How prevalent is malware on Windows PCs?

How prevalent is malware on Windows PCs?

Summary: I read an alarming statistic recently: "Nearly half of personal computers in the U.S. are compromised by malware." Thankfully, that statement is not true. It is not even remotely accurate. So how did it get onto the mainstream media, and what's the real number?

SHARE:
242

What percentage of PCs in the United States are infected with malware? If you’ve been following the mainstream press recently, you might have read an alarming statistic: “Nearly half of personal computers in the U.S. are compromised by malware.”

That statement is an outright fabrication. It is not true. It is not even remotely accurate, based on objective data. The actual number varies, depending on where you are in the world, but for Windows users who have automatic updates turned on, the worldwide average is somewhere between 1% and 2%. In my opinion, if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%.

And yet that alarming and bogus 50% number was stated as if it were a fact in a feature story last week at CNNMoney.com. That story has so far been recommended by 371 people on Facebook. The same “fact” was repeated in a variety of other online sources, including thestreet.com, CNBC.com, businessweek.com, businessinsider.com, and boston.com, to name just a few.

It hit my radar when I saw the number quoted in a tweet from Mark Russinovich, a Technical Fellow at Microsoft and one of the smartest people I know.

My first reaction was “Oh really?” My second reaction was to do some research.

It took me less than 15 minutes to knock down this story, which is just the latest example of a depressing truism: If you give the mainstream press a computer story, you can usually count on them to get it wrong. If you give them a sexy press release with a provocative number, you can cinch the deal.

This case starts with a press release from Staples, dated April 5, 2011. Here’s the part that sucked in that CNN staff writer:

A common misconception uncovered in the IT IQ survey is that we falsely presume our computers are well-protected from the viruses, spyware, and other malware that put our personal information at risk and decrease performance. 83 percent of the survey respondents stated that they are somewhat or very confident their computer is free of malware. Yet, nearly half of personal computers in the U.S. are compromised by malware.*

That asterisk was in the original. It leads to this footnote at the bottom of the press release:

*According to findings released by PandaLabs in February 2011.

There’s no link to that study, but it took only seconds to find the original report from Panda Security:

According to data gathered by the free online antivirus Panda ActiveScan, 50 percent of scanned computers were infected with malware, mostly Trojans.

So, the sample consists of people from around the world who were suspicious that their computers were infected and went to an online virus scanner? That’s a far cry from “nearly half of all computers in the U.S.” (Amusingly, a commenter on the Panda blog points out that the sample is “highly flawed,” and a response from Panda Security acknowledges that fact: “[T]he data are taken from our online scanner ActiveScan. … Some people may think that the result is biased because some of those users suspect that they could be infected, which in fact is true.”)

Update 19-Apr: In response to this post, a spokeperson for Panda Security just contacted me. The company has edited the misleading headline on the press release to more accurately reflect its contents. The original headline read "In January, 50 percent of computers worldwide were infected with some type of computer threat." The revised headline reads: "In January, 50 percent of computers scanned by Panda ActiveScan worldwide were infected with some type of computer threat."

So why does Panda want to publish such an alarming and yet admittedly incorrect number? Because they’re trying to scare the crap out of you so they can sell antivirus software. Why does Staples want so spread that frightening but bogus statistic? Because they’re trying to scare the crap out of you so they can sell their EasyTech services. The original press release isn’t even subtle about it: “Our certified EasyTech associates are highly trained with expertise in diagnostics, repair, virus/malware removal and data back up solutions to name a few.”

The best numbers I’ve seen from an independent source (i.e., one that isn’t trying to sell a security product) are in Microsoft’s annual Security Intelligence Report. The Malware Trends section of the most recent report contains telemetry data drawn from more than 600 million Windows computers worldwide by a number of different Microsoft security tools and services, including the Malicious Software Removal Tool (which is included with automatic Windows updates every month), the free Microsoft Security Essentials and Windows Defender programs, and Microsoft’s enterprise security software.

According to the most recent data, covering a one-year period that ended in mid-2010, the five worst locations in the world (in terms of active malware infections that had to be cleaned) were Turkey, Spain, Korea, Taiwan, and Brazil. The infection rates for those regions varied from quarter to quarter, but they ranged from 30 to 60 infections per 1000 computers—worldwide, the number is roughly 10 infections cleaned per 1000 PCs. That’s about 1% on average, and about 6% in the worst cases. Update: Although the MSRT doesn't remove every species of malware, it covers every widespread family—more than 150 in all—so I expect its figures to be representative of general infection rates.

