
Windows XP PCs Breed Rootkit Infections

Posted by samzenpus
from the update-please dept.
CWmike writes "Machines running the decade-old Windows XP make up a huge reservoir of infected PCs that can spread malware to other systems, a Czech antivirus company said. Windows XP computers are infected with rootkits out of proportion to the operating system's market share, according to data released Thursday by Avast Software, which surveyed more than 600,000 Windows PCs. While XP now accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines. Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter's better security. Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits."

  • water still wet (Score:5, Insightful)

    by smash (1351) on Sunday July 31, 2011 @11:47AM (#36939378) Homepage Journal
    Is this really a surprise?
    • Re:water still wet (Score:5, Interesting)

      by Lennie (16154) on Sunday July 31, 2011 @11:55AM (#36939410) Homepage

      I've actually seen stories with other numbers as well, where most of the new malware for Windows is coming out for Windows 7; Windows XP already has enough malware and people don't seem to be writing any new ones. The old ones already work fine I guess.

      • The other day, I was looking at yet another hyperbolic report from Symantec that 60,000 new malware variants are released per day. Among the many reasons I find this claim dubious is that it's pretty damned obvious that most malware infections are on old Windows XP installations, which is significantly less secure than newer versions of Windows, especially if they're not being updated regularly. And in those circumstances, why would anyone be wasting time and effort writing new malware, when old malware can

      • Re:water still wet (Score:5, Informative)

        by hairyfeet (841228) <bassbeast1968@NOspaM.gmail.com> on Sunday July 31, 2011 @01:14PM (#36939952) Journal

        The difference is if UAC is active and you are using a Chromium based or IE so that you have low rights mode (WTF Firefox? it has been FOUR YEARS already, get on the ball!) it is actually pretty damned hard to infect Windows 7 without getting the user actively involved. Of course getting the average user to help you install malware is trivially easy, even after all these years of MSFT trying to warn people not just to run any old thing they find on the net. But as someone who fixes machines 6 days a week I can tell you that the infection rate once I got most of my customers to switch to 7 went waaaay down. And Windows 7 doesn't really take much more than XP I have several family members on late model P4s with 1Gb of RAM that Win 7 is running just fine on. They don't have Aero but who cares.

        But I have to agree about TFA and pirated Windows. Ballmer, in yet another proof of his incompetence, killed the $50 Windows 7 HP upgrade which frankly was the best weapon against piracy I'd ever seen. Guys that had been running pirated Windows for years went legit thanks to that affordable upgrade path. But now that it is gone I'm seeing "Xp Pro Corp SP3 Razr1911 Edition" machines again alongside the pirated Windows 7 machines on Craigslist. You can always spot the pirated versions BTW, as they ALWAYS use the most expensive SKU. When you have a PC that isn't worth $120 running a $200+ copy of Windows Ultimate? Yeah, it's pirated.

        The thing is, while the pirates know about Autopatcher and WSUS Offline, the folks they are selling these machines to don't, and since they won't pass WGA (the Windows 7 hack lasted for a while, but I'm now seeing folks that bought PCs with Win 7 off of CL coming in with WGA warnings) most are simply disabling Windows Updates. Folks don't know nor realize it is off and just think their PC is slowing down because "it is getting older" instead of the truth: it has more viruses than a Bangkok whore.

        • Microsoft makes the majority of their money from OEM and business. The number of people buying boxed copies of windows is pretty small in proportion. If they would just give it away (or for a small fee) to consumers they would get a lot of good Karma AND cut down on people trying to steal it.

          They can EASILY afford it.

          It would be a good business decision.

        • Re:water still wet (Score:4, Informative)

          by LordLimecat (1103839) on Sunday July 31, 2011 @08:37PM (#36942566)

          The difference is if UAC is active and you are using a Chromium based or IE so that you have low rights mode (WTF Firefox? it has been FOUR YEARS already, get on the ball!) it is actually pretty damned hard to infect Windows 7 without getting the user actively involved.

          That's not entirely accurate. UAC is generally avoided by detecting whether the user has admin rights, and if so, rooting the machine; if not, installing a virus that launches on user login, stored to %appdata%. This can perform the role of "User-mode rootkit" (if you don't believe such a thing exists, google "n00bkit"), effectively locking down such things as task manager, registry editor, etc, at least for the current user (I don't believe UAC is tripped when writing to HKCU registry hive)-- and on MOST home machines, there is only one user, and users are not aware of how to remove such infections in such a scenario.

          As for Chrome and IE, IE has some protection from its sandbox mode, but you still have to deal with the fact that MOST infections seem to stem from out of date plugins-- Java, Quicktime, Reader, Flash-- which effectively load external DLLs outside of the controls and protections of the browser. If you have a Java vulnerability which allows arbitrary code and privilege escalation, it matters not whether you use IE or Chrome or XP or seven (except insofar as ASLR, DEP, etc mitigate the flaw).

          Chrome DOES have the benefit that it automatically updates its PDF and SWF plugins, which mitigates that attack vector by quite a bit; but a 0-day flash exploit will infect you just as easily regardless of browser.

          UAC DOES, of course, make it about a zillion times easier to remove the virus, as a non-escalated virus install cannot infect the MBR, patch the kernel or system drivers, etc, and is easily removed by launching a startup editor with elevated permissions.
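The comment above points out that a non-elevated infection has to persist somewhere a standard user can write (an HKCU Run value or a Startup-folder entry pointing into %appdata%), and that this is exactly what makes it easy to find and remove with a startup editor. The following is an added example from the editor, not code from the commenter or from any product; it implements that triage rule over a constructed dump of per-user autostart entries (all paths and value names are invented), flagging entries that run from user-writable profile directories or that reuse a Windows system binary name outside C:\Windows. On a real machine you would feed it the output of an autoruns-style listing instead of the sample list.

```python
import re

# Constructed sample of per-user autostart entries, in the shape a defender
# would get from dumping HKCU\...\Run values and the user's Startup folder.
# Every path and value name here is invented for the example.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Local\Temp\upd.exe" -s'),
    ("Startup folder", "notes.lnk", r"C:\Users\alice\Documents\notes.txt"),
]

# Directory fragments a standard user can write to without ever seeing a UAC
# prompt; a persistence entry pointing here deserves a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Names of Windows system binaries; legitimate copies live under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def executable_path(command: str) -> str:
    """Extract the program path from a Run value's command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token boundary.
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(entries):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for location, name, command in entries:
        path = executable_path(command)
        low = path.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable profile directory")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("system binary name outside C:\\Windows")
        if reasons:
            findings.append({"location": location, "name": name,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS):
        print(f"{f['location']}\\{f['name']}: {f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The two flagged entries in the sample are the ones a cleanup from an elevated startup editor would remove; the OneDrive entry and the Startup-folder shortcut to a document pass because they point at neither a user-writable location nor a misplaced system binary name.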

    • Check the old /. threads.
      How many times have you seen the claim that "if Linux had the same marketshare as Windows ..."? Marketshare was identified as the deciding factor in what "mal-ware" was written.

      Now this seems to contradict those claims.

      • There's better evidence that contradicts that claim.

        This article could be interpreted to mean that there isn't a one-to-one correspondence between the popularity of an operating system: that malware authors tend to jump on the bandwagon, for instance. (I was trying to come up with a good way to describe the model mathematically, but the flashbacks to calculus were making my hands shake.)

    • I think we should hang a trillion rootable XP virtual machines on the web. The virus will be so busy infecting all these decoys that it won't be able to find the real machines. We can constantly reset these virtual machines back to clean so they won't be propagating the infection, just chewing up the time of the computers sending out the viruses.

      problem solved :-)

      • by rts008 (812749)

        Yeah, right.
        And when your trillion PC botnet decides to phone home and shuts down the whole internet, then what?

        Even on the backbone of the net, there is NOT infinite bandwidth.

  • by Anonymous Coward on Sunday July 31, 2011 @11:59AM (#36939446)

    so rootkit authors can focus on Windows 7

    • Or reinstall... (Score:3, Insightful)

      by Tatarize (682683)

      The claims above are likely more due to the length of time of the install than anything to do with the OS itself. I've had my current install of windows for like four years. Nobody with Windows 7 can say that about their OS. And a lot of times spyware ridden machines just stay that way. I demand they look at the data from "time since install" and tell me that that isn't just directly correlated and explains away most of the XP dataset.

  • by lseltzer (311306) on Sunday July 31, 2011 @12:00PM (#36939456)
    Just so it's clear to everyone, you don't need a "genuine" version of Windows to download and install critical updates. And honestly, SP3 is over 3 years old. It's hard to hold Microsoft or even Windows XP accountable for users refusing to upgrade.
    • by CastrTroy (595695) on Sunday July 31, 2011 @12:05PM (#36939476) Homepage
      Well to be fair, if you install windows XP from a recovery image or from an original CD you have from the original version, your computer could probably be pwned before you even have the time to download the service packs.
      • by Osgeld (1900440)

        Yeah, if you're connected directly to the internet like your cablemodem direct into PC or dialup; otherwise no, it won't.

      • by roc97007 (608802)

        That's why you download the admin version of the service packs *first* and burn them onto CD. Although admittedly most people wouldn't think to do that.

      • by ShakaUVM (157947)

        >>Well to be fair, if you install windows XP from a recovery image or from an original CD you have from the original version, your computer could probably be pwned before you even have the time to download the service packs.

        I once watched a friend of mine get extremely frustrated as he kept reinstalling XP over and over, only to have it get owned before the patching finished.

        I finally took pity on him and put a hardware firewall between his computer and the internet... after, I think, the third time i

      • by westlake (615356)

        Well to be fair, if you install windows XP from a recovery image or from an original CD you have from the original version, your computer could probably be pwned before you even have the time to download the service packs.

        Microsoft will gladly ship you SP3 on CD. Order Windows XP Service Pack 3 on a CD [microsoft.com] The offer is available globally, and has been from the beginning.

        You could, of course, simply download the service pack and install XP off-line.

    • by sunfly (1248694)

      Microsoft makes it hard for genuine users.

      Pirates download the latest update very easily.

      If you're one of the millions of legitimate users out there that just want to replace a failed hard drive in an old PC, or grab one of the millions of off-lease PCs on the market that usually come sans hard drive, you will likely use an old install CD. This makes it a real pain to get all the service packs installed.

      MS really should have the latest fully patched XP ISO downloadable right from their web site. It is not

    • Just so it's clear to everyone, you don't need a "genuine" version of Windows to download and install critical updates.

      That depends on where you are. In Germany, Microsoft has run warning dialogs that security updates may break your installation if you use an illegal copy. Microsoft has integrated WGA with the update process, making people using illegal copies uneasy about using the update process. There have even been conflicted statements about whether critical updates are available to everyone. Apparentl

    • The memory-demands for SP3 have increased a lot - Where SP2 runs well with 512MB, you need at least 800MB for SP3 to run basic software like IE and Office smoothly. Though this is not official, I have seen too many cases with unresponsive PCs after the upgrade. A good reason to revert back to SP2 if people don't know how or dare to upgrade hardware nor want to spend another €300,- to €500,- on a new computer.
    • by roc97007 (608802)

      Shrug. I don't happen to have a spare $139 and Windows XP runs my applications just fine. It's important to remember, the OS isn't the application. The OS runs applications.

  • Standardising on a non-free operating system thus encouraging people to download rootkitted warez.
    Most people worldwide genuinely can't pay $250+ [amazon.com] for an operating system.
    • Most people worldwide genuinely can't pay $250+ for an operating system.

      I can find Windows 7 Home Premium x64 [newegg.com] for $95, a much more affordable amount than $250. If you have one of the few PCs that can only run 32 bit OSes, that one is $5 more.

      • Does Newegg.com ship internationally? [newegg.com]

        Newegg.com does not currently ship internationally; we only deliver to locations within the United States and to Puerto Rico.

      • by Jaktar (975138)

        The only "problem" with that version is that it's for system builders. This could be a problem if someone needs support (and if they're still running XP, they just might need a little help doing upgrades).

        • The only "problem" with that version is that it's for system builders.

          In fact, it might even be copyright infringement to buy and install that version on your own computer. Microsoft says [microsoft.com] OEM software is for computers you plan to sell at arm's length, not for computers you plan to use.

        • One issue with OEM licenses - they are not transferable. If you buy an expensive retail license, you can move (not copy) it to another machine. FWIW
      • $95 is a more realistic price for Windows 7 for most users willing and able to pay for software. However, even in wealthy parts of the world, people who think it's reasonable to buy computer hardware often don't think it's reasonable to buy software, since it's so easy to get bootleg software. In much of the world, "legit" proprietary software is practically unheard of, and since you want bootleg Windows XP to run bootleg Microsoft Office or bootleg Starcraft, you don't have any interest in Fedora or Ubuntu

    • Most people genuinely don't have to pay that much for the operating system, thanks to bundling agreements and volume licensing. I bought my current laptop with Ubuntu preinstalled on it. I saved $30 off the cost of the exact same laptop, with the exact same spec, with Windows 7 Home Premium x64 preinstalled. Ergo, the Windows tax is net only $30. Yes, I would have had to deal with the preinstalled crap that comes with it, but it's a Dell, and it's in their business line of products (Vostro v130, if you feel

    • by MacTO (1161105)

      If everyone jumped onto the free operating system bandwagon overnight, you would have the very same problem. Only it would come in the form of "Hello Kitty Ubuntu: a cute computer for cute girls" or "Machobuntu: the rugged OS for the tough guy." (Sorry about the stereotypes, but grandma said she'd root my box if I poked fun at the elderly yet again.)

      Then there are other attack vectors. The basic problem is that most people don't have the ability to verify the authenticity of the stuff that they install.

  • Well better plan for windows 7 to go long term as the NEW GUI in windows 8 make it vista / ME 2. And seeing how good windows 7 is Big business may just stick to it for a long time like they did with windows XP.

  • by JohnSearle (923936) on Sunday July 31, 2011 @12:19PM (#36939580)
    Here's a few premises:
    1. The probability getting an infection increases with time.
    2. The average person probably does not format their system and give a clean install until the system becomes nearly unusable (it would cost them money and time).
    3. Windows XP has been in use for a long time.

    Given these, I would figure that another reason why there would be so many infected PCs with XP out there is that the XP installations have been in use for a lot longer than any of the newer OS installations. I would go as far as to guess that most people today would rather buy a new PC than get a professional to reinstall XP, meaning that these systems currently running XP would have been installed quite a number of years ago.

    Just a thought...
    • by mikael (484)

      And the system becomes unusable due to all the file logging going on. Whenever I upgrade the OS on my system, I always like to do an audit of where all the file space has gone. First of all, back up all project data, then remove them. Remove all download files (rpm's, zip's, exe's, bz2's, webpages) and personal files. With all those gone, there shouldn't be any considerable file space used, yet gigabytes of space were still used...

      As someone who's done rendering and animation, and used the file browser to p

    • by couchslug (175151)

      IME you are quite right. Bubba and LaQueefa run their machines until they stop working, which can be a very long time. They can't afford professional repair rates, so it's either have a local geek reload warez (because they lost the recovery media) or buy a new PC.

  • by caseih (160668) on Sunday July 31, 2011 @12:38PM (#36939712)

    It always bugs me to hear people use "counterfeit" when talking about illegally copied or distributed software. Do people not understand what these words mean? Apparently not, since we're still talking about "piracy" in a non-piracy sense.

    If someone in China were to dress up Linux to look like Windows and sell it as if it were MS Windows, that'd be counterfeit. But so-called "pirated" Windows XP installations are not counterfeit, obviously. I guess it's all about manipulating public thought. Is your copy of windows "genuine?" The thought is quite silly if you think about it. Of course it is genuine. It's windows isn't it? Legal copy? That's the real question. Genuine advantage indeed.

    • by bigtrike (904535)

      The CDs are made to look like the ones from Microsoft, complete with fake holograms. How is that not a counterfeit?

      • Most people in this group either have a copy with "Windoze" hand written in felt pen, or installed by someone else, who bought the machine second hand and installed it prior to ebaying it.

        As a happy Ubuntu user, I can't say for sure, but my guess is that Bill Gates does not label official MS CDs in felt tip pen.

  • by no-body (127863) on Sunday July 31, 2011 @12:47PM (#36939774)

    > Windows XP computers are infected with rootkits out of proportion to the operating system's market share

    This statement lacks considering time the OS are in use:

    XP 11 years - since 2001
    W7 2 years - since 2009

    So, with 2 years W7 gathered 12 % of infections having 31 % market share, that's 6 % infections/year
    and 11 years of XP gathered 74 % of infections having 58 % market share, that's 6.7 % infections/year

    Since market share started from 0, let's assume linear increase of market share since release and use W7 with 16.5 % and XP with 37 % average market share over time.

    W7 gets 6 % infections/year with 16.5 % market share and XP 6.7 % infections/year with 37 % market share.

    Which gives factors for W7 0.37 and XP 0.18 infections/year/market share.

    W7 more secure? Fat chance!
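The post above normalises the headline numbers by years in use and by an assumed time-averaged market share. As an added example from the editor (not the poster's own code), the block below carries that comparison through with the summary's figures (74%/58% for XP, 12%/31% for Windows 7) and the post's lifetimes (11 and 2 years), under three models: the raw infection-share-to-market-share ratio the summary implies, the post's linear-ramp assumption (lifetime average taken as exactly half the current share; the post's 16.5 and 37 are not exactly half of 31 and 58, so the factors differ slightly from its rounded ones), and a flat model that uses the current share unchanged. The point it makes is that which OS "looks worse" depends on the exposure model, not just on the counts.

```python
from dataclasses import dataclass


@dataclass
class OSFigures:
    name: str
    infection_share: float  # percent of the rootkit infections found on this OS
    market_share: float     # percent of Windows PCs currently running it
    years_in_use: float     # years since release, as counted in the post above


# Inputs taken from the article summary and the post (constructed nothing here;
# the figures are the page's own).
XP = OSFigures("Windows XP", 74.0, 58.0, 11.0)
W7 = OSFigures("Windows 7", 12.0, 31.0, 2.0)


def headline_ratio(figs: OSFigures) -> float:
    """Infection share divided by market share: the comparison the summary implies."""
    return figs.infection_share / figs.market_share


def exposure_normalised(figs: OSFigures, linear_ramp: bool = True):
    """Infection points per year, and per year per point of time-averaged market share.

    With linear_ramp the share is assumed to have grown linearly from zero at
    release, so the lifetime average is half the current share (the post's
    assumption); without it the current share is used as-is.
    """
    avg_share = figs.market_share / 2 if linear_ramp else figs.market_share
    per_year = figs.infection_share / figs.years_in_use
    return per_year, per_year / avg_share


def worse_under_each_model(a: OSFigures, b: OSFigures) -> dict:
    """Name the OS that comes out worse under each of the three comparisons."""
    def pick(fa: float, fb: float) -> str:
        return a.name if fa > fb else b.name

    return {
        "headline ratio": pick(headline_ratio(a), headline_ratio(b)),
        "per year / averaged share": pick(exposure_normalised(a)[1],
                                          exposure_normalised(b)[1]),
        "per year / current share": pick(exposure_normalised(a, False)[1],
                                         exposure_normalised(b, False)[1]),
    }


if __name__ == "__main__":
    for figs in (XP, W7):
        per_year, norm = exposure_normalised(figs)
        print(f"{figs.name}: headline {headline_ratio(figs):.2f}, "
              f"{per_year:.2f} infection points/year, "
              f"{norm:.3f} per averaged share point")
    print(worse_under_each_model(XP, W7))
```

With these inputs XP comes out worse only on the headline ratio; once infections are spread over years in use and divided by share, Windows 7 comes out worse under both the ramped and the flat model. That does not settle which OS is more secure (install age, pirated builds with updates disabled and user population all confound the count), but it shows why a survey figure needs its exposure denominator stated before any security conclusion is drawn from it.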

  • The machines are longer online, so they had more time of being infected. They will be less likely to have users who are tech savvy and want to run the latest. As they are less tech savvy, they will know less on how to protect themselves.

  • If all PCs were fixed so they didn't catch or pass on viruses what would all the "security" companies do for a living? Maybe instead of spreading FUD they should just step up a gear. Since this survey has identified a nice big market (i.e. out of support/illegal and therefore un-upgradable O/S's) why don't they stop bleating and start creating products to satisfy this demand?
    • by Urkki (668283)

      Yeah! The vast potential of customers who don't like to pay for their software, that market is totally untapped!

      No, wait, I think the malware business has that market covered and monetized pretty good, actually. And some of those companies specialize in spreading their own anti-malware kits too. I think it'll be really hard to enter that market for legitimate anti-malware companies.

  • by osu-neko (2604) on Sunday July 31, 2011 @01:32PM (#36940046)
    I was running SP2 until a couple months ago because Windows Update failed to update me to SP3. It turns out that if you had upgraded Internet Explorer to some version under SP2 (IE8?), it would not upgrade to SP3 because doing so would break the downgrade process (you could upgrade to SP3 flawlessly, but if you tried to downgrade back to SP2 it would break) unless you first downgraded IE before upgrading to SP3. Therefore, SP3 would not be listed in Windows Update, and it would not tell you that it was hiding the upgrade, or why. Utterly idiotic. I assume a lot of people are still running SP2 not because they're using an unlicensed version, but precisely because, like me, they have a legit installation, but just don't know SP3 was out and being hidden from them, with Windows Update cheerfully telling them every week that their system is perfectly up to date.
  • Interesting ... (Score:2, Interesting)

    by garry_g (106621)

    ... so in spite of the (supposed) improved security of Win7 and the (in comparison) short time it has been around, a quarter of all infections are on Win7?
    While it is understandable that the decade old OS is easier to attack, this is definitely no good track record for Win7 ...

    • Guess you should read the article.
      "XP's share of the infection pie was much larger than Windows 7's, which accounted for only 12% of the malware-plagued machines -- even though the 2009 OS now powers 31% of all Windows PCs."

      There are more versions of Win than XP and 7.

  • One major contributing factor for infected XP machines to stay infected is that users don't get installation CDs any longer.

    Microsoft changed the license years ago so buyers of brand new PCs really don't have any choice, if they want to reinstall their machines, other than taking them back to the shop (and spend $$$) or install a pirated version.

    • by erroneus (253617)

      Fantastic spin. I believe you though. The fact that install CDs are not provided with new machines is likely to be a tremendous contributing factor. All the people I know who have software problems on their computers (and as the regional volunteer "friend support" [because friends don't let friends go to BestBuy!]) also invariably fail to create restore media from their hidden and space-wasting partitions. (Most recently, a person I know with a Sony Vaio (yeah, I know... sony) has been getting constant

  • by roc97007 (608802)

    So everyone go out right now and pay the $139 for Windows Home Premium. I'll wait...

    (This should cause a measurable bump in the economy. Any moment now...)

    • No bump. Microsoft's base business model is fixed costs with variable income. Once their fixed costs are paid off, the rest is almost pure profit that goes to the nearest (often foreign) tax haven.

      That sucking sound isn't the economy being inflated -- it's the sound of money being 'renditioned'.

  • by asdf7890 (1518587) on Sunday July 31, 2011 @02:18PM (#36940350)
    Could there be some confirmation bias that is clouding the true meaning of the collected stats?

    It may not just be that the remaining XP users are less careful/knowledgeable/whatever on average so aren't fully patched with service packs and so forth either by choice or ignorance. A lot of those XP installs have been around a long time, so have had a much longer period (compared to the average Windows 7 or Vista install) in which they could have been exposed to malware.

    Many of the installs not properly patched up with security updates could be a symptom of this, rather than a cause, as there are plenty of examples of malware that block some or all updates from being installed (either accidentally due to the damage they do while hacking their way in, or deliberately as a self preservation measure).
  • The widespread use of pirated copies of the former and the latter's better security.

    I attribute it mainly to the fact that Windows 7 by default at least includes a basic AV software (Windows Defender) whereas Windows XP has none.

    And don't mention UAC, please - most people either ignore it and answer YES to all its alerts or disable it altogether right after the installation.

    And no, "pirated" versions of Windows XP (most of them are just a VLK version with a valid serial key included) have nothing to do with Windows XP security or lack of it.

  • We'll have to look at Win7 once it's been in the wild as long as XP.

  • According to gstats Windows 7 has already taken the majority of marketshare in the US. [statcounter.com] Only 1 out of 4 are still running XP. In comparison, most of China is heavily XP based [statcounter.com] with IE 6 being their default browser [statcounter.com] with 85% running pirated versions of XP, which of course is totally different than a corporate locked down XP machine running IE 8, fully patched, with antivirus software you see in developed nations.

    I would say it is not XP is the problem more than unpatched decade old computers in 3rd world countri

  • by societyofrobots (1396043) on Sunday July 31, 2011 @09:48PM (#36942956)

    "Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits."
    I, and many others I know in a forum I frequent, won't upgrade to SP3 as it breaks USB. It's a known bug (for many years) that USB becomes significantly slower in SP3 (it's not known what hardware configurations can avoid the bug). This causes problems with data transfer speeds.
