Microsoft: Trojans, Bots Are 'Significant and Tangible Threat'
BOSTON -- Microsoft security researchers have used data collected from its MSRT (malicious software removal tool) to produce the clearest picture yet of the malware scourge on Windows -- and it's not a pretty sight.
On the eve of the Tech 2006 conference here, the software maker offered a rare glimpse of the extent of infected Windows systems, warning that the threat from backdoor Trojans and bots present "a significant and tangible threat."
It is the first public confirmation by Microsoft that well-organized mobsters have established control a global billion-dollar crime network using keystroke loggers, IRC bots and rootkits.
The report comes as Microsoft introduces Ben Fathi as its new security czar and a public beta of Microsoft Client Protection, the enterprise version of the subscription-based Windows OneCare PC security application.
Since the first iteration of the MSRT in January 2005, Microsoft has removed 16 million instances of malicious software from 5.7 million unique Windows machines. On average, the tool removes at least one instance of a virus, Trojan, rootkit or worm from every 311 computers it runs on.
The most significant threat is clearly from backdoor Trojans, small programs that open a back door to allow a remote attacker to have unauthorized access to the compromised computer.
The MSRT has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot.
A bot is a type of Trojan that communications through IRC (Inter Relay Chat) networks. Bots are used to launch spam runs, launch extortion denial-of-service attacks and to distribute spyware programs to unwitting Windows users.
Matt Braverman, the Microsoft program manager who collated the data and prepared the report, said the startling prevalence of bots proves that the for-profit malware route is lucrative for online criminals.
Three of the top five most removed malware families are bots Rbot, Sdbot and Gaobot. The FU rootkit, which is used primarily to hide bots, is number five on the list.
"The numbers speak for themselves," Braverman said in an interview with eWEEK. "In addition to the fact that bots are high on the list, we're seeing a significant amount of new variants everyday. We're adding detections for about 2,000 new Rbot variants [to the [MSRT] with each release."
"Bots are not only active on computers. It's something that the attackers are modifying and turning around quickly. They're moving in, corralling a set of users, stealing information, then moving on to the next target," he explained.