Malware Scanner Finds 5% of Windows PCs Infected

BogenDorpher writes "According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs are infected with malware. Microsoft's Safety Scanner was downloaded 420,000 times in just one week of availability and it cleaned up malware or signs of exploitation from more than 20,000 Windows PCs, according to statistics generated by Microsoft's Malware Protection Center. This resulted in an infection rate of nearly 5%." That seems an awfully low number, based on how quickly Windows machines are scanned for plunder after going online; though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds. That was just one instance, and an intentionally vulnerable machine, but have improvements in security software software, and in Windows itself, made things so much better since then?

Of those who actually asked for help

[betterunixthanunix]

So a significant number of computers that downloaded the malware removal tool had malware on them. How is that surprising? Unless the installation of this tool is uniformly distributed amongst Windows users, which TFA is not entirely clear on...

Re:Of those who actually asked for help

[kvvbassboy]

What? I would say that it's the other way around. I would guess that the actual infection rates are higher. I bet that many of the people who didn't download this tool are probably the same people who are running an expired version of McAfee on their Windows XP without any Service Packs applied.

Just recently, my parents were complaining about how their computer was behaving very slow and strangely. The number of malware, crapware and toolbars I had to uninstall via remote desktop using Teamspeak (we live on different continents) was enormous. Lol!

The end of the article notes...

[Sir_Sri]

"Safety Scanner, which replaced an older online-only tool, uses the same technology and detection signatures as Microsoft's free consumer-grade Security Essentials antivirus program and its Forefront Endpoint Protection product for enterprises."

considering that by now everyone should run SOME anti virus, of which MSE is a legally free option, and that something which uses MSE's signature database finds 5% of machines have been compromised I don't think says much about computer security as a whole. Obviously there are a lot of users who *still* don't have anti virus software, which isn't really news. But MS can't exactly go including free anti virus in their OS without screams of anti trust.

Re:The end of the article notes...

[Samantha+Wright]

Well. First you'd need some malware that actually runs on XP x64...

Re:The end of the article notes...

[lowlymarine]

Well at least that would finally make SOMETHING that runs on XP x64.

Yes.

[artor3]

That was just one instance, and an intentionally vulnerable machine [four years ago], but have improvements in security software software, and in Windows itself, made things so much better since then?

Yes.

Is it really surprising that computers with service packs, hot fixes, virus scanners, and firewalls are significantly more secure than those without?

Of course, it's also worth noting that the real infection rate is probably at least a little bit higher. The people who don't download this particular scanner are the same ones who wouldn't download the aforementioned service packets, hot fixes, virus scanners, and firewalls. The unanswered, and perhaps unanswerable, question is how many such people are out there.

Re:Yes.

[Penguinoflight]

Don't forget about those who have viruses but the malware removal tool was unable to either detect or remove them. If you can't churn out a virus that can beat the standard set by microsoft you're in the wrong business.

Exactly

[Giant+Electronic+Bra]

All this really 'proves' is that 95% of the people who are smart enough to download a free AV program didn't have an infection. Lets see, who uses those? Oh, I know! People who take precautions... When do they do it? BEFORE they get infected, lol.

While it is an interesting datapoint to hobknob about, this actually says ZILCH about Windows infection rate, except it probably can't possibly be LESS than 5%.

"as of 2007"

[QuasiSteve]

Honestly? "as of 2007"? In computer terms, that's several lifetimes.

Not only that, but just because the news article linked to has 2007 at the top, doesn't mean the findings were from 2007. The news article in which the author "just read an incredible scary article" links to said incredible scary article - http://news.bbc.co.uk/2/hi/programmes/click_online/4423733.stm - from 2005. So not only was the news article writer 2 years behind the times, you're now suggesting that we should believe that you find it incredulous that things may have improved in 6 years' time?

In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

Then again, by April 2005, SP2 was also distributed and guess what it enabled by default? Windows Firewall. The worm in the original article, Sasser, would not have gotten very far.

Then again, Sasser would not even have been on the system if they bothered to install the update that fixed the hole that Sasser would eventually exploit.

It's just not a very convincing example to begin with, and certainly not one you should be citing 6 years later.

information is insufficient

[belmolis]

We don't have enough information to estimate the infection rate. For one thing, we don't know how good the scanner is. If it misses a lot malware, the infection rate may be much higher. We also don't know what kind of sample the downloads comprise. If only people who think they have an infection are downloading it, then the sample is biased high and the real infection rate may be much lower. Since it only detected infections in 5% of cases, either the scanner is very bad or people are downloading it as a precaution, not once they think they have an infection. If they're downloading it as a precaution, that probably means they are particularly security conscious, in which case the sample is probably biased toward a low infection rate. Overall, it looks like without more information the percentage of machines found to be infected by this scanner tells us very little.

NAT to the rescue!

[ka9dgx]

The IP6 folks hate NAT, but it's the only thing that's saving personal computing at the moment. Because random inbound connections don't has through NAT devices, any home PC behind one is MUCH safer than one directly on the internet. It sucks in terms of the end to end utility of the internet, but it's the tradeoff most users are willing to make for reasonable safety.

Re:NAT to the rescue!

[WuphonsReach]

Outbound-only IP6 firewalls will offer the same level of security as NAT. With a few other advantages as well.

What will remain to be seen is whether the firewall devices can be:

- Properly configured or come with sane defaults.
- Fail in a safe manner rather then suddenly just allowing every connection through.
- Can't be switched to completely transparent by attack software.

