Antimalware Team Releases MSRT White Paper

Hello there. I'm writing to you from the Microsoft TechEd conference in Boston. This event attracts over 10,000 attendees interested in learning about current and future Microsoft products. It's also a great place for getting feedback from our customers and we'll share some of that feedback next week.

Yesterday, the Microsoft Antimalware team released a new white paper entitled "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". The paper highlights Microsoft's uniquely broad understanding of the malware landscape, illustrating how the tool has removed 16 million pieces of malicious software from 5.7 million unique computers from January 2005 to March 2006. On average, the tool has removed at least one instance of malicious software from every 311 computers it has run on. A core objective of Microsoft's release of the tool is reducing the impact of malicious software on Windows customers and the report describes how removals of 41 of the 61 malware families have decreased with 21 of those families exhibiting a decrease by more than 75%.

The report goes on to highlight several trends related to malicious software categories, such as backdoor Trojans (including bots) and rootkits. For example, of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of the cases. We have noticed that there has been some confusion over this statistic, so, to be clear, keep in mind that this percentage is of the population of infected computers. In other words, when the tool does find an instance of malware on one of every 311 computers, there is a 62% chance it will be a backdoor Trojan. This statistic does not mean that the tool has removed a backdoor Trojan from 62% of the computers the tool has run on.

What does this mean for our customers? Our goal is to provide our customers and partners with an accurate understanding of the types of threats that exist so they can take appropriate action to ensure that they are protected. It also means that we're able to use this data, and data gathered from other resources, to continually evolve our understanding of the malware environment and to continually improve the way we respond to customers when faced with malicious threats.

We hope that you find the data and guidance provided by the paper interesting and actionable. Any feedback is welcome and will be taken into consideration for future threat reports produced by the Microsoft Antimalware team.

-Matt

PS Below find a picture of some of the antimalware team at TechEd. From left to right: Adam Overton (Group Program Manager), Mike Chan (Senior Product Manager), Matt Braverman (Program Manager), Jason Joyce (Program Manager), and Sterling Reasor (Program Manager).

Comments

  • Anonymous
    June 13, 2006
    Keep up the great work!
  • Anonymous
    June 14, 2006
    So what's up with the Windows Defender XP version? I really like this software. Is there any good news for beta 2 users?
  • Anonymous
    June 15, 2006
    When is the next beta of Windows Defender coming out for Windows XP? Is it before or after they release Windows Vista RC1?
  • Anonymous
    June 20, 2006
    Raw statistics naturally exist but, due to the magnitude and complexity of the data, it is not practical to make them available broadly verbatim. If you have specific questions / goals in what you're trying to understand, please send me a mail at mattbrav@microsoft.com.

    With respect to the "Computers" note, there is no discrepancy. The 5.7 million figure is the number of unique computers across all families. As there will be computers infected with more than one family, it makes sense that the sum of the statistics in Figure 5 is greater than 5.7 million.
  • Anonymous
    June 22, 2006
    There's a minor statistical error on page 10 of the whitepaper. "Using the data in Figure 4, we can determine that the average number of unique malware variants removed per computer is 1.59. In other words, the tool is slightly more likely to remove more than one malware variant per computer than just one variant." The first does not imply the second. In fact, in 67.3% of cases where malware was removed, only one variant was removed. In this situation, you have a heavily weighted distribution, and thus the average and the median do not coincide.

    All in all, though, it is a well written paper.

    --Toby Ovod-Everett