombie PC, can be used by miscreants in a network of bots, or "botnet", to relay spam and launch cyberattacks. Additionally, hackers often steal the victim's data and install spyware and adware on PCs, to earn a kickback from the spyware or adware maker.

Microsoft introduced the Windows Malicious Software Removal Tool in January last year. An updated version of the program ships monthly with Microsoft's security updates. The tool aims to identify and remove prevalent malicious software from PCs. Since its release, it has run about 2.7 billion times on at least 270 million computers, Microsoft said.

Over the 15-month period covered by the report, the tool found that 5.7 million of unique Windows systems were infected. It removed 16 million instances of malicious software from these systems, Microsoft said.

Backdoor Trojans are the most prevalent threat, followed by e-mail worms, which were found on and removed from just over 1 million PCs, Microsoft said. Rootkits, which make system changes to hide another piece of possibly malicious software, are less widespread, with removals from 780,000 PCs.

"Rootkits?are a potential emerging threat but have not yet reached widespread prevalence," Microsoft said in the report. This contrasts with a study from McAfee, which in April said the numbers of rootkits it sees are rising sharply.

Rootkits lunged into the public spotlight last year when anticopying software on certain Sony BMG Music Entertainment CDs was found to contain a rootkit. Microsoft added detection and removal capabilities for the Sony rootkit in December, and its tool wiped off the software 250,000 times, according to the report.

The Windows Malicious Software Removal Tool found a rootkit on 14 percent of the 5.7 million PCs it removed malicious software from. This figure drops to 9 percent when excluding the Sony rootkit. In about 20 percent of the cases when a rootkit was found on a computer, at least one backdoor Trojan was found as well, Microsoft said.

Attacks in which a victim is tricked into running malicious software are a significant source of infections. Worms that spread through e-mail, peer-to-peer networks and instant messaging clients account for just over one-third of the computers cleaned by the Microsoft tool, the Redmond, Wash., software maker said.

The top five threats identified by Microsoft's removal tool: Rbot, Sdbot, Parite, Gaobot and FURootkit. Parite is an aggressive file-infecting virus that first appeared in 2001, Microsoft said, and the FURootkit is often used to hide a backdoor Trojan such as Rbot, Sdbot and Gaobot on a PC.

The free Windows Malicious Software Removal Tool is available in 24 languages to people who use Windows 2000, Windows XP and Windows Server 2003. The current release of the tool is capable of detecting and removing 61 families of malicious software, Microsoft said. It can be accessed at the company's Web site.

 

Correction: This story incorrectly described the PCs found to be running bot software in scans by Microsoft's Windows Malicious Software Removal Tool. The scans found that 60 percent of compromised PCs were running the malicious software.

See more CNET content tagged:
rootkit, malicious software, zombie, threat, bot

52 comments

Join the conversation!
Add your comment
Maybe not detectable?
>>Rootkits&are a potential emerging threat but have not yet reached widespread prevalence

Maybe because they are almost undetectable?

<a class="jive-link-external" href="http://www.otherthingsnow.blogspot.com" target="_newWindow">http://www.otherthingsnow.blogspot.com</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
It's VERY Easy to detect: Just Look For A Sony Disc Nearby.
Rootkits, brought to you by Sony.
Please buy Sony.
Posted by kamwmail-cnet1 (292 comments )
Link Flag
Stupid Scamming Users is the Most Prevalent Threat.
Stupid users who think clicking on the free things is GOOD. They "got one over da man", man.

What we need to distribute is a More virius. Virus that kills the machines infected. This way, the stupids will be locked out of sending spam mail zombie like, and they won't clog the bandwidth.
Posted by kamwmail-cnet1 (292 comments )
Reply Link Flag
Concur
The majority of these problems are completely user related... all these people clicking for free screen savers, free spyware blockers that come in on popups. These people do not think before they click.

I always wished for ISPs that could detect which machines were in botnets and then cancel those people's account. If they want their internet back, then they need to take an internet safey course or something.

