The Microsoft Malware Protection team blogged their observations on rootkits:
- How big is the rootkit problem? Of all infections reported from client machines, low-level rootkits represent about 7% of infections.
- Worst of the worst: In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports.
- Rootkits in their natural habitat
Here are the most popular locations we see hidden rootkit binaries living on the hard disk:

Rank  Location            Example
1     %system%\drivers    c:\windows\system32\drivers
2     user temp           c:\Users\username\AppData\Local\Temp
3     %system%            c:\windows\system32
4     system drive root   c:\
5     windows temp        c:\windows\temp
6     %windows%           c:\windows
7     install folder      location installer was run from
- Hidden file types
In terms of the type of file being hidden on users' computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.

Type    % of rootkit threats
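As an added defensive check that is not part of the MMPC post, the following PowerShell inventories driver (.sys) files in the hiding locations ranked above and flags any that are not validly signed or were created recently; the 7-day "recent" window and the use of the current user's temp folder for "user temp" are assumptions.

```powershell
# Added example (not from the MMPC post): inventory .sys files in the locations
# the post ranks as the most common rootkit hiding places and report their
# Authenticode signature status and creation time, so unsigned or freshly
# dropped drivers stand out for review.
$locations = @(
    "$env:SystemRoot\System32\drivers",   # rank 1: %system%\drivers
    "$env:LOCALAPPDATA\Temp",             # rank 2: user temp (current user assumed)
    "$env:SystemRoot\System32",           # rank 3: %system%
    "$env:SystemDrive\",                  # rank 4: system drive root
    "$env:SystemRoot\Temp",               # rank 5: windows temp
    $env:SystemRoot                       # rank 6: %windows%
)

$cutoff = (Get-Date).AddDays(-7)   # assumption: "recent" means the last 7 days

$findings = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden and system files, attributes droppers commonly set.
    Get-ChildItem -LiteralPath $dir -Filter *.sys -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Recent    = $_.CreationTime -gt $cutoff
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Surface anything that is not validly signed or was created inside the window,
# newest first, for manual review.
$findings | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Recent } |
    Sort-Object Created -Descending | Format-Table -AutoSize
```

Because this runs on the live system, a kernel-mode rootkit that hooks file enumeration can hide its driver from the listing entirely; the post's kernel-health check and an offline scan are the complement to this inventory.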
- Kernel-health screening
Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel. That’s about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide.
- An unspoiled landscape
- Parting thoughts
Keep real-time protection enabled
Run 64-bit Windows