Slashdot Mirror
Windows XP PCs Breed Rootkit Infections
CWmike writes "Machines running the decade-old Windows XP make up a huge reservoir of infected PCs that can spread malware to other systems, a Czech antivirus company said. Windows XP computers are infected with rootkits out of proportion to the operating system's market share, according to data released Thursday by Avast Software, which surveyed more than 600,000 Windows PCs. While XP now accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines. Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter's better security. Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits."
The memory-demands for SP3 have increased a lot - Where SP2 runs well with 512MB, you need at least 800MB for SP3 to run basic software like IE and Office smoothly. Though this is not official, I have seen too many cases with unresponsive PCs after the upgrade. A good reason to revert back to SP2 if people don't know how or dare to upgrade hardware nor want to spend another €300,- to €500,- on a new computer.
The difference is if UAC is active and you are using a Chromium based or IE so that you have low rights mode (WTF Firefox? it has been FOUR YEARS already, get on the ball!) it is actually pretty damned hard to infect Windows 7 without getting the user actively involved. Of course getting the average user to help you install malware is trivially easy, even after all these years of MSFT trying to warn people not just to run any old thing they find on the net. But as someone who fixes machines 6 days a week I can tell you that the infection rate once I got most of my customers to switch to 7 went waaaay down. And Windows 7 doesn't really take much more than XP I have several family members on late model P4s with 1Gb of RAM that Win 7 is running just fine on. They don't have Aero but who cares.
But I have to agree about TFA and pirated Windows. Ballmer, in yet another proof of his incompetence killed the $50 Windows 7 HP upgrade which frankly was the best weapon against piracy I'd ever seen. Guys that had been running pirated Windows for years went legit thanks to that affordable upgrade path. But now that it is gone I'm seeing "Xp Pro Corp SP3 Razr1911 Edition" machines again alongside the pirated Windows 7 machines on Craigslist. you can always spot the pirated versions BTW, as they ALWAYS use the most expensive SKU. When you have a PC that isn't worth $120 running a $200+ copy of Windows Ultimate? yeah its pirated.
The thing is while the pirates know about Autopatcher and WSUS Offline the folks they are selling these machines to don't and since they won't pass WGA (the Windows 7 hack lasted for awhile but I'm now seeing folks that bought PCs with Win 7 off of CL coming in with WGA warnings) most are simply disabling Windows Updates. Folks don't know nor realize it is off and just think their PC is slowing down because "it is getting older" instead of the truth, it is has more viruses than a Bangkok Whore.
ACs don't waste your time replying, your posts are never seen by me.
I was running SP2 until a couple months ago because Windows Update failed to update me to SP3. It turns out that if you had upgraded Internet Explorer to some version under SP2 (IE8?), it would not upgrade to SP3 because doing so would break the downgrade process (you could upgrade to SP3 flawlessly, but if you tried to downgrade back to SP2 it would break) unless you first downgraded IE before upgrading to SP3. Therefore, SP3 would not be listed in Windows Update, and it would not tell you that it was hiding the upgrade, or why. Utterly idiotic. I assume a lot of people are still running SP2 not because their using an unlicensed version, but precisely because, like me, they have a legit installation, but just don't know SP3 was out and being hidden from them, with Windows Update cheerfully telling them every week that their system is perfectly up to date.
"Convictions are more dangerous enemies of truth than lies."
The difference is if UAC is active and you are using a Chromium based or IE so that you have low rights mode (WTF Firefox? it has been FOUR YEARS already, get on the ball!) it is actually pretty damned hard to infect Windows 7 without getting the user actively involved.
Thats not entirely accurate. UAC is generally avoided by detecting whether the user has admin rights, and if so, rooting the machine; if not, installing a virus that launches on user login, stored to %appdata%. This can perform the role of "User-mode rootkit" (if you dont believe such a thing exists, google "n00bkit"), effectively locking down such things as task manager, registry editor, etc, at least for the current user (I dont believe UAC is tripped when writing to HKCU registry hive)-- and on MOST home machines, there is only one user, and users are not aware of how to remove such infections in such a scenario.
As for Chrome and IE, IE has some protection from its sandbox mode, but you still have to deal with the fact that MOST infections seem to stem from out of date plugins-- Java, Quicktime, Reader, Flash-- which effectively load external DLLs outside of the controls and protections of the browser. If you have a Java vulnerability which allows arbitrary code and privelege escalation, it matters not whether you use IE or Chrome or XP or seven (except insofar as ASLR, DEP, etc mitigate the flaw).
Chrome DOES have the benefit that it automatically updates its PDF and SWF plugins, which mitigates that attack vector by quite a bit; but a 0-day flash exploit will infect you just as easily regardless of browser.
UAC DOES, of course, make it about a zillion times easier to remove the virus, as a non-escalated virus install cannot infect the MBR, patch the kernel or system drivers, etc, and is easily removed by launching a startup editor with elevated permissions.