U.S. takes the prize for most infected PCs

Microsoft's Security Intelligence Report paints disturbing picture of widespread botnets -- but do Redmond's counting methods reflect reality?

Microsoft has released its semi-annual summary of security problems, solutions, insights, and recommendations known as the Security Intelligence Report, which is a distillation of the experiences from Microsoft's Malware Protection Center, Security Response Center, and Security Engineering Center. The report covers January through June of 2010, and it holds all sorts of surprises.

Of roughly 600 million distinct PCs scanned worldwide in the first quarter of 2010, Microsoft found infections on more than 11 million in the United States. (The report assigns each PC to a country using the location setting in the Windows Control Panel, a user-configurable value that reflects how the machine is set up rather than where it physically sits.) By the second quarter, the U.S. figure had fallen 12.8 percent, to 9.6 million.


The United States had the highest number of infections of any country, followed by Brazil and then China. That might seem a surprising result, until you discover that Microsoft reported the United States, Brazil, and China as the top three in the Security Intelligence Report covering the second half of 2009 as well. There seems to me to be a bit of bias floating around.

Microsoft's infection statistics come from scans by Microsoft Security Essentials (MSE), the closely related Malicious Software Removal Tool (MSRT), Forefront Client Security, and a handful of lesser or obsolete products (Windows Defender and Windows Live OneCare, to name two). MSE and MSRT are great tools, but they are neither infallible nor universal. There's an inherent sampling bias: PCs that are less likely to run MSE and/or MSRT (I won't mention Windows XP SP2 by name) are under-represented in the results. That's a considerable bias, because two-thirds of all Windows PCs still run Windows XP.

There are biases in the other direction, too. Countries that adopted Microsoft Security Essentials early on, such as the United States, China, and Brazil, probably show higher levels of reported infections simply because the measuring tools there have spread to a larger percentage of PCs: more scanners running means more infections found, whatever the underlying infection rate.

This latest Security Intelligence Report focuses on botnets. But it doesn't try to count botnet infections the way other researchers count -- by, say, tallying the number of active botnet command-and-control (C&C) servers or counting distinct IP addresses exhibiting botnet behavior. It simply counts the number of infected PCs detected by Microsoft Security Essentials and MSRT.

Every counting method has its limitations, and botnet zombie counters face problems galore. (The Damballa blog called "The Day Before Zero" gives many examples.) So before you take the numbers too seriously, remember you're looking at the results of Microsoft Security Essentials and MSRT scans, which don't necessarily reflect reality -- or, more charitably, reflect a certain ill-defined subset of reality.

The report shows that MSRT cleaned more than 2 million bots in the United States in each of the first and second quarters of 2010. Normalized for how often the tool actually runs, that works out to 5.2 PCs cleaned of bots for every 1,000 MSRT scans in the United States (the report's "computers cleaned per mille," or CCM, figure).

Korea didn't fare as well; according to MSRT statistics, for every 1,000 PCs scanned by MSRT in Korea, 14.6 were infected by bots.
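The contrast between the raw counts and the per-1,000 figures is the methodological point of the preceding paragraphs: a raw "most infected PCs" tally rises with the number of scanners deployed, while a per-mille rate does not. The following worked example is added here and is not code from Microsoft or the report; all figures in it are constructed to mirror the shape of the numbers above (a country with wide scanner coverage and a 5.2 rate, one with narrow coverage and a 14.6 rate) and the CCM-style rounding to one decimal is an assumption.

```python
"""Raw detection counts versus per-1,000 rates: how scanner coverage
skews the former but not the latter.

Added example; not from the Security Intelligence Report or the article.
All telemetry below is constructed for illustration."""

from collections import namedtuple

# One row of scanner telemetry: country label, number of scans reported
# from that country, and how many of those scans found a bot.
Telemetry = namedtuple("Telemetry", ["country", "scans", "detections"])

# Constructed sample (not SIR data). "A" has the widest scanner coverage
# but the lowest infection rate; "B" has a tenth of the coverage and the
# highest rate; "C" sits in between.
SAMPLE = [
    Telemetry("A", 400_000_000, 2_080_000),   # 5.2 per 1,000 scans
    Telemetry("B", 40_000_000, 584_000),      # 14.6 per 1,000 scans
    Telemetry("C", 120_000_000, 900_000),     # 7.5 per 1,000 scans
]


def per_mille(t):
    """Detections per 1,000 scans, rounded to one decimal (the shape of
    the report's computers-cleaned-per-mille figure; rounding assumed)."""
    if t.scans == 0:
        raise ValueError(f"{t.country}: no scans, so the rate is undefined")
    return round(1000 * t.detections / t.scans, 1)


def rank_by_raw(rows):
    """Rank countries the way a raw 'most infected PCs' headline does."""
    return [t.country for t in sorted(rows, key=lambda t: t.detections, reverse=True)]


def rank_by_rate(rows):
    """Rank countries by per-1,000 rate, which is what CCM compares."""
    return [t.country for t in sorted(rows, key=per_mille, reverse=True)]


def pct_change(old, new):
    """Quarter-over-quarter change in percent, rounded to one decimal."""
    return round(100 * (new - old) / old, 1)


def simulate_raw_count(installed_pcs, scanner_coverage, true_rate_per_mille):
    """Raw detections a scanner would report if `scanner_coverage` (0..1)
    of `installed_pcs` ran it and the true bot rate were
    `true_rate_per_mille`. Detection is assumed perfect: the point is that
    the raw count scales with coverage while the rate stays put."""
    scans = int(installed_pcs * scanner_coverage)
    detections = int(scans * true_rate_per_mille / 1000)
    return Telemetry("sim", scans, detections)


if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.country}: {t.detections:>10,} detections, "
              f"{per_mille(t):>5} per 1,000 scans")
    print("raw ranking :", rank_by_raw(SAMPLE))    # A leads on raw count
    print("rate ranking:", rank_by_rate(SAMPLE))   # B leads on rate

    # Two populations with the same true bot rate but different scanner
    # adoption: the early adopter reports four times as many infections.
    early = simulate_raw_count(200_000_000, 0.80, 6.0)
    late = simulate_raw_count(200_000_000, 0.20, 6.0)
    print("early adopter:", early.detections, "raw,", per_mille(early), "per 1,000")
    print("late adopter :", late.detections, "raw,", per_mille(late), "per 1,000")
```

Run as a script, the raw ranking comes out A, C, B and the rate ranking B, C, A: the same telemetry supports a "most infected PCs" headline for A and a "most infected per capita" headline for B, which is why the per-1,000 figure is the one to compare across countries with different scanner adoption.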

In the first half of 2010, the Rimecud bot family took top prize worldwide, with 3.6 million PCs cleaned by MSRT. Alureon came in second, with 2.5 million.

Earlier this week, I reported that Microsoft had just added ZeuS/Zbot detection and eradication to MSRT, following a Microsoft announcement to that effect. Imagine my surprise when I found in the Security Intelligence Report that Microsoft claims it discovered and cleaned 240,000 Zbot-infected PCs worldwide in the first half of 2010. That compares with an estimated 3.6 million ZeuS-infected PCs currently running rampant in North America. There's no indication why Microsoft would announce that Zbot detection is new, on the one hand, then publish historic removal statistics, on the other.

Conficker continues its reign as the No. 1 infection on corporate (domain-joined) PCs. The report says that more than 20 percent of all infected PCs connected to a domain were infected with Conficker.

The report gives an extensive list of actions your company can take to protect against malware of all types. Start on Microsoft's Protecting Your Organization page.

This article, "U.S. takes the prize for most infected PCs," was originally published at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.