Since releasing the new Microsoft Security Intelligence Report Volume 12 (SIRv12) a few weeks ago, one of the top questions I have been asked is about the new malware infection rate data for Windows operating systems.
Figure 1: Infection rate (CCM) by operating system and service pack in the fourth quarter of 2011
Figure 2: Infection rate trends for currently and recently supported 32-bit versions of Windows XP, Windows Vista, and Windows 7, third quarter of 2010 (3Q10) - fourth quarter of 2011 (4Q11)
Why is Windows XP Service Pack 3’s malware infection rate lower than that of Windows Vista SP1?
There are likely several factors contributing to this trend, but I’ll try to provide an educated guess on some of the contributing factors.
Malware that used Autorun feature abuse to infect systems was especially successful on Windows XP-based systems. About a year ago I wrote an article called Defending Against Autorun Attacks in which I outlined what Microsoft was doing to fight these threats and shared some of the preliminary results of these efforts. To summarize, Microsoft released security updates for Windows XP and Windows Vista that hardened the Autorun feature on these platforms the same way it is hardened on Windows 7 by default. Shortly after this security update was released, we could see a precipitous decrease in Autorun-related malware infections on Windows XP and Windows Vista systems.
Figure 3: Illustration of the decline in ‘Autorun' threats among Windows XP and Windows Vista systems as previously published on the Microsoft Malware Protection Center blog
The good news is that the malware infection rate on Windows XP Service Pack 3 (SP3) systems decreased from 10.9 systems found infected with malware for every 1,000 systems scanned with the Microsoft Malicious Software Removal Tool (MSRT) in the second quarter of 2011 to 8.6 in the fourth quarter; this is primarily due to the continued drop in infections of malware that employ Autorun feature abuse on Windows XP SP3 based systems. Examples of such families and how they have dropped include:
Another malware family that uses Autorun feature abuse is Win32/Conficker. New data released in SIR volume 12 provides some insight into how Conficker is using Autorun feature abuse on an operating system by operating system basis. As seen in Figure 4, in the last quarter of 2011, Conficker was observed attacking Windows XP systems using Autorun feature abuse only 2% of the time. Although Conficker is the top threat in enterprise environments, it’s not in the top ten threats found on systems running in non-domain-joined environments, like homes.
Figure 4. Blocked Conficker infection attempts by operating system
The factors I outlined here are certainly contributing to the reduced malware infection rate of Windows XP SP3 based systems in the last half of 2011. It’s also important to note that support for Windows Vista Service Pack 1 (SP1) was retired on July 12, 2011. This means that Windows Vista SP1 based systems no longer automatically receive security updates and helps explain why there is a sudden and sharp increase in the malware infection rate on that specific platform. Support for Windows XP SP2 was retired on July 13, 2010 and end of support for Windows XP is April 8, 2014.
Call to Action
Tim Rains
Director, Trustworthy Computing