Windows XP is a Rootkit Spawning Pool

Three-quarters of all rootkit infections are on Windows XP machines, and it's not because XP is so ubiquitous.

If you're still dragging your feet on moving to Windows 7, consider this: a report from the Czech antivirus firm Avast notes that three in four PCs infected with rootkits are running Windows XP, and it's not because so many people use the aging operating system.

Avast, one of the better antivirus vendors out there (testing report in PDF format here), has published the results of a six-month study of more than 630,000 rootkit samples and found that 74 percent of infections were on Windows XP machines, while 17 percent were on Vista machines and just 12 percent of infected machines ran Windows 7.

However, the installed base of the operating systems doesn't line up with the rates of infection. Avast found that 49 percent of the users of its avast! antivirus program were running XP, 38 percent ran Windows 7 and 13 percent used Vista. So even though only half of its customers are using XP, they account for three-quarters of all rootkit infections.

The reason is fairly clear: rootkits are highly intelligent pieces of malware that can hide from the user, the operating system and the kernel, making them extremely hard to spot and remove. Windows Vista introduced a new, more secure kernel, and Windows 7 built upon that improved kernel.

That said, there are still some rootkits targeting 64-bit Windows 7, including a new one called TDL-4, which has been called "pretty much indestructible."

In an interview with Computerworld, Ondrej Vlcek, CTO of Avast, offered up a second theory on why XP is so heavily infected. With Windows XP Service Pack 3, Microsoft implemented stricter anti-counterfeiting measures through the Windows Genuine Advantage (WGA) program.

Vlcek noted that a third of Avast users running XP are still on Service Pack 2, which didn't have the WGA program. But support for XP SP2 ended a year ago. As in, no more patches and bug fixes. So if a security hole emerges in SP2, it doesn't get plugged.

He speculated users were hesitant to upgrade to Service Pack 3 because they were running an illicit copy of Windows XP and didn't want to get nailed by WGA. So they are running an OS that's both out of date and no longer getting any more security fixes.

If that is indeed the case, and there are people running a now-insecure pirated copy of Windows XP and picking up rootkit infections as a result, I have no sympathy for them.


Copyright © 2011 IDG Communications, Inc.
