Windows malware: are you safer today than you were 10 years ago?

Summary: In 2002, after a series of widespread, high-profile, and highly embarrassing Windows-related security incidents, Bill Gates wrote his now famous "Trustworthy Computing" memo. So what's happened in the intervening 10 years? Plenty. Take a trip with me down bad memory lane...

They don’t make malware like they used to.

That’s not a setup for a joke—it’s a fact. As I was researching some recent columns on malware outbreaks for PCs and Macs, I found myself reading old articles about computer security from the beginning of the 21st Century. Some of those articles and the threats they describe seem downright quaint in retrospect, while others were positively prescient.

During my research, I bookmarked a lot of web pages and made copious notes about threats that gave IT professionals ulcers and PC support staffs headaches in their time. And it struck me that the cat-and-mouse game between malware authors and their targets has evolved dramatically during that time.


In depth: Ten years of Windows malware and Microsoft's security response

Take a trip down bad memory lane and revisit some of the worst offenders of the last decade, from primitive but effective early efforts like Blaster (2003) and Zlob (2005) to more deadly modern threats like the Zeus botnet and the Alureon (aka TDL4/TDSS) rootkit. During that same time, Microsoft was introducing its Patch Tuesday update program, the Malicious Software Removal Tool, and a variety of legal and technical efforts that effectively neutralized some threats.

My timeline puts the bad guys’ work and Microsoft’s response into perspective. Here, for example, are the telltale markers of the Blaster worm and the XP SP2 Security Center, side by side:


My decision to go back 10 years is no accident. One of the watershed events in the ongoing battle between the white hats and black hats of PC security happened exactly a decade ago.

In January 2002, after a series of widespread, high-profile, and highly embarrassing security incidents that affected Windows customers and Microsoft itself, Bill Gates wrote his now famous “Trustworthy Computing” memo. Although it was viewed with some skepticism at the time, it really did represent a turning point for Microsoft and for Windows users.

Until that point, security was literally an afterthought. As a result of the Trustworthy Computing initiative, Microsoft introduced a massive change in the way it develops software. The Security Development Lifecycle has paid off hugely over the last 10 years and has been widely praised and copied.

The bad guys and their products have changed during the same time. At the beginning of the century, the most noteworthy attacks were calculated to wreak havoc and garner worldwide attention. Over the past 10 years, malware authors have gotten more skilled at monetizing their work, and they’ve also learned the benefits of stealth.

In addition to building a more disciplined process for writing secure code, Microsoft has improved its update infrastructure and worked closely with outside security experts and third-party developers to improve the way their products work. Over time, Microsoft has built its own antivirus and network intrusion software; now that the 2001 antitrust agreement has officially ended, that software will finally appear in Windows itself.

Microsoft’s record on security is far from perfect. In Windows XP, for example, it introduced an effective firewall and then chose to leave it turned off by default. That mistake was corrected in XP Service Pack 2. One of the most brutally effective vectors for malware over the past four years has been a feature called AutoRun, which made every USB flash drive a delivery vehicle for the Conficker worm. AutoRun was disabled in Windows 7 by default, but Windows XP and Vista users had to wait until 2011 for a Critical update that blocked that dangerous vector.
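Because the AutoRun vector described above was closed by a policy change rather than by removing the feature, an administrator will want to confirm the setting on any machine still in service. The following is an added check, not code from the article: it reads the NoDriveTypeAutoRun policy value (a bit mask over drive types that the article does not name) from the machine and user policy keys and reports whether removable drives and CD/DVD media are covered.

```powershell
# Added example (not from the article): report whether the AutoRun policy
# on this machine disables AutoRun for removable drives and CD/DVD media.
# NoDriveTypeAutoRun is a bit mask: bit (1 << drive type) set means AutoRun
# is disabled for that drive type; 0xFF disables it for every type.
$RemovableBit = 0x04   # DRIVE_REMOVABLE (2)  -> USB flash drives
$CdRomBit     = 0x20   # DRIVE_CDROM (5)      -> CD/DVD media
$AllDrives    = 0xFF   # every drive type

# Machine policy is checked first; a user policy can only be more restrictive.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicyStatus {
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No explicit policy: the operating system default applies, so the
            # removable-drive vector is only closed if the OS itself closes it.
            [pscustomobject]@{
                Scope            = $path
                Value            = '(not set)'
                RemovableBlocked = $false
                CdRomBlocked     = $false
                AllBlocked       = $false
            }
            continue
        }
        $mask = [int]$item.NoDriveTypeAutoRun
        [pscustomobject]@{
            Scope            = $path
            Value            = ('0x{0:X2}' -f $mask)
            RemovableBlocked = (($mask -band $RemovableBit) -ne 0)
            CdRomBlocked     = (($mask -band $CdRomBit) -ne 0)
            AllBlocked       = (($mask -band $AllDrives) -eq $AllDrives)
        }
    }
}

Get-AutoRunPolicyStatus | Format-Table -AutoSize
```

A row with RemovableBlocked equal to False on a machine that accepts USB media is the condition the article describes; setting the value to 0xFF under the HKLM key closes it for all drive types.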

There is no question that you are more secure using a modern version of Windows than you were in 2002 using the initial release of Windows XP. At the same time, attackers are more sophisticated and more focused on financial gain.

To learn how we got here, please continue reading: Ten years of Windows malware and Microsoft's security response

Talkback

131 comments
  • Linux?!

    Once again, consider this post my topical application of troll repellent.

    Linux is a very useful operating system, and Linux users are unquestionably safer than Windows users if only because malware authors won't bother with a target that small.

    The trouble is, business networks worldwide run on Windows, and consumer PCs are still dominated by Windows. This post reflects that reality.

    Anyway, if you want to post an off-topic comment about Linux, please reply to this post and leave the rest of the Talkbacks to actual discussion of what's in this post.

    Thanks!
    Ed Bott
    • Keeping Talking Ed

      You might believe your own propaganda

      "because malware authors won't bother with a target that small"

      Just because you don't write books on Linux (or any other OS or S/W stack), it doesn't mean to say it's not a multi-billion dollar industry.
      Alan Smithie
      • You might believe your own propaganda, too.

        [i]Just because you don't write books on Linux (or any other OS or S/W stack), it doesn't mean to say it's not a multi-billion dollar industry.[/i]

        I haven't heard about Linux being on 90% of the world's computers.

        Lamborghini has 90 million in revenue, Ferrari much more. A billion-dollar industry right there. But I never really pass any of them on the road, so I'm not sure how many are out there, if at all. I wonder: if I were to target a particular brand of car, should I go with those, or maybe Chevy?

        Which one would I have a better chance of getting my hands on?
        William Farrel
        • Sure sure (a year later)

          Over a year from your post, I still find it so laughable that there are ignorant people like you who don't understand that Linux has a wider user base than Microsoft has. In consumer computer markets Linux has over twice the market share that Microsoft has.

          Internet servers, intranet servers, embedded systems, supercomputers, etc. are dominated by Linux.

          There is not a single piece of malware for Linux that has caused even faintly the same epidemics that Microsoft customers have suffered, and that while Linux has dominated every key position for the last 10 years.

          Why is Windows targeted? Because it is popular? That is BS.
          Windows was targeted because it was A HOLE covered by tin, and people thought it was a tin bucket with a small hole in it.

          Look at history: after Windows Vista the amount of malware for Windows has dramatically dropped. Why? Welcome UAC. Welcome enforced user accounts. Welcome enforced security, where the NT operating system was rewritten, removing IE and other crap, in project MinWin. The NT operating system size (executable code) was resized from 1.5GB to 40MB. They needed to remove all those dependencies to get NT more secure. Linux has never had such a terrible design, as Linus and other hackers have kept it clean from idiots who would have thought it a good idea to make the web browser libraries part of an operating system, so that a hole in those libraries was executed by the OS with the highest permissions.

          http://www.youtube.com/watch?v=yVpbFMhOAwE
          Fri13
      • Mr. Farrel...

        Linux runs all of the biggest stock exchanges, most of the biggest bank back ends, most of the largest insurance companies back ends.

        That's a multi-trillion dollar target. Yet, Linux keeps on keeping on. If Mr. Bott is right, and the 'Bad Guys' are in it for the money, then Linux is where the big money is. Why aren't they targeting Linux then?

        Oh, and your figure for computers is for desktop PCs only, and it's too high. Windows desktop share is around 85% according to Microsoft's reports to the US SEC from last year. The 90% figure is several years old.

        Once you expand to computer systems beyond the Desktop, Windows fades rapidly into the background or just plain disappears.

        Scale up or down, and you leave the Windows world. Linux though is always there.

        For the world's computers, what do you consider a computer? Cell phones are computers these days, so is the controller in your Chevy (or your Lamborghini for that matter) and your WiFi router. Those mostly run Linux. Go up. Linux runs on most ARM-based devices, and also most MIPS devices. Get bigger. There is a big Windows bump in the mid range, for PCs. Then Windows fades out again in the server market. Around 30% of small servers run Windows. Around 30% run Unix, and the rest run Linux. Go up again. Large servers, mainframes: Linux, Solaris, HP-UX and z/OS rule. Go up again, and in the big monster machines, it's almost all Linux (95%+ of that market).

        But, why all the desperation? Linux doesn't mind Windows, it just makes Windows unnecessary. Most real Linux users also have Windows on the same machines (probably 3/4 of them). You can transition over at any time. Some things will work better in Windows because the program was written for that OS. Others will work better in Linux, for the same reason. Some tasks are easy in Linux where Windows can't even do that job. When your Windows computer can't do the job, it's time for a bigger machine running Linux. Most workstations run Linux, for instance.

        Just use each for where it fits.

        Take your time, enjoy. When you finally realize you need it, Linux will still be here.
        YetAnotherBob
    • But Linux..

      Has MLE (or something) and, you know, "stuff" that makes it like, super duper secure! It's like 10 years ahead of "Windoze" and is inherently secure! ERRBODY should be using Linux because if they don't they're idiots anyway and deserve to have their stuff wiped by EVIL viruses 'n stuff.
      fer.paredesb@...
    • More info would help users with problems

      You're absolutely right about Linux, Ed, but when we talk of Microsoft improving Windows security we must not be too generous. W98 had a wonderful security feature. I ran without anti-virus for years simply by setting my browser to disallow VB scripts. Basic is still the command line language of Windows, and we are forced to let advertisers and others who may gain by abusing our privacy execute scripts on our desktop.

      Another problem is lack of information. Last year someone brought me a PC (I'm a former networks pro and still do free fixes for friends). This laptop had been invaded and svchost replaced with a malware version. The owner was getting calls saying "Only we can repair your PC" and demands for ridiculous amounts of money.

      This "unremovable" malware took me half an hour to shift, plus a few minutes to start and finish mrt. The process was relatively easy, but how many people would know how to start in safe mode at command level, extract a clean copy of svchost from i386 and simply replace the infected file before cleaning the nasties it had dropped? The laptop is still working fine, and my fee, six bottles of Cotes de Beaune, was very enjoyable.

      The point is that what I did should not be beyond an average user if they had step-by-step instructions, but there is no manual now to encourage people to learn about the system, and genuine info is hard to find on the web.
      greenteeth
      • No Ed's not right

        Ed has no clue about anything other than Windows. That's cool. That's what he prefers, and I have no problem with that. To each his own.

        My problem is when people who are not experts pretend to *be* experts in a field they have little experience with. Ed obviously has little knowledge of Linux or UNIX internals, and he is not the guy you should be listening to in analyzing the benefits (or negatives) of using Linux. There are much more qualified people out there -- you know, people who actually write code and have PhDs in comp-sci.
        KodiacZiller
    • hurray

      Security improved in 10 years, the famous "Trustworthy Computing" of Bill Gates and all. Hurray, hurray.
      And yes, the attackers improved also.
      And the competition, whose clients had fewer problems with security incidents 10 years ago, did improve too.
      Still, let's say hurray. And not consider using any other OS to address this problem. Let's not do what professionals do. Let's not try to save money and time. Because for considering non-Msft solutions we are at once called "troll".

      Most of the advantages of using Msft products come from others than Msft: using standards, learning that system, adapting to changes, programming for that system. Some people find they can better invest in something that they control more, that is more open, that offers them more options.
      somereader
    • Kidding?

      Linux can be relatively safe if SELinux and/or sandboxing or both are used. SELinux is based on serious recommendations of the FBI and similar organizations. MS openly explained that they use a different approach because role-based talk goes over better with execs.

      MS gave up on WinAPI security. For example, a UAC prompt just means: we do not know what is going on, we may be hacked or maybe you have pressed a button. Anyway, let us make you responsible for our greed and stupidity.

      Thus, MS opted for a clean restart with WinRT. It has SELinux-like security and runs type-safe code.

      Thus, I am not safer today, but I may be safer in a year or two.
      gak@...
      • Really

        MIC in Windows (since Vista) provides pretty much the same functionality as SELinux does. A UAC prompt pretty much means that the process being run doesn't have enough rights to do the task, and the UAC prompt (or prompt for userid/pwd if the user that invokes the process isn't in the administrators group) is merely an elevation procedure, pretty much in the same way as me using sudo if a certain action required usage of sudo.
        sjaak327
      • re:Kidding

        I haven't seen anything that says that WP8 will implement SE Linux type protocols. If it's like past attempts, then Microsoft will implement around half of the functionality, and only the weakest half.

        By the way, security is still an impediment to ease of use. Both Microsoft and Apple seem to agree that ease of use is much more important than security.

        What Microsoft seems to be doing is making signed code a requirement. SE Linux goes beyond that. The signed code implementation means that Microsoft can exclude programs that they don't like. It might be a good idea in theory, but past experience is that it won't be well implemented, and will rapidly be worked around. Expect version three of this product to finally make it work sort of like you think it will.
        YetAnotherBob
      • pretty much in the same way as me using sudo

        No it's not. Linux (and Unix) uses a proper standard user account (hence the need to enter a password).
        But Windows doesn't: the default user in Windows 7 has admin rights (hence no need to enter a password), plus that UAC prompt can be bypassed by malware.
        guzz46
    • RE: Linux?!

      That's a "NEVER MIND THE QUALITY, FEEL THE WIDTH" statement. Most of the Internet backbone is based on Linux; Wall Street, the Tokyo and London stock exchanges and many other financial institutions around the world run on Linux.

      If malware writers were interested in making it really big I should think that Linux with the same vulnerabilities as Windows would be a prime target.

      People have been offering that excuse for decades based on waving a wet finger in the air.
      sboyce@...
      • You're missing the point. There's nothing on those servers you mentioned

        of any value to a hacker, Windows based or Linux based.
        And they are professionally managed, behind some of the better hardware, and monitored and protected. They're also mission specific; nobody's doing email on the servers. It's not like "they're Linux, and can't be hacked", as we see them being hacked all the time, but only because there is something of value to these guys on the Linux systems that are hacked.

        There's no incentive for the malware writer to write for Linux. It's really no different than many legit software companies writing Linux-based versions of their programs: they don't see the ROI.

        Why would a malware writer waste the time on 1% of the market when they have 90%? What's the real ROI to them?
        William Farrel
      • The Point

        Mr. Farrel, no, you completely missed the point.

        Break into any bank's Linux system and transfer a few million to your account. Or, break into Dow Jones and transfer a few billion to your account.

        Now, Ed stated that the current malware folks are after money, right? So, which is better: a few hundred thousand $100 credit card fraud transfers ($10 million total) or a single billion-dollar transfer?

        The parent poster is right. You completely missed the point.
        YetAnotherBob
    • Have to disagree with you on these Ed.

      These are nothing more than troll posts couched as "troll repellent".
      ye
      • Second that

        I think Ed's 'troll repellent' posts are brilliant in concept but contain one major and inherent flaw. Linux advocates should always have a free voice in any computing discussion, assuming those comments do not diverge too far from the subject at hand (something we can all be guilty of at times).

        The kicker is, I've seen where Dietrich is on topic but the mere introduction of the Linux example or approach gets his posts excised. It thus becomes part of the 'crying wolf' syndrome, unfairly.

        Censorship stinks, especially in so called 'free societies' (ha! YMMV on that lofty concept). Sadly, the more one gets of it and other forms of marginalization, the more one thinks of turning to guns and other reactionary measures instead. FACT.
        klumper
    • Not troll repellent, ED.....

      Many of your articles get blasted because the material you post is inflammatory, biased and many times, incorrect.

        Many business networks run Linux; in fact, the bigger they are, the more likely Linux is the OS of choice. Ask Google, IBM, the stock exchanges, all but 5 of the top 500 supercomputers, etc. what they are running, and they will ALL be Linux.

        Linux is just a more secure OS than Windows, and that is a fact that you can't spin away.

      Now you MS Fanbois can downgrade all you like, the facts won't change though.
      linux for me
      • If Ed is wrong

        Then you should have no issue telling us how and why he is wrong.
        NonFanboy