Vulnerabilities / Threats
8/1/2011
01:29 PM
50%
50%

Counterfeit Windows XP Breeding Malware

Security firm finds that 74% of all rootkit infections can be traced to Windows XP machines.

Black Hat
Beware Windows XP, as 74% of rootkit infections can be traced to PCs running that operating system. By comparison, only 17% of rootkit infections were spotted running on Vista, and 12% on Windows 7.

That finding comes from Avast--a free antivirus software developer based in Prague--and is based on a six-month study the company conducted of 630,000 malware samples encountered by its users.

Interestingly, the prevalence of rootkits running on Windows XP, which debuted in 2001, is greater than the operating system's actual market share, which for Avast users was 49%, compared with Windows 7 (38%) and Vista (13%).

Attackers favor rootkits because they can surreptitiously be used to gain admin-level access to a PC, then silently install additional files and steal data. "Because of the way they attack--and stay concealed--deep in the operating system, rootkits are a perfect weapon for stealing private data," said Przemyslaw Gmerek, Avast's lead researcher, in a statement. He plans to detail his rootkit research in full, this week at the Black Hat USA conference, a UBM TechWeb event, in Las Vegas.

Most often, rootkits attack the master boot record (in 62% of attacks), followed by driver infections (27%). In terms of specific rootkits, Avast said that Alureon botnet--aka the TDL3 and TDL4 rootkit family--accounted for nearly three-quarters of all rootkit infections.

What, however, makes Windows XP such a rootkit magnet? "One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can't be validated by the Microsoft update," said Gmerek. As a result, he said, numerous Windows XP users aren't using the latest version--SP3--but rather earlier versions, such as SP2, which Microsoft ceased supporting--as well as patching--in July 2010. (Microsoft has said that it will cease supporting Windows XP SP3 in April 2014.)

Attackers also favor Windows XP because even SP3 lacks some of the anti-rootkit and other security features that Microsoft has added to more recent operating systems, including user account control, PatchGuard, and driver signing.

Since Windows XP, Microsoft has continued to boost the security of its operating systems and applications, although developer uptake of the enhancements can lag. Earlier this year, notably, Microsoft called on developers to implement more secure lifecycle software practices, as well as to better avail themselves of newer Microsoft-built mitigation technologies, including data execution prevention (to prevent attackers from executing arbitrary code) and address space layout randomization (to make it difficult for malware to locate known files on a PC that may contain vulnerabilities).

Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/11/2012 | 9:01:06 PM
re: Counterfeit Windows XP Breeding Malware
Who knew that using pirated software is bad.. [Pun intended]
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So...are we supposed to be the elves or the reindeer?
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.