A recent study conducted by Czech antivirus vendor Avast Software claims a disproportionate percentage of PCs infected with rootkits are running Windows XP. XP accounts for around 58% of all Windows systems in use, but 74% of the rootkit infections found by Avast were on XP machines. This compares with Windows 7, which runs on 31% of all Windows PCs, but only accounted for 12% of rootkit-infected machines.
So is Windows XP particularly vulnerable to
Windows XP remains in general use for a variety of reasons. To begin with, it’s a stable OS, and that’s always a plus with IT administrators, while its successor (Vista) has never received rave reviews for performance or enterprise security. The economic downturn has also made many organizations question the need to upgrade.
When should enterprises upgrade to a new OS rather than continue to support and patch an older but stable version? The best way to answer this is to work backwards from the retirement date for your version of Windows.
However, XP has been around for more than 10 years now, giving malicious hackers plenty of time to work out how to successfully infect the OS with rootkits, which of course are malicious programs or sets of commands hidden within OS file systems as to avoid standard methods of detection. Also, 10 years ago computer users were far less aware of the dangers of connecting and exchanging information over the Internet. One reason the infection rate may still be high is there is widespread use of XP Service Pack 2, which is no longer officially supported by Microsoft, as well as pirated copies. Even though monthly security patches and service packs are available for illegal copies, those using them tend not to install updates to avoid detection.
Windows 7, the 64-bit version in particular, is certainly a more secure OS than any of its predecessors, but when should enterprises upgrade to a new OS rather than continue to support and patch an older but stable version? The best way to answer this is to work backwards from the retirement date for your version of Windows: That is the date Microsoft will stop officially providing support and patches. Microsoft provides support for its consumer operating systems for five years after their general availability (GA) date, while business versions are supported for 10 years, with the last five years classed as extended support.
As an enterprise, you cannot afford to run an unsupported OS, but with knowledge of the retirement date for your OSes you can implement an upgrade plan well in advance. Personally, I never like to upgrade until I can review the comments and experiences of others, and ensure any major problems have been fixed. You might also build this into your timetable. Unless your current OS is particularly vulnerable (you’re running Vista, for example) or the new version is noticeably more secure, there is generally no incentive to upgrade ahead of your planned timetable. This situation can change, however, if a new threat emerges that renders your current systems vulnerable to repeated attacks, and the time and resources required to protect and repeatedly clean them makes an early upgrade more economical, assuming of course the newer version is immune from the new threat.
Problems can arise if you are running legacy systems or fragile assets. Fragile assets are applications and services that regularly cause problems whenever changes are made and require disproportionate amounts of support. Both legacy and fragile applications need to have development programs in place to resolve issues that either make them fragile or unable to run on newer OSes. Without such an upgrade program in place, the cost of maintaining them will continue to consume even greater amounts of your IT budget.
Just upgrading to a new OS won’t make your network more secure if it is already riddled with malware and rootkits. Wherever possible, machines being upgraded should have their hard drives completely wiped clean so malware isn’t inadvertently transferred to the new OS. Of course, all data should be backed up off the machines and virus checked before upgrading to the new OS.
If you suspect your system has been compromised and want to take an in-depth look at exactly what is running on your machines, you might want to check out ESET's free SysInspector utility. If you suspect any of your machines are infected with an MBR-based rootkit, you can scrub them with one of several free rootkit detectors, including Avast's aswMBR and Sophos' Anti-Rootkit. If you take these precautions, you will be in a position to take advantage of the new OS knowing you’re starting from a rootkit-free position.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in October 2011