Slashdot Mirror


Win 7's Malware Infection Rate Climbs, XP's Falls

BogenDorpher writes "Microsoft released data today showcasing that Windows 7's malware infection rate has climbed by more than 30% during the second half of 2010, while the infection rate for Windows XP has dropped by more than 20%."


  1. And this is a surprise? by black6host · · Score: 3, Insightful

    What would one expect as usage of XP decreases and Win7 increases?

    1. Re:And this is a surprise? by Khoa · · Score: 5, Insightful

      What would one expect as usage of XP decreases and Win7 increases?

      The changing usage rate between the two OS's is controlled for. FTFA: It's infection rate per 1000 machines.

    2. Re:And this is a surprise? by John+Hasler · · Score: 3, Insightful

      The changing usage rate will also drive malware authors to concentrate on Win7.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:And this is a surprise? by Missing.Matter · · Score: 5, Informative

      While the article says that the number of Win7 infections has gone up while the number of WinXP infections has gone down, the infection rate on XP is still higher at 14 per 1000 compared to 4 per 1000 in Win7.

    4. Re:And this is a surprise? by sortius_nod · · Score: 3, Interesting

      Corporate environments are usually controlled and less likely to get malware.

      That's not true at all. Having worked support in various corporations I can assure you that the infection rate is still very high. I remember working for a large bank and they had conficker on 1500 servers and 20000 workstations. This is supposed to be a sterile environment as it's a bank, not so. Where you have staff who aren't exactly computer literate you will have large infection rates.

    5. Re:And this is a surprise? by hairyfeet · · Score: 2

      Not to mention TFS is badly written. If you look at the actual figures, Win 7 32-bit infections rose from 3 per 1000 to 4 per 1000, whereas XP went from 18 infected per 1000 to 14 per 1000, which are pretty damned good numbers for Windows 7, especially considering how many completely clueless users are picking up Windows 7 right now. So to only have an infection rate of 4 per 1000 when you have the "granny demographic" that still hasn't figured out the difference between memory and HDD space? I'd say those numbers are excellent.

      And if there are any MSFT devs here? Please for the love of all that is good and decent in the world don't fuck shit up for Win 8, okay? You FINALLY, after all these damned years, came up with a kick ass UI that lets those with years of experience work faster while still letting those like my dad that are clueless find things easily. It is intuitive, it is nice, it runs great and is stable. So look, I know you guys have a tradition of borking the OS after a good release, but just....just don't, okay?

      If you want a killer feature for Win 8 old Hairyfeet will give you one, make something like Homegroup so those like my dad can simply connect their work and home PCs without knowing more than "clicky clicky" and a password/dongle combo. Just have it save an encrypted token onto any flash stick so they can bring it home and plug it in, answer a few questions, and have access to their files from work. That would be kick ass and easily worth paying to upgrade to Windows 8 WITHOUT borking everything. So please, you have a good thing here, don't fuck it up!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:And this is a surprise? by Mordok-DestroyerOfWo · · Score: 2

      A drunk driver smashing his car whether it be a Pinto (XP), a Gremlin (Vista), or a Toyota (7) is still at fault even if the basic design of the car may lead to more serious consequences. There is no service pack for sheer idiocy and short of a walled garden stupid people will always find a way to get themselves infected.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    7. Re:And this is a surprise? by TheCouchPotatoFamine · · Score: 3, Insightful

      This is nonsensical. But to extend your analogy, it's as if Microsoft's vehicle has no brakes. Nothing to stop the user from smashing into anything after they've touched the gas. You act like it's just perfectly normal that drive-by downloads from IE aren't avoidable by a bit of proper engineering from the "car maker".

      While it's possible for a user to be misguided, the majority of errors come from the computer being complicit in allowing bad actions to happen merely so that a fringe of "convenience" can let users operate without having to remember their passwords, for instance.

      Marketing wins over engineering, and THAT'S why you have crap OS's and apps that have exploits attached, like burrs. Walled gardens from single corporations aside, communities SHOULD run app-repositories of trusted code and that's obvious. Bad engineering, both technical and social...

      --
      CS majors know the time/space tradeoff, but they never get taught the 3rd, crucial, tradeoff of the set: comprehension!
    8. Re:And this is a surprise? by smash · · Score: 3, Insightful

      There's no reason codecs (or ANY SOFTWARE) installed on linux or any other OS can't own the user's data or operating system either.

      There are three ways people get owned: remote exploits (count the number on 7 vs linux in the past 2 years - they're not so far apart), application exploits (again, count em) and user stupidity (no solution, other than sandboxing the user to contain the damage).

      Even with a sandboxed app, it still has access to all of the data you have in the sandbox. If you've downloaded and installed a "virus scanner" and enabled it to access your entire filesystem, you're fucked.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:And this is a surprise? by smash · · Score: 2

      Give them root access / log them in as root for a fair comparison to the typical windows user's setup and see how long that lasts.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:And this is a surprise? by HermMunster · · Score: 2

      Win7 was supposed to be something that had technologies at the heart of it to protect users. Serious protection. I've seen a spike in my shop of Win7 infections, especially 64bit. And, on top of that these guys have been owning the machines, literally taking over and disabling the whole puzzle in order to stay active on the computer. It's really amazing.

      Win7 has been owned by these malware authors and I only expect it to get worse. Getting rid of the malware always leaves damage, such as disabled features, missing shortcuts, hidden user folders (they hide the users data so they think it's been deleted). One today in particular has all the start menu program shortcuts deleted and the user's folders hidden so they looked like they were missing. The permissions were altered to deny the owner access to their own folders (plus hidden folders like "AppData", and "Local Settings", etc). The start menu items (folders for the installed programs) were there without icons to represent what they were (just the names), and the shortcuts were deleted completely so you can't put them back.

      After installing Malwarebytes and then running scans (while in safe mode) where I removed a ton of malware, after rebooting into normal mode I watched the malware remove the shortcut for Malwarebytes off the desktop and from the start menu entries.

      Windows 7 is getting owned.

      --
      You can lead a man with reason but you can't make him think.
    11. Re:And this is a surprise? by clang_jangle · · Score: 2

      The day you guys come up with something apart from "Blame the operator" is the day Microsoft has a chance of making a secure OS.

      I don't care much for Microsoft, but there is no such thing as a secure OS. Users can be secure if they know what they need to know, but no OS is "secure" in the hands of the average user. Sad but true...

      --
      Caveat Utilitor
    12. Re:And this is a surprise? by smash · · Score: 3, Insightful

      Yes, sure. However my point is that both machines were specifically targeted (i.e., here's a mac, here's a windows box, try and own them both - at a hacking convention). In the real world, the market share of OS X is not worth bothering with, when you can get 85-90% of desktops by targeting windows. The effort expended is not worth the potential return.

      Thus, although in theory, on the test bench windows is more secure - in reality, there are a lot more Windows boxes getting owned, simply because the volume of exploits out there being developed, and the prevalence of them on the internet, is much greater.

      Look, I'm not disagreeing with the results you presented. I'm merely suggesting that in the real world you're a lot less likely to stumble across a trojan/exploit for your OS X box, because Windows is the focus of so much more exploit development.

      Ditto for those still running, say, Windows 98 or OS/2. No one codes exploits for it any more because its market share is so close to zero - yet its architecture is FAR less secure than Windows XP or 7.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    13. Re:And this is a surprise? by DigiShaman · · Score: 2

      they had conficker on 1500 servers and 20000 workstations.

      This. They're fucking worthless. The entire IT staff responsible (and possibly both the CIO and CFO for not providing proper funding) for maintaining security should be FIRED as of yesterday! Look, it's real simple to keep a malware free network. I do this every day as a sysadmin and consultant. Obviously that group needed to be spoon fed. Let's start shall we?

      1. Provide both education and a scheduled employee orientation on do's and don'ts of proper computing usage. Also remain on the lookout for signs of social engineering and scams attempting to get the user to install malware (fake AVs and bogus FedEx e-mails come to mind).

      2. Ensure all domain users have only local non-administrative access to the computers. If a local scanner or printer requires admin access, it's a shit product and should be returned ASAP. Do not compromise on this front.

      3. Implement a firewall with built-in gateway anti-virus and content filtering. SonicWALL is a good choice, but there are other solutions available too.

      4. Implement workstation and server anti-virus agents on all machines.

      5. Manage and monitor workstation security updates. WSUS is great for this. If you're stuck in development that requires IE6, virtualize or re-write the application for that fucker. But above all, do **NOT** let an application hold you back from rolling out security updates. If hiring a project manager and migrating away from IE6 costs millions of dollars, so be it, too bad. Take your beatings and lick the financial wounds later. It's for their own good anyways.

      And pardon the foul language, but Trump needs to walk in that bank and start yelling "YOU'RE FIRED!!!" to get the message across.

      --
      Life is not for the lazy.
    14. Re:And this is a surprise? by Runaway1956 · · Score: 2

      My point was, Windows users routinely run as Admin and grant Admin rights to anything that asks. Few Linux users run as root, and those seem to be a little more careful about the things they install and run.

      "trusted source" in my distro of Linux means that the repository itself has a signed key, which I trust. With three exceptions, my machine does indeed have "signed" code. The exceptions came from sources that I've learned to trust over the years.

      Random example here: https://help.ubuntu.com/community/add-apt-repository

      As you can see, that particular version of Ubuntu is more than 1 1/2 years old. So - we've had "signing" for a little while now . . .

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    15. Re:And this is a surprise? by hawkinspeter · · Score: 2

      Linux just skips the whole binaries through the web browser thing which trains users in the worst possible behaviour for avoiding malware.

      The software repositories are signed so Linux does validate that software is coming from where you think it's coming from.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    16. Re:And this is a surprise? by IRWolfie- · · Score: 2

      just because they are not infected does not mean they are functional.

    17. Re:And this is a surprise? by somersault · · Score: 5, Insightful

      Security through obscurity is nothing more than an illusion.

      I always find this funny. Passwords, PINs, encryption/decryption keys, hardware tokens etc. are all just forms of security through obscurity, too. They just are a bit more obscure than running an obscure OS when you use combinations of them, or pick a really good random password, etc.

      --
      which is totally what she said
  2. Sensationalist article much? by ferongr · · Score: 4, Insightful

    TFA: As ComputerWorld reports, during the second half of 2010, the data shows that 32bit Windows 7 computers were infected at an average rate of 4 PCs per 1,000, compared to 3 PCs per 1,000 that took place during the first half of 2010.

    A difference of 1 thousandth is beyond statistical significance. How did this entry even get to the frontpage? It boggles the mind.

    1. Re:Sensationalist article much? by John+Hasler · · Score: 3, Informative

      That is not a difference of one thousandth. It is a difference of 33%.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Sensationalist article much? by stms · · Score: 2

      What boggles my mind is that Microsoft can announce "3 or 4 in 1000 computers running Windows are infected" and think anyone will believe them.

  3. Re:RTFA by snowraver1 · · Score: 3, Insightful

    I have a HARD time believing that only 14 in 1000 windows XP machines are infected.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  4. Except by Dunbal · · Score: 5, Interesting

    Microsoft calculated the infection rates using its Malicious Software Removal Tool (MSRT) by detecting and deleting selected malware such as fake antivirus programs, worms, viruses, and trojans.

    One VERY important point is that Microsoft's Malicious Software Removal Tool considers certain programs which can be used to bypass Windows Activation as "malware", which is probably skewing the results.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Except by Brian+Recchia · · Score: 3, Informative

      Almost everybody who pirates Windows 7 does so using Windows Loader which, once they started encrypting it, has never been targeted by MSRT.

    2. Re:Except by TheThiefMaster · · Score: 2

      Have you disassembled that keygen/crack to see if it is safe? Convincing someone to run an arbitrary executable file that may or may not do what it claims is exactly the goal of malware authors, after all.

  5. Re:what is malware? by CannonballHead · · Score: 2

    This. It's hard to criticize a company for users who are ignorant or stupid (the former is understandable; the latter isn't). Statistics that are generic like this COULD point to something... but they might not, too. For example, if I came up with a statistic that said that Ford cars were crashed 10% more often than Chevy cars ... well, *maybe* there's a defect in Ford cars. Or maybe more Ford drivers are insane. Who knows?

    Unfortunately, we automatically go to "ah-ha, must be a defect" as a conclusion. Unless the company in question is Google. :)

  6. Re:RTFA by Penguinisto · · Score: 4, Informative

    I have a HARD time believing that only 14 in 1000 windows XP machines are infected.

    The reason why they came up with that number is in TFA:

    "Microsoft calculated the infection rates using its Malicious Software Removal Tool (MSRT) by detecting and deleting selected malware such as fake antivirus programs, worms, viruses, and trojans."

    In other words, they used their internal tool, which would certainly not catch all the bugaboos lurking in a given box.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  7. Re:what is malware? by cyber-vandal · · Score: 4, Funny

    Norton Antivirus is a well recognised trojan offering 'to protect your machine from threats' but in reality siphoning money from your credit card once a year and bringing your machine to a standstill.

  8. New OS by hduff · · Score: 2

    Same clueless users.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  9. So newer is NOT better? by metalmaster · · Score: 4, Insightful

    The article doesn't cover this, but I'm inclined to believe that malware authors have an easier time and higher infection rates when they target third-party software packages. As far as I know, the biggest thing to change from XP to Win7, from the user standpoint, is the more in your face security model. That makes the malware authors jump through extra hoops if they wanna get their code executed silently. However, attack a bug in a PDF reader or browser and things can be made to look like business as usual.

    1. Re:So newer is NOT better? by metalmaster · · Score: 2

      That was sort of addressed in the transition from Vista to 7. Vista would throw up a UAC prompt if you looked at your monitor the wrong way. Windows 7 only does so when you sneeze.

  10. Re:people will say OK to anything by 0123456 · · Score: 2

    The problem is the expectation that users will know when to say yes to a UAC prompt. Until users start saying cancel to UAC prompts they don't fully understand, malware will only increase.

    Have you ever seen a UAC prompt you do understand?

    Normally it's along the lines of 'Do you want to allow TrojanHorse.exe to: Access local disk?' What the hell is that supposed to mean? Is it trying to write to a file in its own Program Files directory, or is it trying to overwrite Windows core DLLs and install a root-kit? If I can't tell, how can Joe Sixpack?

  11. Re:RTFA by MobileTatsu-NJG · · Score: 2

    I have a HARD time believing that only 14 in 1000 windows XP machines are infected.

    That's because you read a lot of sensationalist Slashdot headlines.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  12. Re:UAC by istartedi · · Score: 2

    virus always represents itself as the original program you think it is

    Then don't authorize the application. Authorize a secure hash of the application's executable, which is computed when it's loaded into memory. It shouldn't add that much time to application startup on modern hardware.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
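The distinction istartedi draws above, as an added example (not code from the post, and not how UAC or any Windows component works): a name-based check versus a content-hash allowlist, run over two constructed stand-in files where a second file reuses a trusted program's name but carries different bytes.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash the executable's bytes as they would be read at load time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_paths):
    """Record content hashes of known-good binaries once, at approval time."""
    return {sha256_of_file(p) for p in trusted_paths}


def authorized_by_name(path, trusted_names):
    """The weak check: trust anything that calls itself by a trusted file name."""
    return os.path.basename(path).lower() in trusted_names


def authorized_by_hash(path, allowlist):
    """The check the post proposes: trust only an exact, unmodified binary."""
    return sha256_of_file(path) in allowlist


def demo():
    """Constructed scenario: an impostor copies the name of a trusted program.

    Returns (name check accepts impostor, hash check accepts impostor,
             hash check accepts the real binary).
    """
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "program files", "editor.exe")
        impostor = os.path.join(tmp, "downloads", "editor.exe")
        os.makedirs(os.path.dirname(real))
        os.makedirs(os.path.dirname(impostor))
        # Constructed contents standing in for real executables.
        with open(real, "wb") as f:
            f.write(b"MZ constructed stand-in for the legitimate editor")
        with open(impostor, "wb") as f:
            f.write(b"MZ constructed stand-in for a trojan reusing the same name")

        trusted_names = {"editor.exe"}
        allowlist = build_allowlist([real])

        return (
            authorized_by_name(impostor, trusted_names),  # fooled by the name
            authorized_by_hash(impostor, allowlist),      # bytes differ: rejected
            authorized_by_hash(real, allowlist),          # exact binary: accepted
        )


if __name__ == "__main__":
    print(demo())
```

The flip side of the approach is that every legitimate update changes the hash, so the allowlist has to be refreshed through a trusted channel or the updated program is refused too.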
  13. Re:people will say OK to anything by kevinmenzel · · Score: 2

    I understand that I'm being asked to trust the actions of "TrojanHorse.exe". Which is what UAC really does - tells the user that the application is about to do something that requires you trust the application. It doesn't tell you what that application is going to do, just asks "Hey, do you trust this? It's doing things which are outside the bounds of normal trust". So the question isn't "Can I understand the prompt" per se - because it's always a relatively simple question. More often it's a question of "Should I trust this program?". On the install end, most installers throw UAC, so it's not particularly helpful. But these days, most applications DON'T throw UAC during normal operation. So the utility of UAC is "Before I click yes to this, I should reevaluate that I trust this program, because it's asking for special permissions to do something".

    Some programs are going to require admin access to do certain things. The programs that the average slashdot user might use are actually probably more likely to legitimately require elevation to run properly compared to the programs the average user SHOULD be using. So it's actually probably harder for us - given the prompt's lack of detail - to reevaluate that trust - but it's - generally speaking - more black and white in normal user land.

    It's not perfect. UAC could give more details, and then us nerds could create websites saying "Oh, app such and such asking for x, y, but not z is probably reasonable" and then users could check the list, and blindly follow it... but is that better for them? Another list to blindly follow?... I dunno. This is why ChromeOS and iOS and the like take off with users. Any admin type access is "omgbad". That will never be true on a system that you actually administrate.

    (UAC has the benefit, btw - of not actually just being "Cancel or Allow" if the user faced with the prompt is a normal non-admin user. It requires elevation to an account with that access. So if Joe Sixpack has a son that knows computers - maybe Joe should be running as a non-admin account - but I'm not going to ask that every machine in the world has users shipped as non-admin accounts as default - because those users are also the admins of those machines, and will have the admin password anyway... so... it doesn't actually change anything in that scenario, it's just replacing "press ok" with "type Username/password and press OK" - which is frankly, the same thing.)

  14. Re:UAC by Man+On+Pink+Corner · · Score: 3, Informative

    I'm a little unclear on how authorizing on a per-application basis, using a hashed ID as the other user mentioned above, would open up a significant attack surface. I agree that UAC works, and that it isn't easily circumvented... but still, I should have the ability to disable it on a per-application basis, and optionally for any processes spawned by that application.

    Obviously that's an insecure practice on my part and should be done only with care, but turning UAC off entirely really does expose a huge attack surface, and that's what I'm doing now, along with a few million other Windows users who might or might not understand the implications of what they're doing.

  15. Re:RTFA by hairyfeet · · Score: 5, Interesting

    Let this old PC repairman enlighten you as to why those numbers are so low on XP. It is because the data is collected using the Malicious Software Removal Tool, which any repair guy that has had one of the bazillion "Razr1911 WinXP Pro Corp SP2" boxes cross their desk knows that they all have Windows Updates turned off (to keep from getting WGA'd) and are infected with more viruses than a Bangkok Whore.

    I'd love to see the numbers of XP infections pre WGA and after, along with how many pirate versions are out there. Because while I can understand MSFT wanting to stop piracy (but IMNSHO they royally fucked up by getting rid of the Win 7 HP $50 upgrade, as that thing turned more pirates into legit users than I'd ever seen) but anyone who has worked repair for any length of time knows there are a shitload of pirate Windows out there and nearly all have updates off.

    It isn't just the "Crazy Dave's house of whitebox" BTW, it is all those that decided they didn't want to pay for an upgrade that got their "smart PC friend" who has every Razr1911 version on a spindle, and there are even plenty out there that have legit keys that aren't being used because the guy they took it to has a Razr1911 automated install and simply never bothered to change the keys, or the box had XP Home and all they had was the Razr XP Pro. Finally you have all those pre Vista Cheapo Best Buy and other retail joints that have autoupdates turned OFF for some damned reason, probably to cut down on those "OMG my PC has a yellow thing in the right corner OMG!" support calls.

    In the end I can tell you I probably get 3 minimum cross my desk a week that haven't ever seen an update, and most are infected all to hell. I see so damned many PCs missing tons of updates that I keep WSUS Offline on my network fully loaded with every update for every OS from Win2K Pro to Win 7 X64, just so I don't have to waste time and bandwidth on updating all these damned machines. MSRT might give you a tiny taste of what is going on, but since WGA I'd say its data really isn't worth much.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  16. Re:RTFA by hairyfeet · · Score: 2

    While it IS true that WGA has been hacked, and Windows 7 BTW is easier to pirate than XP, the problem is while most pirates know how to do this the clueless users do NOT, which is why the pirates simply turn off Windows Updates. I'm just now starting to see it with Windows 7; all those OEM hacks that came out with the RTM version are starting to fail left and right and people are going WTF?

    But like I said killing the $50 HP upgrade was some kind of stupid, because that is what I kept seeing show up on formerly pirate boxes. Now I'm starting to see Windows 7 boxes with updates turned off because the pirates can't tell the guy that gave them $50 to put Windows 7 on "Yeah you'll have to hunt down WGA killer every couple of months BTW" so instead they just go in and kill updates.

    Soon enough we'll see the Windows 7 botnets all made up of pirated machines just like I've been seeing with all the Razr1911 XP Pro boxes. BTW you know how you can spot a pirated Windows 7 at a glance? Even on the shitboxes they put Windows 7 Ultimate. I saw the same with XP Pro and Vista Ultimate, the pirates don't bother with the lower SKUs so it is ALWAYS the top one. Hell I even once had the owner of another shop ask me "Can you make our machines so they'll update to our server?" and when I asked him why he would want that he handed me a copy of "Razr1911 Vista Ultimate". And before anyone asks NO I did not call MSFT, they won't even give us any breaks at all for little shops so fuck them. I just laughed at the guy and walked away.

    But MSFT is full of shit if they think they know ANYTHING about the number of pirate Windows out there, because in reality for every one that updates there are probably 1000 that don't. Hell even the junkers you find at yard sales and flea markets are all running hot Windows; it has gotten to the point that I pretty much assume it's pirated unless I see the sticker. What MSFT doesn't realize is the user doesn't have to know shit about how to pirate, all it takes is 1, just 1, guy who "knows PCs" to spread pirated Windows copies far and wide. It ain't exactly brain surgery.

    --
    ACs don't waste your time replying, your posts are never seen by me.