If you use Windows and you have automatic updates turned on, you’re in that sample. If you’re even moderately cautious about how you use the Internet, your risk of infection is probably well below the midpoint of that sample.

Obviously, the rate of malware infection is unknown (and probably considerably higher) for people who refuse to update their computers. But those people are unlikely to pay a tech at Staples to clean up their PC.

I'll leave the last word with Russinovich. When I pointed out the flaws in the study to him, responded, via Twitter: "Wow, typical mainstream press idiocy."

Exactly.

Topics: Hardware, CXO, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

242 comments
Log in or register to join the discussion
  • RE: How prevalent is malware on Windows PCs?

    There was a time--oh, say when Outlook Express got in a message claiming to have a background sound file to be played and said to itself "Hmmm, this sound file is executable. I should run it" when things were "a little worse" than they are now.

    Or when you could get a file with a malicious Window Definition resource onto a Mac (including one that came on a magazine CD which I evaded by being months behind reading the magazine).

    But now, not so much. (The recent flurry of Excel bearing bad Adobe things helped the faulty news spread, of course.)
    John Baxter
    • RE: How prevalent is malware on Windows PCs?

      during the past two months, my desktop has been hit by at least 24 Malwares, my wife's laptop 20. Most of these came from facebook.

      Lester Prehlm
      lprehm
      • RE: How prevalent is malware on Windows PCs?

        @lprehm@... Your fault. Set your Facebook security up a little and quit using it like a 9 year old.
        BigJohnLg
      • Stop clicking on everything!

        @lprehm@... That's all the advice I can give you, because that's just crazy.
        lostarchitect
      • Lester seems to be more like the average PC user...

        @lprehm@...
        than not. Believe it or not, there are people who don't work in IT who own a computer. I clean a dozen PCs a month, and it's just something I do as a courtesy for friends and family. People who have kids are especially prone to needing their PC cleaned on a monthly basis at a minimum.
        jasonp9
      • RE: How prevalent is malware on Windows PCs?

        @jasonp...

        Clearly you don't work in IT, or at least not one that does it's job. With very little effort you could set up the children with their own accounts that wouldn't be able to infect the PC. It works for everyone I've done it for. Infections are very rare these days and are almost always user error. If you were doing your job you wouldn't be cleaning "dozens of PCs a month".
        LiquidLearner
      • RE: How prevalent is malware on Windows PCs?

        @jasonp@... [i] I clean a dozen PCs a month, and it's just something I do as a courtesy for friends and family.[/i]

        Standard user accounts.... use them. One administrator account that is only used when necessary is plenty. Along with a hardware firewall, and a decent anti-virus will save you a lot of those trips.

        Unless of course you get a good meal, and a case of beer out of it or something. Then just keep doing what you're doing.
        Badgered
      • RE: How prevalent is malware on Windows PCs?

        @lprehm@...
        If in the last 2 months you and your wife have had 44 malwares (first of all how do you even know it came from facebook or are you assuming or using false logic to come to the conclusion). I suggest you and your wife take a long hard look at your history and see where you and people in your household have been surfing to.

        More than likely you were already infected a long time ago and your zombie machines are now gathering additional friends.

        Unless one of you have been visiting "special" sites for adults or looking for illegal software your chances of getting malware is 0.09%. Its actually very hard to accidentally go to a bad site these days.

        I routinely intentionally start up virtual machines and go searching for sites with malware to measure my own defenses. Browsers/firewalls have gotten so good its actually hard for me to find sites with good malware. Most of them are laughable now.
        rengek
      • You actually have to try to get Facebook viruses

        @lprehm@...
        and after you get one...
        tech_walker
      • Try using common sense and ...

        @lprehm@...
        An AV program. I use FB and experience no such problems. Its as simple as that.

        If your getting hit by that much malware then your doing something horribly wrong somewhere.
        Cayble
      • RE: How prevalent is malware on Windows PCs?

        jasonp@...
        Ya, I deal closely with hoards of the computer "unsavvy" and sorry to say that even the vast majority of them have known for some time now clicking on everything that comes your way is a no no.