It will be interesting in a few years as IPv6 finally takes off. I think the 3rd option is going to be the interesting one. In a IPv4 NAT'd network, the attacker has to (a) know the internal IPs and (b) add an inbound port forward to the NAT device. In the IPv6 firewall scenario, because the devices inside the network already have routeable addresses, if they can open up the firewall then they win.

The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.

A few years, as in enumerating 2^64 addresses and processing 1 million per second means you need about 585,000 years. There are ways to fine that down such as only searching the list of valid MAC addresses, which cuts the size down to 2^40 to 2^48. And you could fine that down even more by only looking for popular MAC addresses, which would probably make it 2^36 to 2^40 roughly. Scanning 2^32 @ 1 million / second takes about 80 minutes, 2^36 is 19 hours, 2^40 is 305 hours. Of course, attempting to scan 1 million hosts per second would bury most boxes and would probably require 10Gbps to pull off.

Compare that to today's networks where the local network segment usually only has 256 to 4096 possible addresses. Multiple orders of magnitude easier to scan.

Malware? Scareware?

[sillivalley]

Ran this thing on a server that lives in the closet. It complained that my custom hosts file was very suspicious. It also didn't like the VNC client.

So this machine was infested with malware? I don't think so!

Yet another scareware scanner!

Re:Malware? Scareware?

[Blakey+Rat]

VNC can legitimately be used as spyware in the classic sense. When someone remotely logs in, the local computer shows no indication that activity is being observed by someone else. (Contrast with Microsoft's Remote Desktop, where logging in remotely kicks the local user off and locks their screen.)

It's exactly the kind of thing this tool is supposed to be scanning for. What makes you think it's a false report? The scanner has no way of knowing whether you installed it, or someone else did behind your back.

10 seconds, back in 2007...not true now, though.

[Shoten]

One big thing has happened since 2007: Windows has started shipping with the Windows Firewall turned on by default and blocking inbound requests. Since network-spreading worms were the primary contagion factor back in 2007, this made a huge impact all by itself. Also, the growing prevalence of dynamic NAT in households (usually from the wireless routers that everyone has these days) also contributes to this.

Ignoring 3rd party crapware

[Khyber]

These are likely not so bad without exposure to Adobe and Java.

Let us be honest for once.

Re:Security has improved

[SuricouRaven]

It used to be true, back before everyone used a home router that acted as a firewall. I remember a couple of times years back when I installed Windows XP, connected up the cable/ADSL modem to get a service pack in, and the system was infected before the service pack had finished downloading. Back then infection was often via exploting the many explotable services windows runs, which was only possible when there was no firewall (The Windows one wasn't enabled by default back then, and in any case makes exceptions for those exploitable services!). Today, as most users have a firewall even if they don't know what one is, the main vector is the web - either malicious websites, or exploits served up as ad-banners.

Re:Security has improved

[hairyfeet]

Bingo! As someone who fixes these things every week while there are still plenty of Adobe exploits I've noticed since Win 7 came out they simply haven't been using OS exploits like they used to, now they run social engineering because it is always easier to take control if the user helps you and by appealing to their greed, desire, or fear it really ain't hard to get them to go along.

The big attack vectors i'm seeing day after day, in no particular order, is: 1.- The "you want teh hot lesbos? you need to run our Iz_not_Viruz_iz_codec.exe to play teh vidz!" 2.- The "ZOMg you got teh viruz! To fix run our Iz_not_Viruz_iz_cleanerz.exe to get rid of it ZOMG!" 3.-The "Use the new Limewire (Iz_not_Viruz_iz_Limewirez) to download teh latest Titney_Spearz.mp3.exe tunez today!" and 4.-"Hey my BFF sent me a funny cat video! It says I should run Iz_not_Viruz_iz_LOLCatz to see teh kittiez!"

As you will notice with ALL of the above you simply don't have to bother with an exploit for ANY of those, as the user IS the exploit and is the weakest link. The last major "WTF?" that MSFT had, the "Hey lets run everybody as admin!" officially died with Vista and since 7 doesn't bug the crap out of folks with "Cancel/allow?" boxes every three seconds UAC has been left on and along with low rights mode in IE and Chromium based is doing a good job, as we saw by the numbers released the other week where there are only 4 per 1000 7 machines infected VS 14 for XP.

But as long as you have people willing to ignore or even turn off their AV (as I had the other week with a customer and the "Iz_Not_Bug_Iz_Limewire") because a malware writer waved a cookie in front of them then frankly I don't see what else can be done besides what MSFT is already doing with the free MSRT and MSE. And as we have seen with first MacDefender and now MacGuard (which doesn't even need the password anymore) on OSX and the nasty Android trojan apps it doesn't matter whether you are on an alternative OS or not, all that matters is whether or not the bad guys want in bad enough to do the work and whether you have any users who'll run "Iz_Not_Bug_Iz" style apps. sadly I've found that WAAAY too many are more than happy to do just that.

Re:Somehow..

[wesleyjconnor]

What browser are you using 'bit of an expert'? I haven't run antivirus for 10 years and i've never been infected, I torrent things daily and i've seen some of the seediest burrows of the web. Navigating the web is a sixth sense grown over years of use, same as any skill. You know a good torrent just by looking at it, you know a dodgy website as the first image loads. You have been doing this so long you don't even SEE the ads in a page. Amateur hour is over.