Windows XP: Still big in botnets after all these years?

A new report shows how Windows XP is figuring strongly in one ongoing large-scale botnet operation that's predominantly targeting US banks.
Written by Toby Wolpe, Contributor

Windows XP use may be in decline but the 13-year-old Microsoft operating system still seems to be playing a disproportionately large role in botnet attacks.

Latest NetMarketShare figures give Windows XP a worldwide desktop share of 23.9 percent. Yet some 52 percent of the 500,000-plus infected machines in the active Qbot, or Qakbot, botnet are running it, according to Proofpoint.

The security firm said an analysis of the Russian-speaking criminal operation targeting the online credentials for mainly US banks through malware downloaded from compromised WordPress sites highlights the vulnerability of XP, which went out of support in April.

It is unclear to what extent XP is being targeted across a wider number of automated criminal attacks, but a McAfee report on the far smaller Athena HTTP botnet last year showed that almost all the machines affected were running Windows XP.

There were also suggestions earlier in 2014 that China's vast number of possibly unpatched XP devices could be ripe for exploitation by botnet operators.

Proofpoint engineering VP Wayne Huang said his firm's detailed study could provide a useful insight into Windows XP's involvement in botnets on a larger scale.

"Although the distribution reflects this group's infection rates in particular, it's still a good reference. Two years ago I would say, 'Yeah, it's typical' because at that time Windows XP was still in service. But if we'd done a dozen of these kinds of reports, we could say with confidence what's typical now and what's not," he said.

"We cannot say that this is true across most crime groups. But it's not a surprise because we know that quite a few of these groups tend to use exploits that they're familiar with."

Contrary to the views held in some quarters, crime groups do not invariably seek out the latest exploits for their attacks, Huang said.

"For a lot of these groups, it's not the case. Some of them tend to stick to what they're used to, as long as the exploit runs reliably — because exploitation is not a reliable process," he said.

"Although there are a lot of exploits out there, a lot of them are not reliable. [Criminals] don't favour these unreliable ones. Although they're new and, let's say, they work on Windows 7 — it doesn't matter. This group are running old exploits and they have a lot of exploits for Windows XP. That's why for this particular group, the Windows XP infection rate is hot.

"Windows 7 and 8 have more security mechanisms built into the operating system. I'm not saying they're not exploitable, but the exploits for Windows 7 and 8 are more complicated and require more steps than XP. But I certainly don't think that because Microsoft is not supporting XP, people have stopped trying to fuzz XP and find new exploits. I don't see why that would be the case."