        Properly set up AV and anti spyware block all but the most uncommon forms so the people who own the dozen PC's a month you clean out are still being stupid to the degree of even well below the typical uneducated masses.
        Cayble
      • a lot of scanners have pretty broad definitions of malware

        @lprehm@... <br><br>many virus/malware scanners classify everything as a threat in summaries. this includes cookies with the POTENTIAL to track. i use both a Norton security suite and MalWare bytes and unless i delve in to actually look at the details i really don't know what they are. all i see is a line that says X number of security threats have been removed. among these are cookies my bank leaves and other sites i pay utility bills on and some of the sites where i shop. it also seems the definition of a Trojan is pretty broad anymore.<br><br>as to Facebook- i preach to my friends and family who use it that all those cute little games and innocent apps grant access to your FB info in spite of what your security settings are. i also recommend never clicking on links when you get FB notifications in emails. i recommend opening a browser, navigating to FB that way and logging in them checking notifications and requests from your home page. people have become pretty good a spoofing FB notifications and so many people i know who get infected get a friend request from someone they don't know and immediately click the link to see who this person is. the malware writers do steal real identities of FB members so those people often don't know their IDs are being used for ill things.<br><br>and you said "hit" which means what? that malware successfully installed on your PC or it was thwarted? the former means you have issues likely associated with poor practices of some sort. the latter means you have been protected. this article doesn't say bad stuff isn't out there- it says people and software are getting better at protecting their computers.
        jhand47201
      • RE: How prevalent is malware on Windows PCs?

        this is a very useful blog for the upcoming businesses . the points that are listed are grea . For any business goal setting and developing
        a plan are very essential and are the basis for the success.i will be applying these tips in my business . thank you.<a href="http://www.chatrium.com/chatrium_emporium/">sukhumvit hotels</a>
        Amanda123456
    • RE: How prevalent is malware on Windows PCs?

      @John Baxter - Ed is such a whiner! If windows can only be secured by IT professionals that does not make it a secure OS! That 50% cited is because 80% of Windows OS users are NOT IT professionals and don't know how to figure out firewalls, etc.

      Make the OS secure for dummies, like Mac OSX. Then, and only then, will the number of malware infected Windows boxes drop.

      Mac boxes have the 2% Ed quoted. Not Windows.
      The Danger is Microsoft
      • RE: How prevalent is malware on Windows PCs?

        @The Danger is Microsoft OSX is security through obscurity and that does not make it more secure.
        jatbains
      • RE: How prevalent is malware on Windows PCs?

        @The Danger is Microsoft <br>Windows is fantastic, but....<br><br>The Danger Is Microsoft has an indirect point. Isn't it about time the Windows OS at least featured a "Sandboxed mode" (i.e. limited simplicity like OSX) ? Perhaps an activated built-in Windows Steadystate feature? When you are installing something permanently or manually making an actual system change, it should prompt for a password (like sudo). In this way, unauthorised programs that makes permanent registry/system changes (i.e. viruses), would be undone with a simple reboot.<br><br>Any takers?
        12312332123
      • RE: How prevalent is malware on Windows PCs?

        @Traxxion
        Windows does have a "sandboxed mode". It's called setting up a normal user account. That account must approve any changes or application installs by entering the administrator password before the change can be completed...Just like SUDO. One thing that helps tremendously is to set up a Windows Home Server to back up all the PCs in the house. That way, if I get hit by malware or my machine gets flakey after installing a new application, I can just do a restore from the day before and it's all gone. Don't have to worry about how well my AV software cleaned it out .
        DT2
  • RE: How prevalent is malware on Windows PCs?

    While I agree with the analysis that the statement is exaggerated, it does not change the fact that 98% of the PC's which do not use windows update and perhaps the 50% which does not have antivirus are susceptible to easy exploitation. So if the infection rates are 6% tops, let say we are lucky - Lucius (http://luciusonsecurity.blogspot.com)
    lucius_lobo
    • RE: How prevalent is malware on Windows PCs?

      @lucius_lobo@...
      Once again here is a number with no source, where did you get the this 'fact' from? "98% of PCs do not use Windows Update" That's what got us into this in the frist place.
      pllamonica9
      • RE: How prevalent is malware on Windows PCs?

        @pllamonica@... <br><br>To be fair, he said "98% of [b]the[/b] PCs <b>which</b> do not use Windows Update"<br><br>The 98% still sounds like something he pulled out of a small, dark place, however.
        Hallowed are the Ori