Unpatched and often pirated versions of Windows XP are a main target for rootkit infections, according to the AVAST Virus Lab.
The anti-virus software company catalogued over 630,000 samples during a six-month study and found that 74 per cent of infections originated from Windows XP machines, compared to 17 per cent for Vista and only 12 per cent from Windows 7 machines.
While Windows XP may be old, it is still the most common operating system around the globe with 49 per cent of avast! antivirus users having it on their computers compared to the 38 per cent with Windows 7 and the 13 per cent with Vista.
“One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can’t be validated by the Microsoft update,” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.
Rootkits actively hide their presence from administrators by subverting standard operating system functionality or other applications in order to gain access to software and data.
“Because of the way they attack – and stay concealed – deep in the operating system, rootkits are a perfect weapon for stealing private data,” Gmerek explained.
More recent operating systems like Windows 7 are more resilient to rootkits, and the addition of UAC, PatchGuard and driver signing to the latest Windows versions has helped, but has not provided foolproof security.
Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their preferred target for even the newest TDL4 rootkit variants.
Rootkits infecting via the MBR were responsible for over 62 per cent of all rootkit infections, the study found, while driver infections made up only 27 per cent of the total.
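Because the MBR is the first sector read at boot, a defender's baseline check is simple in principle: read sector 0, verify the 0x55AA boot signature, parse the four partition entries, and compare a hash of the 446-byte boot-code area against a known-good value taken when the machine was clean. The script below is an added example written for this article; it is not AVAST's code and not aswMBR. The 512-byte MBR, the baseline hash and the partition values are constructed inline so it runs offline; the `read_mbr` helper for a real disk is an assumption about where you would point it (for example `\\.\PhysicalDrive0` on Windows, run as administrator).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partitions and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    code = mbr[:BOOT_CODE_SIZE]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(mbr[start:start + PARTITION_ENTRY_SIZE]))
    return {
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": entries,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    parsed = parse_mbr(mbr)
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in parsed["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a block device or disk image (assumed path, needs privileges)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four packed entries (constructed)."""
    table = b"".join(entries) + b"\x00" * (64 - 16 * len(entries))
    return code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data: a stand-in boot stub and one NTFS (type 0x07) partition.
CLEAN_CODE = b"\x33\xC0\x8E\xD0" + b"\x00" * 442
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
BASELINE_SHA256 = hashlib.sha256(CLEAN_CODE).hexdigest()   # recorded when the host was clean
CLEAN_MBR = build_mbr(CLEAN_CODE, [NTFS_ENTRY])
# Constructed "modified" MBR: same partition table, different boot-code bytes.
TAMPERED_MBR = build_mbr(b"\xEA\x00\x00\x00\x00" + CLEAN_CODE[5:], [NTFS_ENTRY])

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

A hash comparison only tells you the sector changed, not what changed; legitimate boot-loader updates also alter the boot code, so re-record the baseline after any such update and treat an unexplained mismatch as a trigger for an offline scan, since a rootkit that is already active can intercept the read and return the original bytes.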
The Alureon (TDL4/TDL3) family was found to be responsible for 74 per cent of rootkit infections.
“People need to keep an antivirus software installed and updated, regardless of where they got their operating system,” Gmerek said.
“If they suspect there is an issue, they can scan their computers with a rootkit removal tool such as aswMBR.”
The AVAST Virus Lab says its avast! software is the only AV solution to provide on-access detection of rootkits as they try to install themselves, in addition to boot-time and on-demand scanning.
A team of AVAST software specialists including Gmerek will attend the upcoming Blackhat/Def Con events in Las Vegas at the beginning of August.