Thursday, December 13, 2007 8:30 AM PST
Matt Egan, PC Advisor

Malware researchers at Prevx have highlighted what they are calling a 'massive growth' in the number of PCs harboring rootkit infections.

More than 725,000 PCs were scanned using the Prevx CSI malware scanner over a two-month period. Of the around 291,000 users who scanned their PCs during October 2007, some form of spyware or malware was found on one in six.

PCWorld

One in six with rootkits? Sounds too high a figure to me. Why use rootkits when the older infection technology works so well on most under-protected PCs?

What do you think?

This may or may not be a good representation of actuality found in the security forums.

It's hard to tell. I know in my travels I certainly don't run into that much root kit activity.

I do know the word strikes panic in users minds, and rightly so. As good as the security community has become at detecting them, users must heed the warnings about being proactive in their defenses and not thinking that 'It won't happen to me'.

Those who get infected certainly should weigh the option of saving data and reformatting the OS, because that is the only 100% way to know your system is clean(which I recommend in most cases). That is course barring the out-there chances of some new fangled type of rootkit.

I keep checking for bad stuff, but I know I could slip up some day.

I have not had to reformat my PC since I bought it 18 months ago. When I do reformat, I plan on splitting the drives so that I can isolate the OS on it's own drive.

I figure that's one good way to keep my data safer. I also backup onto an external drive.

What would you recommend for the average joe?

I feel it's pretty difficult to get infected if you surf with common sense, keeping away from dodgy sites, cracked warez sites and you don't open any odd emails.

Doing those things alone with reduce your chances by 80%.

Look at me, no anti-spyware, freeware AVG av, SiteAdvisor, WinPatrol, MVPS hosts file and IE-SPYADs along with SpywareBlaster. And my Norton fw.

Nothing to suck up any CPUs, nothing 'active' save for AVG as it checks incoming emails. I've not had anything permeate the system or even attempt to in 5 years or so when my lil bro got infected with the Love worm I think it was and his machine was spewing out emails left and right.
Norton was on the box at that time and it stopped all the emails before I even tried to open them. Once I realized that my surfing habits combined with the obviously not too common sense of not opening every email that falls into my inbox just didn't warrant all sorts of intrusive software, I dumped it all.

I was running SpySweeper, Ad-Aware w\Adwatch, Spybot S&D w\TeaTimer, scanning for nasties every nite.

Common sense is what really works the best and unfortunately is the hardest thing to teach. Rather, it seems to be the hardest thing to learn.

And as for the average Joe, who can't quite prevent himself from getting infected, load up on as much as your system can handle, make frequent back ups and restore points, use IE7 and maybe even set yourself on a limited user account.

Rootkits are not "infection technology". Infection occurs using the usual methods as before (activex, exploits, trojans, social engineering etc), rooktits don't make it easier to infect systems.

The difference is now that the payload also includes rootkits which just make it harder to detect the infection once they occur.

It used to be that when an antivirus/antispyware missed a certain sample, it didn't matter as much, because once the AV got updated it would eventually detect the infection by signatures.

With rootkits in the mix, once the rootkit took hold, it would be invisible to the scanner because the rootkit had already took hold and controls the OS and hides it from the scanner (though scanners are adding some anti-rootkit technology). - Altought the scanner worked fine detecting rootkit samples that hasn't executed yet of course.

I find it interesting that antispyware guys are reporting increased use of rootkit-like technology by adware. You would think that combining rootkits and adware makes no sense, since the former wants to remain stealthy, while the later by definition has to make itself known such that even the rank newbie knows it's there.

Then again it makes sense, since adware probably has the shortest surivival time since it just announces itself and the user starts running off to try to remove it. Rootkit technology just makes it harder to remove....

I do not want to comment on the 1 in 6 figure though.

Interesting thread over at DSLR boards