funsec mailing list archives

Re: Nice RBN/Storm worm writup in חנוכה-X/X-Mas Blog


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 11 Jan 2008 14:36:44 -0500

On Jan 10, 2008 11:34 PM, Jeff Williams <Jeff.Williams () microsoft com> wrote:
> We blogged about it the first month we added it.  We've continued to update as new versions come out but I don't have 
> the numbers handy right now as I'm at home.  In September we removed Nuwar from 274,372 machines during the first 9 
> days MSRT was available.  What's more interesting in my opinion is that this volume is significantly lower than Zlob 
> and Renos which, in the same period, clocked in removals from around 660k unique computers (each) yet folks don't 
> talk about those families nearly as much as Nuwar.
>
> MSRT runs on between 350 million and 400 million systems which, I think, is about 1 in 3 Windows systems.  If you try 
> to extrapolate out from there to get a total size keep in mind that there will be a couple of skews to the data in 
> the sense that MSRT does not run on older platforms, Nuwar may be more effective on one platform than it is on 
> another, there are likely geographic distribution considerations with Nuwar that don't align with the geographic 
> distribution pattern of different versions of Windows and people who run MSRT are also generally applying security 
> updates given that the primary distribution method for MSRT is through WU/AU (or, more to the point, people not 
> running MSRT probably also are not applying updates).

Thanks for the information Jeff! :-)

I didn't know there were that many computers out there..

The numbers still don't add up, so I guess that the Oct-Dec MSRT have
millions of Nuwar removals then?

I guess the top priority of malware authors and bot herders is now
disabling MSRT as well as Windows Update. I guess one could track the
spread of bots in the future by seeing the number of computers that
used to run MSRT each month and taking notice if the number drops
significantly..

thanks again for the numbers!

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

