Antimalware Team Releases MSRT White Paper

Hello there. I'm writing to you from the Microsoft TechEd conference in Boston. This event attracts over 10,000 attendees interested in learning about current and future Microsoft products. It's also a great place for getting feedback from our customers and we'll share some of that feedback next week.

Yesterday, the Microsoft Antimalware team released a new white paper entitled "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". The paper highlights Microsoft's uniquely broad understanding of the malware landscape, illustrating how the tool has removed 16 million pieces of malicious software from 5.7 million unique computers from January 2005 to March 2006. On average, the tool has removed at least one instance of malicious software from every 311 computers it has run on. A core objective of Microsoft's release of the tool is reducing the impact of malicious software on Windows customers and the report describes how removals of 41 of the 61 malware families have decreased with 21 of those families exhibiting a decrease by more than 75%.

The report goes onto highlight several trends related to malicious software categories, such as backdoor Trojans (including bots) and rootkits. For example, of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of the cases. We have noticed that there has been some confusion over this statistic so, to be clear, keep in mind that this percentage is of the population of infected computers. In other words, when the tool does find an instance of malware per every 311 computers, there is a 62% chance it will be a backdoor Trojan. This statistic does not mean that the tool has removed a backdoor Trojan from 62% of the computers the tool has run on.

What does this mean for our customers?  Our goal is to provide our customers and partners with an accurate understanding of the types of threats that exist so they can take appropriate action to ensure that they are protected.  It also means that we’re able to use this data, and data gathered from other resources, to continually evolve our understanding of the malware environment and to continually improving the way we respond to customers when faced with malicious threats.  

We hope that you find the data and guidance provided by the paper interesting and actionable. Any feedback is welcome and will be taken into consideration for future threat reports produced by the Microsoft Antimalware team.  


PS Below find a picture of some of the antimalware team at TechEd. From left to right: Adam Overton (Group Program Manager), Mike Chan (Senior Product Manager), Matt Braverman (Program Manager), Jason Joyce (Program Manager), and Sterling Reasor (Program Manager).

Comments (8)
  1. Nicholas says:

    Keep up the great work!

  2. Dann says:

    So What’s up with Window Defender Xp version i really like this software are there any good news for beta 2 user?

  3. Louis says:

    Pic is great, looks like a " we shop at (insert clothing shop name here)". Are you singelhandedly "supporting" Vista. By the way, are the malware stats based on a calc of downloads x threats detected, or information sent back via anon prog feedback. Malicious tool should provide feedback to the user,reassuring them that something has been done, e.g. fireman says that the fire is out, that sort of thing, an extra line or two of code would do it, not that big a burden, but puts the user at ease.


  4. Dann says:

    When is the next beta of Window Defender coming out for Window XP. Is it before or after they release Window Vista RC1.

  5. Russ Cooper says:

    Are raw statistics available? E.g. Monthly stats for all families?

    The total in column “Computers” in Figure 5 on page 9 is 6,800,957, yet earlier you state the number of infected computers is 5.7 million between 6/05 and 3/06. Can you explain this discrepancy?

    Is it possible to get numbers for that same figure where Removals and Computers reflect the same period, say 6/05 through 3/06? I would like to look at the number of “repeat offenders” who are re-infecting themselves with the same family. I’m interested in examining those families with higher re-infection rates to assess the techniques which are achieving greater re-infection rates.

    Atak appears to be the only malware dropped prior to 3/06. Do you have numbers for Atak over the period?

    Are no stats kept based on how the Backdoor Trojans are believed to be installed?



  6. Raw statistics naturally exist but, due to the magnitude and complexity of the data, it is not practical to make them available broadly verbatim. If you have specific questions / goals in what you’re trying do understand, please send me a mail at

    With respect to the "Computers" note, there is no discrepancy. The 5.7 million figure is the number of unique computers across all families. As there will be computers infected with more than one family, it makes sense that the sum of the statistics in Figure 5 is greater than 5.7 million.

  7. Jan Eriksson says:

    It was a really interesting report showing boot facts and tips.

    In the report You mention the wise to run the computer as an ordinary user instead of an administrator. Would it not be possible to until next report have figures backing up this. With Your knowledge about all removed malware I guess You are able to judge witch of them have the possibility to be installed by an ordinary user and witch need an administrator. If the computer is hit by a "Exploit Worm" (I guess it always run as system), a "Rootkit" and a "Email Worm" it will not be  possible to be sure I guess. I think You would not be able to give an exact answer but I am sure You would be able give us a very clear indication.

    I guess it is the same about a proper configured firewall.

    In how many case would the computer not been hit if the security updates released one month or longer time ago have been installed?

    We have made the effort to make our 10 000 + users run as ordinary users, our XP SP2 firewall is proper configured and we spend time to get all relevant security updates installed after testing them. All this takes time and have to be motivated to our management. We are lucky having a management understanding this but it would be even better if we was able to show them how important it is. It would be even more important to all of them not given the resources to handle those security questions properly.

    I think all of this would be possible to create with your knowledge and with Your information. I hope I will be able to attend to ITforum in Europe and I hope someone of You will be there and give us solid figures about this.



  8. Toby Ovod-Everett says:

    There’s a minor statistical error on page 10 of the whitepaper.  "Using the data in Figure 4, we can determine that the average number of unique malware variants removed per computer is 1.59. In other words, the tool is slightly more likely to remove more than one malware variant per computer than just one variant."  The first does not imply the second.  In fact, in 67.3% of cases where malware was removed, only one variant was removed.  In this situation, you have a heavily weighted distribution, and thus the average and the median do not coincide.

    All in all, though, it is a well written paper.

    –Toby Ovod-Everett

Comments are closed.

Skip to main content