funsec mailing list archives
Re: Nice RBN/Storm worm writup in חנוכה-X/X-Mas Blog
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 11 Jan 2008 14:36:44 -0500
On Jan 10, 2008 11:34 PM, Jeff Williams <Jeff.Williams () microsoft com> wrote:
> We blogged about it the first month we added it. We've continued to update as new versions come out but I don't have the numbers handy right now as I'm at home.
>
> In September we removed Nuwar from 274,372 machines during the first 9 days MSRT was available. What's more interesting in my opinion is that this volume is significantly lower than Zlob and Renos which, in the same period, clocked in removals from around 660k unique computers (each) yet folks don't talk about those families nearly as much as Nuwar.
>
> MSRT runs on between 350 million and 400 million systems which, I think, is about 1 in 3 Windows systems. If you try to extrapolate out from there to get a total size keep in mind that there will be a couple of skews to the data in the sense that MSRT does not run on older platforms, Nuwar may be more effective on one platform than it is on another, there are likely geographic distribution considerations with Nuwar that don't align with the geographic distribution pattern of different versions of Windows and people who run MSRT are also generally applying security updates given that the primary distribution method for MSRT is through WU/AU (or, more to the point, people not running MSRT probably also are not applying updates).
Thanks for the information Jeff! :-) I didn't know there were that many computers out there.

The numbers still don't add up, so I guess that the Oct-Dec MSRT have millions of Nuwar removals then?

I guess the top priority of malware authors and bot herders is now disabling MSRT as well as Windows Update. I guess one could track the spread of bots in the future by seeing the number of computers that used to run MSRT each month and taking notice if the number drops significantly.

Thanks again for the numbers!

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.