Would be nice if you had to take an exam or something to get internet access, sorta like a drivers license. If you fail, too bad, no myspace for you... come back in 6 months and try again.
Posted by SeizeCTRL (1333 comments )
Link Flag
Unfortunately
You are exactly right. Who ever the moron was that decided to give root privileges to all users is the real cause of the problem. This should have been addressed in DOS 3.3. Instead M$ has made it their official position to blame the victim so they can sell them more stuff.

In a real free market such behavior would have been suicide but in our current market of monopolies it only serves the interests of the plutocrats and passes the costs onto the naive user. Yep, it is the users fault if they do not spend hours installing patches every month and many hours more trying to get programs to work after the patches have been installed.

The state or our current OS market is just like the old manufacturing industries of the former Soviet Union, bureaucratic, officious, and grossly ineffective. There is only one solution to this problem, a truly free market with multiple players all serving to keep each other in check and provide a constantly improved product to the consumer (1 behemoth and a few bit players do not constitute a free market!).

Until such time, we will be stuck with what we have now. A product designed primarily to stifle competition and maximize profit with little or no regard for the end user.
Posted by Mister C (423 comments )
Link Flag
Hmmm . . .
I sometimes wonder if M$ themselves are creating these things.
Anyways, just another reason to stay away from Windows for the
average Joe.

Programmer #A-5 of www.totallyparanoia.com
Posted by fakespam (239 comments )
Reply Link Flag
Yeah, right...
I'm sure that this is exactly what Microsoft wants -- more negative publicity.
Posted by Get_Bent (534 comments )
Link Flag
Math problem here?
Guys, I'm having trouble with your math. Since when did "On average, that's at least one instance of a virus, Trojan horse, worm or rootkit from every 311 computers it runs on." become 60 percent of all computers. Isn't it 1/311 * 100% = 0.32% ???

Or did you actually mean to say of those that had a problem, 60% of them had a zombie?

Either way it seems like a gross exaggeration.
Posted by whogrant (32 comments )
Reply Link Flag
Math Clarification
Back door Trojan horses were found on 60 percent of the computers infected with malicious software, not on all the computers scanned. We have cleared that up in the story. Thanks for noticing. -- Joris, CNET.
Posted by JorisEvers (48 comments )
Link Flag
How...
I have seen this little program downloaded during updates, but have never found a way to access it. How do you access the wonderful Microsoft tool when they don't include a link to it? Does it just work in the background or what?

R
Posted by Heebee Jeebies (632 comments )
Reply Link Flag
RE: How ...
Check out M$'s site linked at the bottom of the article and you'll
notice this little comment:

"Note The version of the tool delivered by Microsoft Update and
Windows Update runs in the background and then reports if an
infection is found. If you would like to run this tool more than
once a month, use the version on this Web page or install the
version that is available in the Download Center."

So yes, it runs in the background once a month.
Posted by Dalkorian (3000 comments )
Link Flag
Thanks!
For being clear that all of these millions of infections apply only to
WINDOWS.
<a class="jive-link-external" href="http://movies.apple.com/movies/us/apple/getamac_ads1/" target="_newWindow">http://movies.apple.com/movies/us/apple/getamac_ads1/</a>
viruses_480x376.mov
Posted by robot999 (109 comments )
Reply Link Flag
There are Mac vulnerabilities too.
Just remember that. However, as you will no doubt say, these exist in an exponentially smaller number than Windows' Virus' (Virii?). But they exist nonetheless.

The thing is, most of both the Windows and Mac ones share the same common need: An idiotic user who opens and clicks on anything he sees attractive.

I jst hope everyone remembers that no software is safe from dumb or extremely ignorant/uninformed users. users.
Posted by Tomcat Adam (272 comments )
Link Flag
Oops
Oops, someone just found out how large NSA other online computer bots system really is! The power of a world wide internet distributed program system, is mind blowing, on it's number crunching ability!

Oh well, given that a majority of users fail to use even the most simplest of firewalls and computer security systems in place, it seems to be a fair estimate!

Thankfully, if not for computer bloggers blowing the whistle, SONY BMG's rootkit, would have continued to spread on a world wide exponential basis, for they would have ultimately implemented this demented technology, to their world wide pressing plants, in a steady progression!
Posted by heystoopid (691 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.