July 29, 2011, 9:56 AM — The stubborn popularity of Windows XP is offering an easy target for the creators of rootkit malware, according to antivirus company Avast. Three quarters of all rootkits it found in a new study were on XP machines.
Forty-nine percent of Avast's considerable user base still runs Windows XP, itself an interesting statistic nearly two years after Windows 7 was launched, but it is its obvious vulnerability in the face of advanced rootkits such as TDL-3/4 (aka 'Alureon') that offers the clearest reminder of its obsolescence.
In the company's six-month study of 630,000 infections, not only were a disproportionate 74% of all rootkits found on XP PCs, 74% of these infections were connected to TDL. Overwhelmingly, this malware sits on the master boot record of a PC, which makes it hard to spot and get rid of using conventional tools once it has bypassed security.
TDL-4 is the malware connected to the over-hyped but still dangerous TDSS bot that had some headline writers describing it in exaggerated terms some weeks ago as the "indestructible botnet".
The problem for XP remains, as Avast points out, is that it lacks some of the basic protection mechanisms that later versions of Windows come with, including Patchguard and driver signing, which make life harder for rootkits. (Note: rootkit writers have recently tried to outwit this layer of protection.)
Making matters worse, "One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can't be validated by the Microsoft update," said Avast researcher, Przemyslaw Gmerek.
Countering this combination of issues on XP is not easy although Avast does offer a free tool for scanning the MBR for infections. This won't always work, however. Only weeks ago Microsoft warned of a new rootkit that it said would require a complete OS reinstall.
Alternatively, as Microsoft would like users to think about doing, ditch XP altogether.
The last date for extended support has been set as 8 April 2014 so that leaves at least three years of rootkit exposure for determined users. If the number of pirated XP copies is as significant as Avast suggests, however, even that date will be meaningless to users for whom security seems to be a marginal concern.