XP remains fertile breeding ground for cyber infection

75% of rootkits hit Windows XP; pirated versions provide perfect target for attackers

PRAGUE, Czech Republic, July 28, 2011 – The AVAST Virus Lab has identified un-patched and often pirated versions of Windows XP as the main vector for rootkits infections. Data from a six-month study catalogued over 630,000 samples and found that 74% of infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

While Windows XP may be old, it is still the most common operating system around the globe with 49% of avast! antivirus users having it on their computers compared to the 38% with Windows 7 and the 13% with Vista.

Rootkit infections and choice of operating system

Rootkits actively hide their presence from administrators by subverting standard operating system functionality or other applications as they access to software and data.

“One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can’t be validated by the Microsoft update,” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher. “Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data.”

More recent operating systems like Windows 7 are more resilient to rootkits - but not immune. Including innovations like UAC, Patchguard and Driver Signing in the latest Windows versions has helped, but not provided fail-proof security. Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their favorite target for even the newest TDL4 rootkit variants.

The study found that rootkits infecting via the MBR were responsible for over 62% all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infection were the Alureon(TDL4/TDL3) family, responsible for 74% of infections.

“People need to keep an antivirus software installed and updated – regardless of where they got their operating system,” pointed out Mr. Gmerek. “And, if they suspect there is an issue, they can scan their computers with a rootkit removal tool such as aswMBR.

avast! is the only AV solution to provide on-access detection of rootkits as they try to install themselves in addition to boot-time and on-demand scanning. These anti-rootkit features are included in all free and paid versions of avast!.

As the rootkit specialist at AVAST Software, Mr. Gmerek will be attending the upcoming Blackhat/Def Con events in Las Vegas on August 3-7, 2011. He and the AVAST Virus Lab team would also like the opportunity to brief the press ahead of the public release of his full rootkit research whitepaper. Mr. Gmerek has never before given a briefing to the US media and the session offers insight and detailed statistics around the global infection rates, sources and technological direction of rootkit creators.