Slashdot Mirror


Malware Scanner Finds 5% of Windows PCs Infected

BogenDorpher writes "According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs are infected with malware. Microsoft's Safety Scanner was downloaded 420,000 times in just one week of availability and it cleaned up malware or signs of exploitation from more than 20,000 Windows PCs, according to statistics generated by Microsoft's Malware Protection Center. This resulted in an infection rate of nearly 5%." That seems an awfully low number, based on how quickly Windows machines are scanned for plunder after going online; though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds. That was just one instance, and an intentionally vulnerable machine, but have improvements in security software, and in Windows itself, made things so much better since then?

46 of 232 comments

  1. Of those who actually asked for help by betterunixthanunix · · Score: 4, Insightful

    So a significant number of computers that downloaded the malware removal tool had malware on them. How is that surprising? Unless the installation of this tool is uniformly distributed amongst Windows users, which TFA is not entirely clear on...

    --
    Palm trees and 8
    1. Re:Of those who actually asked for help by kvvbassboy · · Score: 4, Insightful

      What? I would say that it's the other way around. I would guess that the actual infection rates are higher. I bet that many of the people who didn't download this tool are probably the same people who are running an expired version of McAfee on their Windows XP without any Service Packs applied.

      Just recently, my parents were complaining about how their computer was behaving very slow and strangely. The number of malware, crapware and toolbars I had to uninstall via remote desktop using Teamspeak (we live on different continents) was enormous. Lol!

  2. The end of the article notes... by Sir_Sri · · Score: 4, Insightful

    "Safety Scanner, which replaced an older online-only tool, uses the same technology and detection signatures as Microsoft's free consumer-grade Security Essentials antivirus program and its Forefront Endpoint Protection product for enterprises."

    Considering that by now everyone should run SOME anti virus, of which MSE is a legally free option, and that something which uses MSE's signature database finds 5% of machines have been compromised I don't think says much about computer security as a whole. Obviously there are a lot of users who *still* don't have anti virus software, which isn't really news. But MS can't exactly go including free anti virus in their OS without screams of anti trust.

    1. Re:The end of the article notes... by Samantha Wright · · Score: 4, Funny

      Well. First you'd need some malware that actually runs on XP x64...

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    2. Re:The end of the article notes... by lowlymarine · · Score: 4, Funny

      Well at least that would finally make SOMETHING that runs on XP x64.

  3. Yes. by artor3 · · Score: 4, Insightful

    > That was just one instance, and an intentionally vulnerable machine [four years ago], but have improvements in security software, and in Windows itself, made things so much better since then?

    Yes.

    Is it really surprising that computers with service packs, hot fixes, virus scanners, and firewalls are significantly more secure than those without?

    Of course, it's also worth noting that the real infection rate is probably at least a little bit higher. The people who don't download this particular scanner are the same ones who wouldn't download the aforementioned service packets, hot fixes, virus scanners, and firewalls. The unanswered, and perhaps unanswerable, question is how many such people are out there.

    1. Re:Yes. by Penguinoflight · · Score: 4, Insightful

      Don't forget about those who have viruses but the malware removal tool was unable to either detect or remove them. If you can't churn out a virus that can beat the standard set by microsoft you're in the wrong business.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    2. Re:Yes. by Anonymous Coward · · Score: 2, Insightful

      Exactly, it wasn't AV that killed worms, it was the NAT routers which became standard PC equipment for non-techies between ~2002-2004.

      On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.

    3. Re:Yes. by recoiledsnake · · Score: 2

      > On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.

      [citation needed], even if it is with the default firewall turned off, for Vista and Windows 7.

      --
      This space for rent.
  4. Bad sampling techniques ... by MacTO · · Score: 2

    Maybe the number is accurate, maybe it isn't. But the one thing that strikes me is that this is not an entirely random survey since there are too many factors that can affect the sampling. Examples: people who do not update their software (including but not limited to this scanner) are probably more likely to have an infected machine, making the number low. Yet institutional PCs that are professionally managed (and are likely to use third party solutions) are probably less likely to be infected, making the number high. So that 5%, as good or as bad as it may sound to you, is actually just a number thrown around by the marketing department.

  5. Re:How many are Macs? by tverbeek · · Score: 2

    Pretty much, yeah.

    --
    http://alternatives.rzero.com/
  6. Exactly by Giant Electronic Bra · · Score: 4, Interesting

    All this really 'proves' is that 95% of the people who are smart enough to download a free AV program didn't have an infection. Let's see, who uses those? Oh, I know! People who take precautions... When do they do it? BEFORE they get infected, lol.

    While it is an interesting datapoint to hobnob about, this actually says ZILCH about Windows infection rate, except it probably can't possibly be LESS than 5%.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    1. Re:Exactly by Anonymous Coward · · Score: 2, Insightful

      You can't draw that conclusion, either. You say that the people who download virus scanners are the smart ones who take precautions. That makes sense. But another big group that downloads virus scanners is the people who have reason to believe they have a virus. For all we know, 5% could be artificially LARGE because of that.

      We just can't draw these sorts of conclusions from this study.

  7. "as of 2007" by QuasiSteve · · Score: 5, Informative

    Honestly? "as of 2007"? In computer terms, that's several lifetimes.

    Not only that, but just because the news article linked to has 2007 at the top, doesn't mean the findings were from 2007. The news article in which the author "just read an incredible scary article" links to said incredible scary article - http://news.bbc.co.uk/2/hi/programmes/click_online/4423733.stm - from 2005. So not only was the news article writer 2 years behind the times, you're now suggesting that we should believe that you find it incredulous that things may have improved in 6 years' time?

    In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

    Then again, by April 2005, SP2 was also distributed and guess what it enabled by default? Windows Firewall. The worm in the original article, Sasser, would not have gotten very far.

    Then again, Sasser would not even have been on the system if they bothered to install the update that fixed the hole that Sasser would eventually exploit.

    It's just not a very convincing example to begin with, and certainly not one you should be citing 6 years later.

    1. Re:"as of 2007" by VortexCortex · · Score: 2, Interesting

      > In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

      With great new code-bases comes great vulnerability.

      I just "removed" (and by remove I mean re-format re-flash BIOS and reinstall Windows) a bit of malware (Banker Rootkit Variant) that exploits a Java vulnerability via applet (JRE was up to date, but the old exploitable versions are still there, and can be targeted -- remove them now), then installs a rootkit via kernel driver -- Somehow miraculously bypassing the fact that drivers must be signed on 64bit MS OSes -- Oh, it's not that special it just disabled UAC first via the registry (ran a .reg -- Yes, seriously, WTF MS), then enabled "debugging mode" which disables the signed driver checks (I know, right?), then it installs a new root certificate authority in the web browser and updates the hosts file so that when you connect to several banking websites it can intercept the traffic with no security warnings in the browser -- Hint: always view the cert before you enter your credentials.

      You can tell me that the brand spanking new batch of code is "more secure" than some other batch of code only after they've both been in use for the same period of time, and I can compare the numbers. "More Secure" can not be claimed until it is proven.

      IMHO, Why throw out XP64/32? (sp3 is basically just an update roll up, not a whole new codebase -- 1045 days left, BTW) They were finally getting a lot of the bugs hammered out. If we did that with Linux / Unix every couple of years they would be a security clusterfuck too. (scares me that Torvalds is thinking of retiring the 2.6 kernel to move to 2.8 or 3.0...)
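
The hosts-file redirection described in the comment above can be checked for from the defender's side. The following is an added example, not part of the original thread: it parses a hosts file and flags entries that point watched names at a non-loopback address. The sample file and the watchlist domain `examplebank.test` are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file for illustration; not taken from a real infection.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # sinkhole entry used for ad blocking
203.0.113.45    www.examplebank.test login.examplebank.test
198.51.100.7    intranet.corp.example    # admin's own custom entry
not-an-ip       broken.example
"""

# Hypothetical list of domains that should never be overridden locally.
WATCHLIST = ("examplebank.test",)


def parse_hosts(text):
    """Return (line number, address or None, [names]) for every non-empty entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None  # first field is not an IP address
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append((lineno, addr, names))
    return entries


def is_watched(name, watchlist):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify entries as 'redirect', 'review' or 'malformed'.

    redirect:  a watched name is mapped to a routable address
    review:    any other name mapped to a routable address (may be legitimate)
    malformed: the line does not parse as 'address name...'
    Loopback and 0.0.0.0 / :: entries are ignored: they can only block a
    name, not send its traffic to another host.
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None or not names:
            findings.append((lineno, "malformed", names))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        watched = [n for n in names if is_watched(n, watchlist)]
        others = [n for n in names if n not in watched]
        if watched:
            findings.append((lineno, "redirect", watched))
        if others:
            findings.append((lineno, "review", others))
    return findings


if __name__ == "__main__":
    for lineno, kind, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {', '.join(names)}")
```

A custom entry shows up as `review` rather than `redirect`, because a hosts file alone cannot tell an administrator's override from a malicious one.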

  8. information is insufficient by belmolis · · Score: 4, Insightful

    We don't have enough information to estimate the infection rate. For one thing, we don't know how good the scanner is. If it misses a lot of malware, the infection rate may be much higher. We also don't know what kind of sample the downloads comprise. If only people who think they have an infection are downloading it, then the sample is biased high and the real infection rate may be much lower. Since it only detected infections in 5% of cases, either the scanner is very bad or people are downloading it as a precaution, not once they think they have an infection. If they're downloading it as a precaution, that probably means they are particularly security conscious, in which case the sample is probably biased toward a low infection rate. Overall, it looks like without more information the percentage of machines found to be infected by this scanner tells us very little.

  9. NAT to the rescue! by ka9dgx · · Score: 4, Insightful

    The IP6 folks hate NAT, but it's the only thing that's saving personal computing at the moment. Because random inbound connections don't pass through NAT devices, any home PC behind one is MUCH safer than one directly on the internet. It sucks in terms of the end to end utility of the internet, but it's the tradeoff most users are willing to make for reasonable safety.

    1. Re:NAT to the rescue! by WuphonsReach · · Score: 4, Interesting

      Outbound-only IP6 firewalls will offer the same level of security as NAT. With a few other advantages as well.

      What will remain to be seen is whether the firewall devices can be:

      - Properly configured or come with sane defaults.
      - Fail in a safe manner rather than suddenly just allowing every connection through.
      - Can't be switched to completely transparent by attack software.

      It will be interesting in a few years as IPv6 finally takes off. I think the 3rd option is going to be the interesting one. In an IPv4 NAT'd network, the attacker has to (a) know the internal IPs and (b) add an inbound port forward to the NAT device. In the IPv6 firewall scenario, because the devices inside the network already have routable addresses, if they can open up the firewall then they win.

      The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.

      A few years, as in enumerating 2^64 addresses and processing 1 million per second means you need about 585,000 years. There are ways to fine that down such as only searching the list of valid MAC addresses, which cuts the size down to 2^40 to 2^48. And you could fine that down even more by only looking for popular MAC addresses, which would probably make it 2^36 to 2^40 roughly. Scanning 2^32 @ 1 million / second takes about 80 minutes, 2^36 is 19 hours, 2^40 is 305 hours. Of course, attempting to scan 1 million hosts per second would bury most boxes and would probably require 10Gbps to pull off.

      Compare that to today's networks where the local network segment usually only has 256 to 4096 possible addresses. Multiple orders of magnitude easier to scan.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:NAT to the rescue! by Anonymous Coward · · Score: 2, Informative

      NAT is NOT security. If you want security, the most basic setup is called a stateful firewall. You may want to read about it.

      http://en.wikipedia.org/wiki/Stateful_firewall

      Even better, close down all services that you do not need listening. Application level firewall is another good idea.

      If your security is NAT alone, then it's a sad state of affairs. NAT masks security, nothing more..

      PS. For all the NAT-lovers, there exists an IPv6-NAT too. So saying that IPv6 == cannot have NAT is wrong. On Linux, stateful firewall is a prerequisite for NAT capability anyway.

    3. Re:NAT to the rescue! by ka9dgx · · Score: 2

      I know that NAT doesn't help security against an advanced persistent threat, but it does scrape off the top 99% of all attacks, which is a big plus.

      A stateful firewall can scrape off another 99%.

      Locking down each service with AppArmor can scrape off another 99%

      Which means you'll still have no effective security against an advanced persistent threat... you'll only be stopping 99.9999%, not all of it.

      Capability based security might give you another 99%, which is good, but not enough.

    4. Re:NAT to the rescue! by 0123456 · · Score: 2

      As for "end to end" blockages -- If you don't know how to port-forward, enable UPnP -- everything supports it these days, even ports of old games like Doom.

      Never, ever, ever enable UPnP if you care about security. Allowing random applications to open up random ports is just asking to be pwned.

  10. Not serious by lucm · · Score: 2

    > though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds.

    These numbers mean nothing. Just like statistics about domestic abuse ("1 woman in 3 is a victim of abuse"), that kind of thing cannot be measured so someone comes up with a pseudo-scientific number and everybody keeps repeating this stuff ad nauseam like Rush Limbaugh on election week.

    Individual malware is having way too much exposure in the media for its actual damage. In an era where legitimate companies such as Facebook or Google are cornering the market on privacy violation and shameless data-mining, nobody gives a sh*t about Uncle Joe's private information. Credit card numbers are traded by the thousands and it is not cost-effective to try to harvest valuable information from individual PCs - financial institutions and service providers (PSN!) are a much better target.

    The name of the game is now large-scale deployment and a botnet that does not protect its nodes does not live long enough to justify an article on Wikipedia. Actually for home users I would even argue that being part of a botnet can be a good thing - the operators know what malware is serious and they have a financial stake in maintaining a healthy network of zombies; they will keep the basement wannabes away. On a global scale they are the ones with the best interest for home PC security - much more than most PC owners themselves. It's like joining a gang when you go to jail for a long time - be part of the swarm and the odds that you end up becoming a silent farter are much lower.

    --
    lucm, indeed.
  11. The name "Safety Scanner" sounds like Malware by Salvo · · Score: 2

    Even if it isn't actually MalWare, the name "Safety Scanner" is as suspect as "Windows Recovery" or "MAC Defender".
    I would have thought Microsoft's marketing department (arguably one of the greatest marketing departments in Info Tech), could have come up with something less dodgy than "Safety Scanner".

    Maybe the people who were inclined to download and install "Safety Scanner" are the same people who are inclined to download and install "Windows Recovery". Making the estimate of 5% high.

    Conversely, maybe the people using "Safety Scanner" were more conscientious about Computer Security and were seeking out extra protection. Making the estimate of 5% low.

  12. Malware? Scareware? by sillivalley · · Score: 3, Insightful

    Ran this thing on a server that lives in the closet. It complained that my custom hosts file was very suspicious. It also didn't like the VNC client.

    So this machine was infested with malware? I don't think so!

    Yet another scareware scanner!

    1. Re:Malware? Scareware? by Blakey Rat · · Score: 3, Insightful

      VNC can legitimately be used as spyware in the classic sense. When someone remotely logs in, the local computer shows no indication that activity is being observed by someone else. (Contrast with Microsoft's Remote Desktop, where logging in remotely kicks the local user off and locks their screen.)

      It's exactly the kind of thing this tool is supposed to be scanning for. What makes you think it's a false report? The scanner has no way of knowing whether you installed it, or someone else did behind your back.

  13. 10 seconds, back in 2007...not true now, though. by Shoten · · Score: 4, Informative

    One big thing has happened since 2007: Windows has started shipping with the Windows Firewall turned on by default and blocking inbound requests. Since network-spreading worms were the primary contagion factor back in 2007, this made a huge impact all by itself. Also, the growing prevalence of dynamic NAT in households (usually from the wireless routers that everyone has these days) also contributes to this.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  14. Observation gives the indication by dbIII · · Score: 2

    it does not mean that the XP machines have gone unpatched since 2007.

    No, what does tell me and should tell you is simple observation. Many XP machines in homes do not have automatic updates turned on and have never been updated after the day they were purchased. There are also a vast number of cracked copies of XP out there which have never been updated because the users are worried that an attempt to download updates will identify their XP as copies instead of purchased software.

  15. 10 seconds - a load of horse manure! by Retron · · Score: 2, Insightful

    Those "Windows machines get attacked in 10 seconds" type things are utter rubbish. It was quoted at a recent security conference I went to and I interrupted the speaker about it as it's a blatantly false claim.

    I have an unpatched Windows 2000 machine behind a cheap Netgear router. It's never once been attacked and it sits on the Internet 24/7 sending weather data to an FTP site. It doesn't get used for anything else and it's been up for four years now. The hard drive is too small to install the service packs (the machine is a P133 from 1996).

    Furthermore, I don't know what ISP these people are using but I get a couple of port scans a day (at most) coming into my router. I'm on a static IP too.

    It's my opinion that the 10-second claim (or 4 minutes, as in the one I heard at that security conference) was made up by a security vendor in order to hawk their products. The claim has then been spread over the years, Chinese Whispers style, until it's accepted as a truth.

  16. Re:How many are Macs? by Hylandr · · Score: 2

    It's interesting to note that the number of infected PCs is exactly 5% of the computers that had that tool installed. Not 5% of all machines as the article implies.

    Slow night on slashdot?

    - Dan.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  17. Ignoring 3rd party crapware by Khyber · · Score: 4, Insightful

    These are likely not so bad without exposure to Adobe and Java.

    Let us be honest for once.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Ignoring 3rd party crapware by Blakey Rat · · Score: 2

      (Flash is Adobe.)

      The biggest issue with Flash's updater is that it doesn't even attempt to check for an update until the computer is rebooted. I'm sure this works for a lot of people, but I basically never reboot my computers-- god knows how many unpatched Flash vulnerabilities I have! Hell, it may be zero. I won't know until I reboot.

      It's actually safer to run Chrome, which has its own internal copy of Flash and an updater that... actually works correctly. Of course, then even the problem is you still need the Adobe Flash plugin for applications like Steam that have embedded browsers, so you really lose either way.

      I can't speak for Java, since I make it a point to never run Java after getting a particularly nasty virus from it several years back.

      But at this point, I wager Flash and Java are responsible for three times the viruses of any Microsoft technology. People need to stop the Microsoft bashing on security, and start giving shit to the real culprits in a Windows 7 world.

  18. Information insufficiency by Asmahuq · · Score: 2

    I think lack of information can make a biased output about infection rate. So infected rate that is proved by this scanner gives us a little part of whole scenario. http://www.pranon.com/

  19. Wonder how many wine users are infected by G3ckoG33k · · Score: 2
  20. Re:Security has improved by Securityemo · · Score: 2

    How would you know? A sufficiently full-featured 0day exploit/rootkit payload could have compromised the system without you ever noticing, exchanging information with the outside world using data steganographically encoded into banner ad traffic at the network driver level. Better break out the kernel debugger. :D

    --
    Emotions! In your brain!
  21. Re:Security has improved by SuricouRaven · · Score: 4, Informative

    It used to be true, back before everyone used a home router that acted as a firewall. I remember a couple of times years back when I installed Windows XP, connected up the cable/ADSL modem to get a service pack in, and the system was infected before the service pack had finished downloading. Back then infection was often via exploiting the many exploitable services Windows runs, which was only possible when there was no firewall (The Windows one wasn't enabled by default back then, and in any case makes exceptions for those exploitable services!). Today, as most users have a firewall even if they don't know what one is, the main vector is the web - either malicious websites, or exploits served up as ad-banners.

  22. Re:Somehow.. by SuricouRaven · · Score: 2, Informative

    I'm a bit of an expert. Professional IT technician, confident in using all versions of windows, linux and OSX. I code. I've done a bit of cracking myself - nothing major, but I know how exploits work. I'm careful. I don't get dodgy executable code from disreputable sites. I've got a good firewall, a squid proxy configured with a long blacklist of ad-servers.

    I still got infected yesterday with the loathed fake-antivirus (The author is actually known, but in Ukraine). Sneaky thing managed to trick me by taking the filename SkypeUpdate.exe - so when it popped up with the permission request from windows, I just thought it was Skype running another update and clicked ok.

    Took me twenty minutes to kill the thing. Finding and deleting the executable was easy enough, but it has the niftily evil trick of making itself the default file association for .exe files... thus making it impossible to run them. In the end I had to use a command prompt to launch firefox and notepad, find a .reg file online that would reset the associations, paste it into notepad and use that to fix the association. I'm still not sure I found all the damage.

  23. Re:Security has improved by Samantha Wright · · Score: 2

    And also herd immunity: you're less likely to get infected if everyone else is exempt from being capable of infecting you. Firewalling routers really don't get enough love for their role in reducing the internet's trash density.

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  24. Re:Security has improved by hairyfeet · · Score: 4, Informative

    Bingo! As someone who fixes these things every week while there are still plenty of Adobe exploits I've noticed since Win 7 came out they simply haven't been using OS exploits like they used to, now they run social engineering because it is always easier to take control if the user helps you and by appealing to their greed, desire, or fear it really ain't hard to get them to go along.

    The big attack vectors I'm seeing day after day, in no particular order, are: 1.- The "you want teh hot lesbos? you need to run our Iz_not_Viruz_iz_codec.exe to play teh vidz!" 2.- The "ZOMg you got teh viruz! To fix run our Iz_not_Viruz_iz_cleanerz.exe to get rid of it ZOMG!" 3.- The "Use the new Limewire (Iz_not_Viruz_iz_Limewirez) to download teh latest Titney_Spearz.mp3.exe tunez today!" and 4.- "Hey my BFF sent me a funny cat video! It says I should run Iz_not_Viruz_iz_LOLCatz to see teh kittiez!"

    As you will notice with ALL of the above you simply don't have to bother with an exploit for ANY of those, as the user IS the exploit and is the weakest link. The last major "WTF?" that MSFT had, the "Hey lets run everybody as admin!" officially died with Vista and since 7 doesn't bug the crap out of folks with "Cancel/allow?" boxes every three seconds UAC has been left on and along with low rights mode in IE and Chromium based is doing a good job, as we saw by the numbers released the other week where there are only 4 per 1000 7 machines infected VS 14 for XP.

    But as long as you have people willing to ignore or even turn off their AV (as I had the other week with a customer and the "Iz_Not_Bug_Iz_Limewire") because a malware writer waved a cookie in front of them then frankly I don't see what else can be done besides what MSFT is already doing with the free MSRT and MSE. And as we have seen with first MacDefender and now MacGuard (which doesn't even need the password anymore) on OSX and the nasty Android trojan apps it doesn't matter whether you are on an alternative OS or not, all that matters is whether or not the bad guys want in bad enough to do the work and whether you have any users who'll run "Iz_Not_Bug_Iz" style apps. Sadly I've found that WAAAY too many are more than happy to do just that.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  25. Re:Somehow.. by wesleyjconnor · · Score: 3, Interesting

    What browser are you using 'bit of an expert'? I haven't run antivirus for 10 years and I've never been infected, I torrent things daily and I've seen some of the seediest burrows of the web. Navigating the web is a sixth sense grown over years of use, same as any skill. You know a good torrent just by looking at it, you know a dodgy website as the first image loads. You have been doing this so long you don't even SEE the ads in a page. Amateur hour is over.

  26. Re:MSRT Installations by benjymouse · · Score: 2

    Though it doesn't name it in TFA, I'm betting that this also has something to do with the Malicious Software Removal Tool that is a part of normal Windows updates. This is downloaded and installed and run by default if you let Windows Update do its thing without manually configuring which update to install and which to ignore.

    If you had bothered to read just the first 2 paragraphs of the computerworld article linked to you would have noticed this:

    Microsoft cited that statistic and others from data generated by its new Safety Scanner, a free malware scanning and scrubbing tool that re-launched May 12.

    And if you follow the link to the actual software, Microsoft Safety Scanner, this is the introduction:

    Microsoft Safety Scanner

    Do you think your PC has a virus?

    The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

    Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

    The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

    So no, this is *not* based on reporting back from MSRT. This is reporting from a tool which is labelled as a diagnostics one-off tool (works for 10 days) for users who think that their computers *may* be infected. Drawing any conclusion about infection rates from a self selected population is stupid if not outright dishonest. Timothy who wrote the hit-paragraph about the time2pwn of an unpatched XP box is most certainly being deliberately dishonest as a slashdot editor should be able to display a minimum of common consideration.

    As usual the headlines are skewed by editors trying to drum up clicks and thus advertising revenue. The *text* of the original article is actually fair to the point that this is a self-selection and never claims what is in the headline. The CW editor obviously took a little liberty on the title. The title used at the front page and on slashdot is even more skewed with no basis at all, not in the article and not in reality.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  27. Re:67MB ? by benjymouse · · Score: 2

    And only valid for 10 days. No updates, have to re-download the whole thing to have the new definitions. It's *bigger* than most AV software...

    What the heck MS ????

    Maybe it was not intended to be "AV software"? From the front page of Microsoft Safety Scanner (emphasis mine):

    The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

    ...

    The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

    For real-time protection that helps to guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  28. Re:Somehow.. by SuricouRaven · · Score: 2

    Not quite. I run firefox, but no adblock - instead I use the squid proxy and its blacklist, which I update every time I see some ads slip through. In this case my defences were compromised: I was away from home, using a public wifi hotspot, and thus running proxy-less.

  29. I don't use an anti-virus on Windows by transporter_ii · · Score: 2

    I don't run an anti-virus because it slows the PC down. I have a good system worked out. I have a KVM switch with Windows on one PC and Linux on the other PC. I use Windows for my programs that won't run on Linux, and Linux to get on the Net with. I keep the amount of important stuff to a minimum on Windows, so I can reinstall easily if needed.

    My windows runs very fast even on a PC with mediocre specs, and I go for years without trouble on it, though I won't say I have never had any viruses.

    Now my kids, they can touch a Windows machine and, between facebook and free mp3 downloaders, have a virus on it in five minutes. I cringe when I see them on my windows machine.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  30. Windows XP + DOCSIS 2 by Nemo's Night Sky · · Score: 2

    Almost a decade ago I watched as a blaster variant compromised an XP machine BEFORE THE INSTALL HAD COMPLETED. Microsoft in their infinite wisdom thought it would be cool to enable remote procedure call before you even get a desktop up. (I guess unattended setup scripts weren't enough?) Had to re-install disconnected, patch it, then setup networking. I had no machine at the time to make a patched install disc. None of that would have been a problem if I could have installed my firewall software before Windows started RPC.

  31. Re:Security has improved by AliasMarlowe · · Score: 2

    Ahh... don't you just love smell of a fresh straw-man in the morning.

    Are you deliberately denying reality or just giving us a personal demonstration of the Dunning-Kruger effect?

    Did you even check the links in TFS? Here's the one from Information Week in 2007 which describes one such experiment. The unpatched XP PC stayed clean for all of 8 seconds connected without firewalls to the internet. Then Sasser and other bad stuff started installing itself on the PC. GP's assertion is valid - an unpatched XP PC can be compromised in less than 10 seconds without a firewall.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  32. How to build a Windows machine in 10 seconds? by ZipK · · Score: 2

    If the grace period from going on line to infection is only 10 seconds, how does one build a Windows machine that is secured with the latest patches - given that you need to be on line to get the patches from Microsoft?