Windows XP PCs breed rootkit infections

Three-fourths of all rootkits on decade-old OS, says antivirus firm

Machines running the decade-old Windows XP make up a huge reservoir of infected PCs that can spread malware to other systems, a Czech antivirus company said today.

Windows XP computers are infected with rootkits out of proportion to the operating system's market share, according to data released Thursday by Avast Software, which surveyed more than 600,000 Windows PCs.

While XP now accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines.

XP's share of the infection pie was much larger than Windows 7's, which accounted for only 12% of the malware-plagued machines -- even though the 2009 OS now powers 31% of all Windows PCs.

Rootkits have become an important part of the most sophisticated malware packages, particularly botnets, because they mask the infection from the user, the operating system and most security software. By installing a rootkit, the hacker insures the compromise goes undetected as long as possible, and that the PC remains available to the botnet's controller for nefarious chores, such as sending spam or spreading malware to other machines.

Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter's better security.

"According to our stats, as many as a third of XP users are running SP2 [Service Pack 2] or earlier," said Ondrej Vlcek, the chief technology officer of AVAST, in an interview Thursday. "Millions of people are out of support and their machines are unpatched."

Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits.

Although Microsoft serves everyone, even pirates, its monthly security patches and service packs, most security experts believe that users of illegal copies are very hesitant to upgrade or even patch for fear that they'll trigger the black screen and anti-piracy nag notices that Microsoft slaps on screens when it deems a PC is running a counterfeit copy of Windows.

Windows XP accounts for a disproportionate share of rootkit infections, but Windows 7 is under-represented. (Data: Avast, Net Applications.)

Vlcek urged users running legal copies to upgrade to XP SP3. "Moving to SP3 is the most basic thing that should be done," he said.

Also in play, said Vlcek, is Windows 7's stronger security, especially the 64-bit version.

"The 64-bit version [of Windows 7] has some technologies that really make it much more difficult for rootkits to infect the computer," said Vlcek, calling out that version's kernel driver-signing feature as key to keeping rootkits off machines.

But that hasn't completely protected Windows 7 64-bit, as Vlcek acknowledged.

"The surprising part to me was that I thought the Windows 7 [number] would be even smaller," Vlcek said.

Rootkits able to infect 64-bit copies of Windows 7 remain relatively rare, but they're certainly not unknown: The first popped up in August 2010, and a massive botnet some have called "practically indestructible" last month used a variant of the same malware to install a 64-bit rootkit on Windows 7.

That malware, which goes by a number of names -- Alureon, TDL, Tidserv and most recently, TDL-4 -- is especially devious, as it installs the rootkit into the Master Boot Record (MBR). The MBR is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.

By subverting the MBR, the rootkit is even tougher to detect, since it's already in place by the time the OS and security software are loaded into memory.

Avast found that rootkits which infected the MBR were responsible for 62% all rootkit infections.

Users who suspect that their PC is infected with an MBR-based rootkit can scrub their machine with one of several free rootkit detectors, including Avast's "aswMBR" and Sophos' "Anti-Rootkit."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags operating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?