
Malware Scanner Finds 5% of Windows PCs Infected

BogenDorpher writes "According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs is infected with malware. Microsoft's Safety Scanner was downloaded 420,000 times in just one week of availability and it cleaned up malware or signs of exploitation from more than 20,000 Windows PCs, according to statistics generated by Microsoft's Malware Protection Center. This resulted in an infection rate of nearly 5%." That seems an awfully low number, based on how quickly Windows machines are scanned for plunder after going online; though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds. That was just one instance, and an intentionally vulnerable machine, but have improvements in security software, and in Windows itself, made things so much better since then?

  • by Anonymous Coward on Saturday May 28, 2011 @11:05PM (#36277388)

    Most of the malware now is either socially engineered or exploiting third party software (Flash and PDF, I'm looking at you!). Frankly, every OS is vulnerable to those two and finally even Apple noted they're starting to get that problem on Macs.

  • Exactly (Score:5, Interesting)

    by Giant Electronic Bra ( 1229876 ) on Saturday May 28, 2011 @11:23PM (#36277458)

    All this really 'proves' is that 95% of the people who are smart enough to download a free AV program didn't have an infection. Let's see, who uses those? Oh, I know! People who take precautions... When do they do it? BEFORE they get infected, lol.

    While it is an interesting datapoint to hobnob about, this actually says ZILCH about Windows infection rate, except it probably can't possibly be LESS than 5%.

  • by WuphonsReach ( 684551 ) on Saturday May 28, 2011 @11:58PM (#36277582)

    Outbound-only IPv6 firewalls will offer the same level of security as NAT. With a few other advantages as well.

    What will remain to be seen is whether the firewall devices can be:

    - Properly configured or come with sane defaults.
    - Fail in a safe manner rather than suddenly just allowing every connection through.
    - Can't be switched to completely transparent by attack software.

    It will be interesting in a few years as IPv6 finally takes off. I think the 3rd option is going to be the interesting one. In an IPv4 NAT'd network, the attacker has to (a) know the internal IPs and (b) add an inbound port forward to the NAT device. In the IPv6 firewall scenario, because the devices inside the network already have routable addresses, if they can open up the firewall then they win.

    The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.

    A few years, as in enumerating 2^64 addresses and processing 1 million per second means you need about 585,000 years. There are ways to fine that down such as only searching the list of valid MAC addresses, which cuts the size down to 2^40 to 2^48. And you could fine that down even more by only looking for popular MAC addresses, which would probably make it 2^36 to 2^40 roughly. Scanning 2^32 @ 1 million / second takes about 80 minutes, 2^36 is 19 hours, 2^40 is 305 hours. Of course, attempting to scan 1 million hosts per second would bury most boxes and would probably require 10Gbps to pull off.

    Compare that to today's networks where the local network segment usually only has 256 to 4096 possible addresses. Multiple orders of magnitude easier to scan.
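
The comment above notes that interface IDs derived from MAC addresses shrink the space a scanner has to cover. As an added example (not part of the thread), this Python audit flags addresses in your own inventory that embed a MAC via modified EUI-64 and reproduces the scan-time arithmetic; the inventory addresses are constructed and use the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":          # EUI-64 filler between OUI and NIC bytes
        return None                      # heuristic: a random IID matches 1 in 65536
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def scan_hours(bits, rate=1_000_000):
    """Hours to enumerate 2**bits addresses at `rate` probes per second."""
    return 2**bits / rate / 3600

def audit(addresses):
    """Per address: embedded MAC (or None) and bits a scanner must search."""
    report = {}
    for a in addresses:
        mac = eui64_mac(a)
        # With EUI-64 only the 48 MAC bits vary; otherwise the full 64-bit IID.
        report[a] = {"mac": mac, "search_bits": 48 if mac else 64}
    return report

# Constructed inventory using the 2001:db8::/32 documentation prefix.
INVENTORY = [
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",   # EUI-64 derived
    "2001:db8:0:1:8d3f:61c2:a95e:47b0",  # randomized interface ID
]

if __name__ == "__main__":
    for addr, info in audit(INVENTORY).items():
        years = scan_hours(info["search_bits"]) / 24 / 365.25
        print(f"{addr}  mac={info['mac']}  2^{info['search_bits']}  ~{years:,.0f} years")
```

Hosts flagged with an embedded MAC are candidates for randomized or stable-opaque interface IDs (RFC 4941, RFC 7217), which keep the full 64-bit space in play.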
  • Re:"as of 2007" (Score:3, Interesting)

    by VortexCortex ( 1117377 ) <VortexCortex AT ... trograde DOT com> on Sunday May 29, 2011 @12:11AM (#36277616)

    In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

    With great new code-bases comes great vulnerability.

    I just "removed" (and by remove I mean re-format re-flash BIOS and reinstall Windows) a bit of malware (Banker Rootkit Variant) that exploits a Java vulnerability via applet (JRE was up to date, but the old exploitable versions are still there, and can be targeted -- remove them now), then installs a rootkit via kernel driver -- Somehow miraculously bypassing the fact that drivers must be signed on 64bit MS OSes -- Oh, it's not that special it just disabled UAC first via the registry (ran a .reg -- Yes, seriously, WTF MS), then enabled "debugging mode" which disables the signed driver checks (I know, right?), then it installs a new root certificate authority in the web browser and updates the hosts file so that when you connect to several banking websites it can intercept the traffic with no security warnings in the browser -- Hint: always view the cert before you enter your credentials.

    You can tell me that the brand spanking new batch of code is "more secure" than some other batch of code only after they've both been in use for the same period of time, and I can compare the numbers. "More Secure" can not be claimed until it is proven.

    IMHO, Why throw out XP64/32? (sp3 is basically just an update roll up, not a whole new codebase -- 1045 days left, BTW) They were finally getting a lot of the bugs hammered out. If we did that with Linux / Unix every couple of years they would be a security clusterfuck too. (scares me that Torvalds is thinking of retiring the 2.6 kernel to move to 2.8 or 3.0...)
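
The hosts-file tampering described in the comment above is easy to check for after the fact. As an added example (not part of the thread), this Python check parses hosts-file text and reports every name pinned to a non-loopback address; the sample file, the host names and the `allow` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are placeholders.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist entry
203.0.113.45    www.bank.example login.bank.example
198.51.100.7    intranet.example  # added by IT
not-an-ip       broken.example
"""

def suspicious_hosts_entries(text, allow=()):
    """Return (line_no, address, name, reason) for entries worth reviewing.

    Loopback and 0.0.0.0/:: entries are skipped (localhost and blocklists);
    names in `allow` are overrides the administrator knows about.
    """
    allowed = {n.lower() for n in allow}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, fields[0], " ".join(fields[1:]),
                             "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in fields[1:]:                  # one line may pin several names
            if name.lower() not in allowed:
                findings.append((lineno, str(ip), name, "redirect"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS, allow={"intranet.example"}):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any banking or login name that shows up as a redirect warrants checking the machine's trusted root certificates as well.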

  • Re:Somehow.. (Score:3, Interesting)

    by wesleyjconnor ( 1955870 ) on Sunday May 29, 2011 @05:28AM (#36278464) Homepage
    What browser are you using 'bit of an expert'? I haven't run antivirus for 10 years and I've never been infected, I torrent things daily and I've seen some of the seediest burrows of the web. Navigating the web is a sixth sense grown over years of use, same as any skill. You know a good torrent just by looking at it, you know a dodgy website as the first image loads. You have been doing this so long you don't even SEE the ads in a page. Amateur hour is over.
