How prevalent is malware on Windows PCs?

What percentage of PCs in the United States are infected with malware? If you’ve been following the mainstream press recently, you might have read an alarming statistic: “Nearly half of personal computers in the U.S. are compromised by malware.”

That statement is an outright fabrication. It is not true. It is not even remotely accurate, based on objective data. The actual number varies, depending on where you are in the world, but for Windows users who have automatic updates turned on, the worldwide average is somewhere between 1% and 2%. In my opinion, if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%.

And yet that alarming and bogus 50% number was stated as if it were a fact in a feature story last week at CNNMoney.com. That story has so far been recommended by 371 people on Facebook. The same “fact” was repeated in a variety of other online sources, including thestreet.com, CNBC.com, businessweek.com, businessinsider.com, and boston.com, to name just a few.

It hit my radar when I saw the number quoted in a tweet from Mark Russinovich, a Technical Fellow at Microsoft and one of the smartest people I know.

My first reaction was “Oh really?” My second reaction was to do some research.

It took me less than 15 minutes to knock down this story, which is just the latest example of a depressing truism: If you give the mainstream press a computer story, you can usually count on them to get it wrong. If you give them a sexy press release with a provocative number, you can cinch the deal.

This case starts with a press release from Staples, dated April 5, 2011. Here’s the part that sucked in that CNN staff writer:

A common misconception uncovered in the IT IQ survey is that we falsely presume our computers are well-protected from the viruses, spyware, and other malware that put our personal information at risk and decrease performance. 83 percent of the survey respondents stated that they are somewhat or very confident their computer is free of malware. Yet, nearly half of personal computers in the U.S. are compromised by malware.*

That asterisk was in the original. It leads to this footnote at the bottom of the press release:

*According to findings released by PandaLabs in February 2011.

There’s no link to that study, but it took only seconds to find the original report from Panda Security:

According to data gathered by the free online antivirus Panda ActiveScan, 50 percent of scanned computers were infected with malware, mostly Trojans.

So, the sample consists of people from around the world who were suspicious that their computers were infected and went to an online virus scanner? That’s a far cry from “nearly half of all computers in the U.S.” (Amusingly, a commenter on the Panda blog points out that the sample is “highly flawed,” and a response from Panda Security acknowledges that fact: “[T]he data are taken from our online scanner ActiveScan. … Some people may think that the result is biased because some of those users suspect that they could be infected, which in fact is true.”)

Update 19-Apr: In response to this post, a spokeperson for Panda Security just contacted me. The company has edited the misleading headline on the press release to more accurately reflect its contents. The original headline read “In January, 50 percent of computers worldwide were infected with some type of computer threat.” The revised headline reads: “In January, 50 percent of computers scanned by Panda ActiveScan worldwide were infected with some type of computer threat.”

So why does Panda want to publish such an alarming and yet admittedly incorrect number? Because they’re trying to scare the crap out of you so they can sell antivirus software. Why does Staples want so spread that frightening but bogus statistic? Because they’re trying to scare the crap out of you so they can sell their EasyTech services. The original press release isn’t even subtle about it: “Our certified EasyTech associates are highly trained with expertise in diagnostics, repair, virus/malware removal and data back up solutions to name a few.”

The best numbers I’ve seen from an independent source (i.e., one that isn’t trying to sell a security product) are in Microsoft’s annual Security Intelligence Report. The Malware Trends section of the most recent report contains telemetry data drawn from more than 600 million Windows computers worldwide by a number of different Microsoft security tools and services, including the Malicious Software Removal Tool (which is included with automatic Windows updates every month), the free Microsoft Security Essentials and Windows Defender programs, and Microsoft’s enterprise security software.

According to the most recent data, covering a one-year period that ended in mid-2010, the five worst locations in the world (in terms of active malware infections that had to be cleaned) were Turkey, Spain, Korea, Taiwan, and Brazil. The infection rates for those regions varied from quarter to quarter, but they ranged from 30 to 60 infections per 1000 computers—worldwide, the number is roughly 10 infections cleaned per 1000 PCs. That’s about 1% on average, and about 6% in the worst cases. Update: Although the MSRT doesn’t remove every species of malware, it covers every widespread family—more than 150 in all—so I expect its figures to be representative of general infection rates.

If you use Windows and you have automatic updates turned on, you’re in that sample. If you’re even moderately cautious about how you use the Internet, your risk of infection is probably well below the midpoint of that sample.

Obviously, the rate of malware infection is unknown (and probably considerably higher) for people who refuse to update their computers. But those people are unlikely to pay a tech at Staples to clean up their PC.

I’ll leave the last word with Russinovich. When I pointed out the flaws in the study to him, responded, via Twitter: “Wow, typical mainstream press idiocy.”

Exactly.