Malware Scanner Finds 5% of Windows PCs Infected
BogenDorpher writes "According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs are infected with malware. Microsoft's Safety Scanner was downloaded 420,000 times in just one week of availability and it cleaned up malware or signs of exploitation from more than 20,000 Windows PCs, according to statistics generated by Microsoft's Malware Protection Center. This resulted in an infection rate of nearly 5%." That seems an awfully low number, based on how quickly Windows machines are scanned for plunder after going online; though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds. That was just one instance, and an intentionally vulnerable machine, but have improvements in security software, and in Windows itself, made things so much better since then?
Of those who actually asked for help (Score:5, Insightful)
Re:Of those who actually asked for help (Score:5, Insightful)
What? I would say that it's the other way around. I would guess that the actual infection rates are higher. I bet that many of the people who didn't download this tool are probably the same people who are running an expired version of McAfee on their Windows XP without any Service Packs applied.
Just recently, my parents were complaining about how their computer was behaving very slow and strangely. The number of malware, crapware and toolbars I had to uninstall via remote desktop using Teamspeak (we live on different continents) was enormous. Lol!
The end of the article notes... (Score:5, Insightful)
"Safety Scanner, which replaced an older online-only tool, uses the same technology and detection signatures as Microsoft's free consumer-grade Security Essentials antivirus program and its Forefront Endpoint Protection product for enterprises."
Considering that by now everyone should run SOME anti virus, of which MSE is a legally free option, and that something which uses MSE's signature database finds 5% of machines have been compromised I don't think says much about computer security as a whole. Obviously there are a lot of users who *still* don't have anti virus software, which isn't really news. But MS can't exactly go including free anti virus in their OS without screams of anti trust.
I don't use an anti-virus on Windows (Score:3)
I don't run an anti-virus because it slows the PC down. I have a good system worked out. I have a KVM switch with Windows on one PC and Linux on the other PC. I use Windows for my programs that won't run on Linux, and Linux to get on the Net with. I keep the amount of important stuff to a minimum on Windows, so I can reinstall easily if needed.
My windows runs very fast even on a PC with mediocre specs, and I go for years without trouble on it, though I won't say I have never had any viruses.
Now my kids, the
Re:The end of the article notes... (Score:5, Funny)
Re:The end of the article notes... (Score:5, Funny)
Re: (Score:2)
It isn't?!
Re: (Score:2)
There are programs that run on XP64 that don't work on XP32 or 7-32/64?
Even then, XPx64 isn't exactly accounting for that 5% of installed that have been compromised.
I think kaspersky and the paid version of AVG both supported XP 64 at one point. Whether or not you could find anything that does anymore is another matter.
Yes. (Score:5, Insightful)
That was just one instance, and an intentionally vulnerable machine [four years ago], but have improvements in security software, and in Windows itself, made things so much better since then?
Yes.
Is it really surprising that computers with service packs, hot fixes, virus scanners, and firewalls are significantly more secure than those without?
Of course, it's also worth noting that the real infection rate is probably at least a little bit higher. The people who don't download this particular scanner are the same ones who wouldn't download the aforementioned service packets, hot fixes, virus scanners, and firewalls. The unanswered, and perhaps unanswerable, question is how many such people are out there.
Exactly (Score:5, Interesting)
All this really 'proves' is that 95% of the people who are smart enough to download a free AV program didn't have an infection. Let's see, who uses those? Oh, I know! People who take precautions... When do they do it? BEFORE they get infected, lol.
While it is an interesting datapoint to hobknob about, this actually says ZILCH about Windows infection rate, except it probably can't possibly be LESS than 5%.
Re: (Score:2, Insightful)
You can't draw that conclusion, either. You say that the people who download virus scanners are the smart ones who take precautions. That makes sense. But another big group that downloads virus scanners is the people who have reason to believe they have a virus. For all we know, 5% could be artificially LARGE because of that.
We just can't draw these sorts of conclusions from this study.
Re: (Score:2)
All this really 'proves' is that 95% of the people who are smart enough to download a free AV program....
This is a malware removal tool for people who already think they have a virus. See the Microsoft Safety Scanner [microsoft.com] main page. The very first words on that page are Do you think your PC has a virus? Not to mention it expires 10 days after download. Clearly not an AV for 'smart' people.
....except it probably can't possibly be LESS than 5%
Considering MSS is for people who think they already have a virus, I think the only conclusion you can draw is that slashdot headlines are some of the most worthless pieces of shit on the internet (and that's saying something).
Re: (Score:2)
People have routers, or windows firewall (default), or both.
To say a windows machine is vulnerable today is ignorant of the knowledge of hacking.
As long as they have a firewall and don't open ports, they should be fine.
Basic hacking requirement... you have to have an open port and a service on that port that has an exploit of some type.
This is why website hacks, browser exploits, emails to get peopl
Re: (Score:2, Insightful)
On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.
Re: (Score:3)
On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.
[citation needed], even if it is with the default firewall turned off, for Vista and Windows 7.
Re: (Score:2)
Re:Yes. (Score:5, Insightful)
Don't forget about those who have viruses but the malware removal tool was unable to either detect or remove them. If you can't churn out a virus that can beat the standard set by microsoft you're in the wrong business.
Re: (Score:2)
Not really. Malware aims at low-hanging fruit and people taking active steps to protect their system are in all probability not worth the hassle (and downloading a one-time scanner is pretty active). The tool is also new so malware writers probably haven't reacted to any great extent yet.
Re: (Score:2)
I'd wager the former, these people usually know how to circumvent new security features before they hit the street if they meddle with their business.
The question is always, how much impact will a new security tool have on their business. If it's only a few "clued" people they use, they usually don't bother to find a way around it. If you look at contemporary malware and know a bit about security, it's actually boring. No "0day", no sophisticated self encryption, nothing really new and exciting. It's busine
Re: (Score:2)
There's already a better paradigm on some phones. Basically the application declares upfront what sort of sandbox/permissions it needs to run. And if that is OK according to the system's settings, the OS will run the app while enforcing the sandbox.
Because the permissions are declared explicitly, it should be much easier for an "expert", or even someone with "common sense" to certify that the sandbox makes sense for the app, and maybe even digitally sign the app and its request.
So an organization (or "The
Re: (Score:2)
Sandboxing is a great concept and lots of people have proposed it. If I could restrict a program's access to just its own homedirectory and a designated datastorage location that would already be an amazing improvement.
datum (Score:2, Offtopic)
I fixed one this afternoon: my parent's WinXP computer. Adjust your stats accordingly.
Bad sampling techniques ... (Score:3)
Maybe the number is accurate, maybe it isn't. But the one thing that strikes me is that this is not an entirely random survey since there are too many factors that can affect the sampling. Examples: people who do not update their software (including but not limited to this scanner) are probably more likely to have an infected machine, making the number low. Yet institutional PCs that are professionally managed (and are likely to use third party solutions) are probably less likely to be infected, making the number high. So that 5%, as good or as bad as it may sound to you, is actually just a number thrown around by the marketing department.
"as of 2007" (Score:5, Informative)
Honestly? "as of 2007"? In computer terms, that's several lifetimes.
Not only that, but just because the news article linked to has 2007 at the top, doesn't mean the findings were from 2007. The news article in which the author "just read an incredible scary article" links to said incredible scary article - http://news.bbc.co.uk/2/hi/programmes/click_online/4423733.stm [bbc.co.uk] - from 2005. So not only was the news article writer 2 years behind the times, you're now suggesting that we should believe that you find it incredulous that things may have improved in 6 years' time?
In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.
Then again, by April 2005, SP2 was also distributed and guess what it enabled by default? Windows Firewall. The worm in the original article, Sasser, would not have gotten very far.
Then again, Sasser would not even have been on the system if they bothered to install the update that fixed the hole that Sasser would eventually exploit.
It's just not a very convincing example to begin with, and certainly not one you should be citing 6 years later.
Re: (Score:2)
On the one hand, pulling out the dead horse that is "X seconds to XP infection" and beating on it in 2011 is a new low. Even for Slashdot. On the other hand, I wouldn't be caught dead with Windows XP in this day and age even with all the patches.
Malware authors know the insides of XP so well that you have to do so many things to make a secure Windows XP build that it isn't worth the time, especially since you can install Win 7 64bit and it's pretty much secure out of the box. It's much harder to root due to
Re: (Score:2)
Yep, I think it is well known now that installing XP RTM and connecting it directly to the Internet without patching is not safe.
Re: (Score:3, Interesting)
In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.
With great new code-bases comes great vulnerability.
I just "removed" (and by remove I mean re-format re-flash BIOS and reinstall Windows) a bit of malware (Banker Rootkit Variant) that exploits a Java vulnerability via applet (JRE was up to date, but the old exploitable versions are still there, and can be targeted -- remove them now), then installs a rootkit via kernel driver -- Somehow miraculously bypassing the fact that drivers must be signed on 64bit MS OSes -- Oh, it's not that special it just disa
Re: (Score:2)
p.s. this is why anyone with half a clue disables any and all browser plugins.
Wishful thinking.
The common setting you see in browsers is an all-or-nothing deal, which constrains you to visiting text only sites until you open the menu to open a preferences menu to change the setting (that affects all plugins rather than just untrusted ones.)
It took Google Chrome several attempts to get it right. First, they added plugin blocking in some menu. Then they added a button in the address bar that allows unblocking plugins. Then, the bug where that button unblocked plugins for multiple tab
Many still stuck in 2007 (Score:2)
Wrong.
There are plenty of MS Windows XP machines that have not been patched since 2007. Also how many Microsoft based machines have you seen with spreadsheets etc newer than MS Office 2003?
Observation gives the indication (Score:3)
No, what does tell me and should tell you is simple observation. Many XP machines in homes do not have automatic updates turned on and have never been updated after the day they were purchased. There are also a vast number of cracked copies of XP out there which have never been updated because the users are worried that an attempt to download updates will identify their XP as copies instead of purchased software.
Re: (Score:2)
The WGA update I can confirm does validate product keys (it is wha
Re: (Score:2)
Re: (Score:2)
I count every install of Vista as an infection.
Or.. "Scanner finds 95% Windows PCs not infected"? (Score:2)
I don't know anyone who actually runs this. (Score:2)
information is insufficient (Score:5, Insightful)
Re: (Score:2)
Well said! I was about to make similar comments, but I see that you already did so, and far better than I would have. My first thought was that this was an indication that people who are security conscious still have an infection rate of 5%, but it could easily go other ways, depending on the biases, such as the ones you mentioned.
NAT to the rescue! (Score:5, Insightful)
The IP6 folks hate NAT, but it's the only thing that's saving personal computing at the moment. Because random inbound connections don't pass through NAT devices, any home PC behind one is MUCH safer than one directly on the internet. It sucks in terms of the end to end utility of the internet, but it's the tradeoff most users are willing to make for reasonable safety.
Re:NAT to the rescue! (Score:5, Interesting)
What will remain to be seen is whether the firewall devices can be:
- Properly configured or come with sane defaults.
- Fail in a safe manner rather than suddenly just allowing every connection through.
- Can't be switched to completely transparent by attack software.
It will be interesting in a few years as IPv6 finally takes off. I think the 3rd option is going to be the interesting one. In a IPv4 NAT'd network, the attacker has to (a) know the internal IPs and (b) add an inbound port forward to the NAT device. In the IPv6 firewall scenario, because the devices inside the network already have routeable addresses, if they can open up the firewall then they win.
The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.
A few years, as in enumerating 2^64 addresses and processing 1 million per second means you need about 585,000 years. There are ways to fine that down such as only searching the list of valid MAC addresses, which cuts the size down to 2^40 to 2^48. And you could fine that down even more by only looking for popular MAC addresses, which would probably make it 2^36 to 2^40 roughly. Scanning 2^32 @ 1 million / second takes about 80 minutes, 2^36 is 19 hours, 2^40 is 305 hours. Of course, attempting to scan 1 million hosts per second would bury most boxes and would probably require 10Gbps to pull off.
Compare that to today's networks where the local network segment usually only has 256 to 4096 possible addresses. Multiple orders of magnitude easier to scan.
Re: (Score:2)
That depends. I suggest reading RFC 5157 [ietf.org].
Machines that serve up public services (web servers, FTP, or anything that appears in a public DNS record) will still be heavily attacked. But machines configured via DHCP (where the assigned addresses are not sequential) or which are using the privacy addresses will be harder to find through guessing.
And in the ca
Re: (Score:2, Informative)
NAT is NOT security. If you want security, the most basic setup is called a stateful firewall. You may want to read about it.
http://en.wikipedia.org/wiki/Stateful_firewall [wikipedia.org]
Even better, close down all services that you do not need listening. Application level firewall is another good idea.
If your security is NAT alone, then it's a sad state of affairs. NAT masks security, nothing more..
PS. For all the NAT-lovers, there exists an IPv6-NAT too. So saying that IPv6 == cannot have NAT is wrong. On Linux, stateful
Re: (Score:3)
I know that NAT doesn't help security against an advanced persistent threat, but it does scrape off the top 99% of all attacks, which is a big plus.
A stateful firewall can scrape off another 99%
Locking down each service with AppArmor can scrape off another 99%
Which means you'll still have no effective security against an advanced persistent threat... you'll only be stopping 99.9999%, not all of it.
Capability based security might give you another 99%, which is good, but not enough.
Re: (Score:2)
NAT is not security, but it's as close to security as many people will get.
Sure, there are FAR superior ways. But let's aim low, because that's what malware writers do, too. And as long as enough people can be infected even though NAT would kill the attack vector, NAT is a security feature. This will change when too many people use it and the attack vector ceases to work, but 'til then, it's a simple way for people to gain at least a bit of security.
Re: (Score:2)
I wonder if all these dropped unsolicited packets I'm seeing bounce off my firewall/NAT are what's causing my bandwidth usage measurements to be so much less than my ISP's capped bandwidth meter is showing... As for "end to end" blockages -- If you don't know how to port-forward, enable UPnP -- everything supports it these days, even ports of old games like Doom. However, being behind an ISP's NAT is unbearable -- that's why ip6 is needed, so that we don't end up behind an un-configurable ISP NAT router.
Re: (Score:3)
As for "end to end" blockages -- If you don't know how to port-forward, enable UPnP -- everything supports it these days, even ports of old games like Doom.
Never, ever, ever enable UPnP if you care about security. Allowing random applications to open up random ports is just asking to be pwned.
Re: (Score:2)
Explain this to me; why is UPnP so insecure? UPnP can only be switched on by a random application if that application has access to the LAN. That application is then _already_ running locally on one of the machines on the network. It can _already_ connect to random machines/ports. If that application now wants to exploit a vulnerability on one of the machines connected to the LAN, it can do it directly, no need to configure any port forwarding to let yet something else in.
I haven't yet read any realistic ar
Re: (Score:2)
Besides, it's a part of the atmosphere... flayed and mounted on Lexan hanging from my wall (with lots of carefully routed wires and a few pretty lights that blink intermittently) -- I find wallputers more interesting/functional than most paintings, plus it's easier to clean, takes up less space and promotes a cozy cyber-punk feel.
Your ideas are intriguing to me and I wish to subscribe to your newsletter.
Re: (Score:2)
but it's the tradeoff most users are willing to make for reasonable safety.
I'd bet almost nobody consciously chooses NAT for security. They choose it because the numbers are running out, pure and simple.
Not serious (Score:3)
> though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds.
These numbers mean nothing. Just like statistics about domestic abuse ("1 woman in 3 is a victim of abuse"), that kind of thing cannot be measured so someone comes up with a pseudo-scientific number and everybody keeps repeating this stuff ad nauseam like Rush Limbaugh on election week.
Individual malware is having way too much exposure in the media for its actual damage. In an era where legitimate companies such as Facebook or Google are cornering the market on privacy violation and shameless data-mining, nobody gives a sh*t about Uncle Joe's private information. Credit card numbers are traded by the thousands and it is not cost-effective to try to harvest valuable information from individual PC - financial institutions and service providers (PSN!) are a much better target.
The name of the game is now large-scale deployment and a botnet that does not protect its nodes does not live long enough to justify an article on Wikipedia. Actually for home users I would even argue that being part of a botnet can be a good thing - the operators know what malware is serious and they have a financial stake in maintaining a healthy network of zombies; they will keep the basement wannabes away. On a global scale they are the ones with the best interest for home PC security - much more than most PC owners themselves. It's like joining a gang when you go to jail for a long time - be part of the swarm and the odds that you end up becoming a silent farter are much lower.
Mod Parent "Funny" (Score:2)
Actually for home users I would even argue that being part of a botnet can be a good thing - the operators know what malware is serious and they have a financial stake in maintaining a healthy network of zombies
My title says it all.
The name "Safety Scanner" sounds like Malware (Score:3)
Even if it isn't actually MalWare, the name "Safety Scanner" is as suspect as "Windows Recovery" or "MAC Defender".
I would have thought Microsoft's marketing department (arguably one of the greatest marketing departments in Info Tech), could have come up with something less dodgy than "Safety Scanner".
Maybe the people who were inclined to download and install "Safety Scanner" are the same people who are inclined to download and install "Windows Recovery". Making the estimate of 5% high.
Conversely, maybe the people using "Safety Scanner" were more conscientious about Computer Security and were seeking out extra protection. Making the estimate of 5% low.
Malware? Scareware? (Score:4, Insightful)
So this machine was infested with malware? I don't think so!
Yet another scareware scanner!
Re: (Score:2)
And it is. I mean, don't you think that the line
65.55.175.254 www.google.com
is suspicious?
As well it shouldn't. Do you recall installing a VNC client? I don't recall you installing a VNC client. So why is there a VNC client on your system?
No, just a scanner that does what it's supposed to.. report irregularities.
Just becau
Re: (Score:2)
Your entire post, which seems to be entirely about the hosts file, can be summarized by your summary:
All one needs to do is swap your statement and it should be obvious why malware scanners report these things;
P.S.=> Yes - Sure: You can use them to YOUR advantage, but then again, so can malware!
Malware scanners are incapable of knowing whether it was you, or a disgruntled employee, or a piece of malware, or the align
Re:Malware? Scareware? (Score:4, Insightful)
VNC can legitimately be used as spyware in the classic sense. When someone remotely logs in, the local computer shows no indication that activity is being observed by someone else. (Contrast with Microsoft's Remote Desktop, where logging in remotely kicks the local user off and locks their screen.)
It's exactly the kind of thing this tool is supposed to be scanning for. What makes you think it's a false report? The scanner has no way of knowing whether you installed it, or someone else did behind your back.
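The point made in the comments above, that a scanner can only report hosts-file irregularities such as the quoted `65.55.175.254 www.google.com` line and cannot tell who put them there, shown as an added example (not code from any commenter and not how Microsoft's scanner works). The category labels and every sample entry other than the quoted line are assumptions made up for the illustration.

```python
import ipaddress

# Constructed sample. Only the www.google.com line is quoted from the thread;
# every other entry is made up for this illustration.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net     # user-added ad block
65.55.175.254   www.google.com
10.0.0.5        fileserver intranet.example.local
not-an-ip       broken.example.org
"""

# Names that are expected to resolve to the loopback interface.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, address, [hostnames]) for each non-empty entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if fields:
            yield line_no, fields[0], fields[1:]


def classify(address, name):
    """Return a category label; the labels are this example's own (hypothetical)."""
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # ignore IPv6 zone id
    except ValueError:
        return "malformed"
    if name.lower() in LOCAL_NAMES:
        # localhost pointing anywhere but loopback deserves a look
        return "local" if ip.is_loopback else "local-name-remapped"
    if ip.is_loopback or ip.is_unspecified:
        # The name is blocked. Common for ad blocking, but worth reviewing when
        # the blocked name is a security vendor or an update server.
        return "sinkhole"
    if ip.is_private or ip.is_link_local:
        # Usually an intranet mapping added by an administrator.
        return "private-override"
    # A public name pinned to a public address: the entry bypasses DNS, and
    # the scanner cannot know whether the owner or malware wrote it.
    return "public-redirect"


def audit(text):
    """Return (line, name, address, verdict) for every entry worth reporting."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if not names:
            findings.append((line_no, "", address, "malformed"))
            continue
        for name in names:
            verdict = classify(address, name)
            if verdict != "local":
                findings.append((line_no, name, address, verdict))
    return findings


if __name__ == "__main__":
    for line_no, name, address, verdict in audit(SAMPLE_HOSTS):
        print(f"line {line_no}: {name or '<no name>'} -> {address} [{verdict}]")
```

Every finding is a prompt for a person to confirm or dismiss; none of the categories is a verdict that the machine is infected.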
10 seconds, back in 2007...not true now, though. (Score:5, Informative)
One big thing has happened since 2007: Windows has started shipping with the Windows Firewall turned on by default and blocking inbound requests. Since network-spreading worms were the primary contagion factor back in 2007, this made a huge impact all by itself. Also, the growing prevalence of dynamic NAT in households (usually from the wireless routers that everyone has these days) also contributes to this.
10 seconds - a load of horse manure! (Score:2, Insightful)
I have an unpatched Windows 2000 machine behind a cheap Netgear router. It's never once been attacked and it sits on the Internet 24/7 sending weather data to an FTP site. It doesn't get used for anything else and it's been up for four years now. The hard drive is too small to install the service p
Re: (Score:2)
I have an unpatched Windows 2000 machine behind a cheap Netgear router.
That is because it is behind a router that is an NAT, blocking the attack.
Re: (Score:2)
10-20 seconds was a pretty accurate infection frame for an unpatched Windows XP-SP1 machine directly connected to the internet in 2007. I've tried it myself. And considering how frequently people update their machines, I'm still convinced hooking a WinXP-SP1 machine to the net unfiltered will result in an infection within seconds.
It is NOT true for newer OSs or XP with SP2 or higher. So technically, what he got wrong was the time. A windows machine got infected in 10 seconds. It's not true anymore (for more
Ignoring 3rd party crapware (Score:5, Insightful)
These are likely not so bad without exposure to Adobe and Java.
Let us be honest for once.
Re: (Score:2)
Let us be honest for once.
And Flash and Javascript.
(And the biggest issue with PDF, Flash and Java plugins are that they use a non-standard update mechanism instead of being built into Windows Updates. And both Oracle and Adobe are horrid about trying to install add-ons like browser toolbars, or constantly changing their update methods. Which leads to users never updating these key pieces of software, thus getting pwn'd a few years down
Re: (Score:3)
(Flash is Adobe.)
The biggest issue with Flash's updater is that it doesn't even attempt to check for an update until the computer is rebooted. I'm sure this works for a lot of people, but I basically never reboot my computers-- god knows how many unpatched Flash vulnerabilities I have! Hell, it may be zero. I won't know until I reboot.
It's actually safer to run Chrome, which has its own internal copy of Flash and an updater that... actually works correctly. Of course, then even the problem is you still need
Information insufficiency (Score:2)
Wonder how many wine users are infected (Score:3)
Wonder how many wine (www.winehq.org) users are infected, as users.
http://wiki.winehq.org/FAQ#head-3cb8f054b33a63be30f98a1b6225d74e305a0459 [winehq.org]
http://www.google.com/search?q=wine+virus [google.com]
Re: (Score:2)
Funny enough, quite a bit of malware does actually run on Wine. Tells you something about its compatibility. ;)
100%! (Score:2, Troll)
Re: (Score:2)
Windows is no malware.
Malware usually gets updated near instantly the moment its maker encounters a problem with it.
67MB ? (Score:2)
And only valid for 10 days. No updates, have to re-download the whole thing to have the new definitions. It's *bigger* than most AV software...
What the heck MS ????
Re: (Score:3)
And only valid for 10 days. No updates, have to re-download the whole thing to have the new definitions. It's *bigger* than most AV software...
What the heck MS ????
Maybe it was not intended to be "AV software"? From the front page of Microsoft Safety Scanner (emphasis mine):
The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
...
The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.
For real-time protection that helps to guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials.
Re: (Score:2)
Equivalent tools from other sources do the job in about 1/8th the size.
(MBAM clocks in at around a 7.5MB download, and the database updates are only a few megabytes.)
Its backwards (Score:2)
5% of windows machines are NOT infected with something.
selection bias (Score:2)
Windows XP + DOCSIS 2 (Score:2)
How to build a Windows machine in 10 seconds? (Score:3)
Re: (Score:3)
Pretty much, yeah.
Re: (Score:3)
It's interesting to note that the number of infected pc's is exactly 5% of the computers that had that tool installed. Not 5% of all machines as the article implies.
Slow night on slashdot?
- Dan.
Re: (Score:2)
Combofix FTW. Although it wouldn't remove a "Windows Risks Prevention" I encountered last week. It took rkill, a registry patch, and MBAM to remove it for good.
This was a machine "protected" by Bullguard.
Re: (Score:2)
Re: (Score:3, Informative)
I still got infected yesterday with the loathed fake-antivirus (The author is actually known, but in Ukraine). Sneaky thing managed to trick me by taki
Re: (Score:3, Interesting)
Re: (Score:2)
I was bitten last year because a major website for my profession ran a twitter feed and someone managed to inject malicious code into that, and Chrome happily executed it, I just saw my PDFreader start up, then close again (thank you, Adobe). And I was infected right there.
Using my PC as springboard the hackers managed to plant another infected php-file on one of the sites I run. Good fun all around and it took me a while to find and clean everything. I've since switched to a non-standard PDF-reader that do
Re: (Score:2)
Do you run firefox with adblock and noscript? That's probably the best way to defeat 99.9% of accidental infections.
Re: (Score:3)
Re: (Score:2)
When encountering the .exe file association thing I usually make a copy of regedit32.exe and name it regedit32.com or regedit32.bat. Since execution is based on the 3 letter extension the program will run fine. Then I can fix the file association problem. You can do this for combofix or whatever as well to get it to run as well.
Re: (Score:2)
...do you verify that all of the ads on that site you are visiting are from reliable sources? Doubleclick, Dailymail...
This may indeed be the one situation in which The Daily Mail could be considered a reliable source.
Comment removed (Score:5, Informative)
Re: (Score:2)
It's improved, yes, but is still abysmal. If a bug is found in Mac or Linux, patches are put out as quickly as possible. MS waits for "patch tuesday" at the earliest. The latest IE hole affecting all versions won't be patched until August.
MS doesn't care about security itself, it only cares about the perception. And yes, Macromedia and Adobe are as bad or even worse.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Now, now, now... a bit less melodrama please.
While possible, most malware these days is no better than the average business software: It does what's necessary to get the job done, and nothing above. In other words, while possible to do what you describe, the overhead would be enormous. Most malware is happy when it has every base covered that keeps it out of the view of a normal on-access scanner, it will have a few rootkit-like tricks up its sleeve, but nobody (as far as I can see) bothered to mask traffic
Re:Security has improved (Score:5, Informative)
Re: (Score:3)
Re: (Score:2)
While the vector you describe gains momentum, the main vector is still the user: Click here for dancing bunnies and a nude pic of $hot_celebrity.
Re: (Score:2)
It was true, back in the time when XP had a remotely exploitable security hole (pre-SP2). Connect a XP-SP1 machine to the net without a router or something else blocking incoming connections and it will be hijacked in less than 30 seconds.
But the meme should have died no later than XP-SP3...
Re: (Score:3)
Ahh... don't you just love smell of a fresh straw-man in the morning.
Are you deliberately denying reality or just giving us a personal demonstration of the Dunning-Kruger effect [wikipedia.org]?
Did you even check the links in TFS? Here's the one from Information Week [informationweek.com] in 2007 which describes one such experiment. The unpatched XP PC stayed clean for all of 8 seconds connected without firewalls to the internet. Then Sasser and other bad stuff started installing itself on the PC. GP's assertion is valid - an unpatched XP PC can be compromised in less than 10 seconds without a firewall.
Re: (Score:2)
Standard Microsoft reputation management response to malware discussions.
Have you read the discussions here on /. and elsewhere about the latest Mac OS X malware? Apparently it's all the user's fault for deliberately installing malicious software and anyone blaming Apple in any way is spreading FUD.
The day Microsoft stops trying to deflect blame with this tired old furphy, and starts taking Human Factors science seriously, is the day Windows starts becoming secure.
They've at least put some effort into this since the XP era. At this point, they're probably a lot better than Apple, who still seem to think that letting untrusted websites automatically download and launch installer packages, and then giving the site significant control over what th
Re: (Score:2, Insightful)
Windows is as secure as any system out there. There is exactly only one reason left why Windows is still the most attacked system out there: Market share. Simple as that.
Malware is a business. It's not the pimple faced geeks of the 80s who want to stroke their e-peen and gain nerdpoints with their peers. It's business. And businesses develop software for the biggest market, it's as simple as that. Wait for MacOS to gain share and watch the malware come.
Because it does not matter anymore how secure a system
Re: (Score:2)
Because there is a guaranteed timeline for how long the product will remain serviced, and that was available knowledge when you bought the damn product. AND it was EXTENDED past the original announced date.
Stop complaining about XP security. The Windows model has and likely always will be a series of paid upgrades in order to gain not only the latest features but also the latest security updates after a certain point. It's not like that was a recent change to their business model, that's how it's always bee
Re: (Score:3)
Though it doesn't name it in TFA, I'm betting that this also has something to do with the Malicious Software Removal Tool [microsoft.com] that is a part of normal Windows updates. This is downloaded and installed and run by default if you let Windows Update do its thing without manually configuring which update to install and which to ignore.
If you had bothered to read just the first 2 paragraphs of the computerworld article linked to you would have noticed this:
Microsoft cited that statistic and others from data generated by its new Safety Scanner, a free malware scanning and scrubbing tool that re-launched May 12.
And if you follow the link to the actual software, Microsoft Safety Scanner, this is the introduction:
Microsoft Safety Scanner
Do you think your PC has a virus?
The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.
The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.
So no, this is *not* based on reporting back from MSRT. This is reporting from a tool which is labelled as a diagnostics one-off tool (works for 10 days) for users who think that their computers *may* be infected. Drawing any conclusion about infection rates from a self selected populat
Re: (Score:2)
Also a flawed sample. Who calls you to repair their machine? People who have a problem with it and cannot fix it themselves. This means that you have customers who are not too computer savvy who actually SEE a problem in their machine. The chance that malware is the root or at least a contributing factor is quite high, don't you think?