According to Microsoft's SIR report, a single piece of malware raised Windows 7's infection rate above XP for the first time. But this tells us about the vulnerabulity of Windows as a platform and not just Windows 7.

Does Windows 7 suddenly have a greater chance of malware infection than Windows XP, as some news stories suggested after reading Microsoft’s Q4 Security Intelligence Report (SIR) report last week? In fact, no. It’s trick of Microsoft’s statistics driven by an unusual piece of malware called 'Rotbrow'.

If you’ve never heard of it (and unless you’ve been infected you probably won’t), Rotbrow is an old but suddenly malicious ‘Browser Defender’ plug-in used to drop the nasty Russian 'Sefnit' (aka 'Mevade') bot Trojan. Seeded across the Internet in a number of forms including ‘BrowserProtect’, ‘Bitguard’, and the ‘Babylon toolbar’, those with longer memories will recognise it as a more advanced take on the old toolbar spyware cons that were popular a decade ago.

A few months ago, Websense reported that the gang behind Mevade was operating from Russia where infections were unusually low. It was also earlier blamed for an unusual traffic spike on Tor, whose anonymity system it adopted as a way of hiding its command and control traffic.

The graph that reveals its astonishing success in the second half of 2013 is on page 57 of the SIR, which shows a sudden inversion of the pattern of previous Microsoft SIRs in which more recent versions of Windows, such as Windows 7, are infected less often than older ones, such as XP.

Microsoft’s calculation in ‘computers cleaner per mile’ (CCM) showed that in the second half of 2013 XP had an infection rate of 24.2 per 1,000, lower than Vista’s 32.4 and slightly lower than Windows 7’s 25.9, driven in both cases by the rampaging Rotbrow, which took anti-virus firms by surprise by changing from benign (which it had been for around three years) into something malicious.

It looks like evidence that XP somehow resisted Rotbrow more effectively but it's nothing of the kind. A defining characteristic of Rotbrow is that it is gets on to PCs in a number of ways, including email attachments and P2P channels but a major tactic is to socially-engineer users into believing it is a security add-on they should consent to install.

Microsoft doesn’t break down how users became infected because they probably don’t know but because user intervention is required in a significant number of cases, it is not surprising that the more common Windows 7 is being hit as hard; as the dominant Windows platform its users probably see more benefit in installing a browser security plug-in than XP users, many of whom, one might infer from the fact they are using a decade-old OS, are less bothered about security.

What this stat doesn’t indicate is that Windows 7 users are more vulnerable to infection than XP users simply because they are using Windows 7, or that Windows XP is somehow more secure. It is a measure of the success of one piece of malware at one moment in time, not malware as a whole. As for Vista’s unusually high rate, that could be driven by the same factors but it’s hard to draw many conclusions from an OS whose market share hovers around 3 percent and features a User Account Control (UAC) design so deficient that users have a reputation for ignoring any warnings it throws up.

What would be dangerous is to use one unusual malware event to come to the incorrect conclusion that XP is not as vulnerable as has been claimed. We know that all versions of Windows are vulnerable to malware but XP more so because as well as an obsolete security design it is older and has a longer history of known security vulnerabilities. Many of these have never been patched by users which explains a significant amount of its low security rating.

But the significance of Rotbrow is more interesting and contains a clear warning; all versions of Windows are incredibly vulnerable to threats that come out of nowhere and that users and security firms don't anticipate.The problem is that these once unusual events seem to be becoming more common.




Find your next job with techworld jobs