Microsoft Malware Protection Blog: Some Observations on Rootkits

The Microsoft Malware Protection team blogged their observations on rootkits:

  • How big is the rootkit problem? Of all infections reported from client machines, low-level rootkits represent about 7% of infections.
  • Worst of the worst. In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports.
  • Rootkits in their natural habitat
    Here are the most popular locations we see hidden rootkit binaries living on the hard disk:

    Rank  Location            Example
    1     %system%\drivers    c:\windows\system32\drivers
    2     user temp           c:\Users\username\AppData\Local\Temp
    3     %system%            c:\windows\system32
    4     system drive root   c:\
    5     windows temp        c:\windows\temp
    6     %windows%           c:\windows
    7     install folder      location the installer was run from
  • Hidden file types
    In terms of the type of file being hidden on users’ computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.

    Type  % of rootkit threats
    SYS   59%
    EXE   40%
    DLL   1%
  • Kernel-health screening
    Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel.  That’s about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide.
  • An unspoiled landscape
  • Parting thoughts
    Keep real-time protection enabled
    Run 64-bit Windows
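The location table and the "drivers come out on top" finding above suggest a simple triage check a defender can run on a Windows host: enumerate the installed kernel drivers, normalise their image paths, and flag any whose binary lives in one of the blog's top hiding spots (user temp, windows temp, the drive root), has no valid Authenticode signature, or is not present on disk at all. The script below is an added example, not code from the Microsoft blog post; the path-normalisation rules and the choice of which locations count as suspicious are this example's own assumptions.

```powershell
# Added example (not from the Microsoft blog post): list installed kernel
# drivers and flag those that sit in the locations the post ranks as common
# rootkit hiding spots, lack a valid Authenticode signature, or are missing
# from disk. Run in an elevated Windows PowerShell / PowerShell 7 session.
# The normalisation rules and the "suspicious" heuristic are assumptions.

# Assumed pattern for rank-2 "user temp" (c:\Users\<name>\AppData\Local\Temp).
$userTempPattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\'

function Resolve-DriverPath {
    # Turn the service database's PathName into a plain Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverRisk {
    # Return the list of reasons a driver image deserves a closer look.
    param([string]$Path)
    $reasons = @()
    $parent = Split-Path -Path $Path -Parent
    if ($Path -match $userTempPattern)                         { $reasons += 'user temp' }
    if ($parent -ieq (Join-Path $env:SystemRoot 'Temp'))       { $reasons += 'windows temp' }
    if ($parent -ieq ($env:SystemDrive + '\'))                 { $reasons += 'drive root' }
    if (Test-Path -LiteralPath $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        # A registered driver whose file cannot be seen is worth checking:
        # the post's whole topic is binaries hidden from normal enumeration.
        $reasons += 'image not visible on disk'
    }
    return $reasons
}

Get-CimInstance -ClassName Win32_SystemDriver |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path) { return }
        [pscustomobject]@{
            Name  = $_.Name
            State = $_.State
            Path  = $path
            Flags = ((Get-DriverRisk $path) -join '; ')
        }
    } |
    Where-Object { $_.Flags } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Two caveats go with this check. First, it enumerates from user mode on the running system, so a kernel-mode rootkit that hides its file or service entry can hide from this script too; a clean result here is corroboration, not proof, and should be confirmed with an offline scan or a boot from trusted media. Second, an unsigned or oddly placed driver is a lead, not a verdict: plenty of legitimate installers drop drivers in unusual folders, which is the same point the post makes about non-malicious software modifying the kernel.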

Complete details in
