What’s Another 32-bits to Malware?

The migration of PC computing from 32-bit to 64-bit is in full swing at last, and if you’ve been confused as to what it all means, you’re not alone. PCs built for years now have been capable of running both 32-bit and 64-bit operating systems, but for that you need a 64-bit version of Windows (and corresponding drivers for devices), and getting everything working on 64-bit used to be for brave and technical people only.

There are many advantages to using a 64-bit operating system – using twice as many bits can make computers faster and the maximum amount of memory that can be used goes way above the 4 gigabyte limit (that’s 2^32 bytes). And 64-bit Windows includes PatchGuard, which makes tampering with the Windows kernel (the part of the OS that makes the underlying hardware usable by software) much, much more difficult.

Most PCs shipping with Windows 7 come with the 64-bit versions of Windows, and finally there’s nothing to be confused about; these PCs just work.

As reported in the Security Intelligence Report, 64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009:

There are still many threats that can affect 64-bit Windows, unfortunately. One other feature of 64-bit Windows is WOW64 – which is an acronym for Windows On Windows 64. WOW64 emulates a 32-bit Windows environment to allow 32-bit software to run on the 64-bit operating system, which is great for compatibility with applications that haven’t been ported to 64-bit yet, but also allows malicious code to grab a foothold. Even though these threats may run, since they’re running in the 32-bit emulated Windows environment they can do less to your computer, and don’t see 64-bit processes at all. For the same reason, 64-bit Windows needs 64-bit antimalware software like Microsoft Security Essentials to protect the whole computer.

Computer viruses are very confused by 64-bit. Taking a look at 64-bit executable code detected by Microsoft antimalware technologies in the past month, the vast majority is innocent 64-bit files infected by 32-bit viruses. While a 32-bit virus can only see other 32-bit processes, it unfortunately can see the file system, and can tamper with files it finds there. The 32-bit code in a 64-bit binary will immediately crash when executed. So even 64-bit Windows needs protection from malware.

There are also two remote control software packages that have been ported to 64-bit, which are potentially unwanted if you don’t know they are on your computer, and a couple of hacking tools that have been written for 64-bit.



Table 1: Detected 64-bit binaries (column: Distinct Files)

Note that though the Microsoft Antimalware Engine may use the Win32 prefix for threat names, the technologies used can still locate malicious 64-bit code with signatures for 32-bit threats.

Overall, 64-bit malware is still exceedingly rare in the wild, and the additional protections built into 64-bit Windows will make it harder for malware to make the 64-bit jump that’s easy for PC users with Windows 7.

For a complete discussion of the PC threat landscape, see the Security Intelligence Report.

--Joe Faulhaber
