Windows XP a Major Rootkit Target, Study Finds

Dennis Faas's picture

According to new research, three in every four computers with a particular nasty form of malware are running Windows XP.

The report was compiled by Avast Software. The study looked at operating system rootkits in particular. Rootkits are by definition extremely stealthy software that cannot be detected by most forms of anti-virus or anti-malware protection, and thus are very difficult to remove.

There are several ways in which a rootkit can operate stealthily.

One way is to disguise malicious files by compromising the file management system, such as Windows Explorer. In this way, the operating system doesn't recognize anything is wrong, though it's possible that a stealthy rootkit is monitoring the user for sensitive information and relaying that information to a third party (for example).

Another is to use a "bootkit" approach, which means that the rootkit begins operating the moment the computer is switched on, and before the operating system itself has begun running. In this case, the operating system and anti-virus or anti-malware programs are unable to detect or remove the program because infection has already been established.

Windows XP Particularly Vulnerable

According to Avast, which looked at 600,000 Windows machines belonging to its customers, 74 per cent of those with a rootkit infection were running XP; that compares to 38 per cent of all machines. It's worth noting that of the machines Avast looked at, 49 per cent were running XP, so the system was overrepresented in the study.

Around one-third of those XP users are running editions other than Service Pack 3, which is the only one still supported by Microsoft and receiving security updates. Avast believes that may be because many are running counterfeit copies and fear being caught out if they upgrade to service pack 3. (Source:

Windows 7 64-Bit Most Resilient

The company also noted that the 64-bit edition of Windows 7 is particularly resistant to rootkits as it includes additional security tools that run between the operating system kernel, which is the centre of an operating system, and the drivers, which connect the system to software applications and hardware devices.

However, some of the machines it looked at did have such infections, and rootkit developers appear determined to target even newer and better-protected machines.

Indeed, a rootkit was used to set up a network of infected machines known as TDL4 that some analysts have described as indestructible. That's possibly an overstatement, though it does look to be considerably harder to track and destroy that many botnets. (Source:

Rate this article: 
No votes yet