Three out of four rootkit infections are on Windows XP

FREEMIUM antivirus vendor Avast warns that unpatched Windows XP machines continue to pose a serious threat to the internet ecosystem by harbouring three quarters of all rootkit infections.

The company has a unique insight into the threat landscape thanks to over 130 million active Avast! antivirus installations worldwide that send it malware telemetry. According to a recent analysis performed by the firm’s researchers, 74 per cent of 630,000 rootkit samples found in the wild originated from Windows XP machines.

This rootkit infection rate is almost two times higher than the decade-old operating system’s global usage share of 38 per cent. Avast’s statistics show that 49 per cent of its customers have XP running on their computers.

The numbers clearly show that the high Windows XP infection count can’t simply be explained by its market share. “One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can’t be validated by the Microsoft update,” said Przemyslaw Gmerek, Avast’s leading rootkit expert.

Rootkits are serious threats because they function at the lowest levels of the operating system, which makes them hard to detect. For example, some rootkits hook the file system drivers to hide malicious files.

Others even operate outside the OS, giving them much more control over the machine. These are called bootkits because they infect a partition’s Master Boot Record (MBR) and, according to Avast, they are responsible for 62 per cent of all rootkit infections.

The top MBR rootkit family is known as Alureon, TDL or TDSS. The latest variant, TDL4, is capable of self-propagation and can infect 64-bit versions of Windows Vista and Windows 7.

These Windows flavors employ advanced protection technologies like mandatory driver signing, PatchGuard and User Account Control (UAC).

Computers infected with TDL4 operate as part of a botnet whose use of the KAD peer-to-peer network for updating purposes has led security researchers from Kaspersky Lab to call it indestructible.

Avast claims that Alureon variants account for 74 per cent of all MBR rootkit infections, but just to put this number into perspective, Kaspersky Lab estimates that the TDL4 botnet alone is made up of 4.5 million infected computers.

Windows 7 has slowly eaten away at Vista and XP’s market share for the past two years, but the rootkit problem won’t go away anytime soon. Microsoft will continue to support Windows XP until 8 April, 2014, and rootkit creators have already demonstrated their ability to defeat all defences in its newer operating systems.

On 12 April, Microsoft issued a Windows 7 security update which, according to security researchers, targeted TDL4 in particular. The modifications it made rendered the rootkit ineffective, but new variants bypassing the patch were spotted by 3 May.
