In Time and Malware I mention that very old malware is still with us. That made me curious about just how many PCs are still running pre-XP versions of Microsoft Windows (e.g., Windows 98). The data from a number of sources that track web browser usage suggest that pre-XP versions of Windows still represent 5.5% of the operating system market! And because that survey uses web browser user agent data, it probably understates the actual market share for two reasons. The first is that older PCs seem less likely to be connected to the Internet than newer PCs would be. The second is that there are a lot of people running old versions of operating systems on Servers, which of course would never be used to browse the web (even if connected to the Internet).
The Server case is one I’m fairly familiar with. Years ago there was a very large SQL Server customer I talked to who was still running SQL Server 4.2 on IBM OS/2 and couldn’t figure out how to move to something new. The servers were spread over several hundred nationally dispersed branch locations, and upgrading them would take two years of having IT people physically go out to each branch. It was such a large task that they just couldn’t even contemplate doing it. For all I know they are still out there running the OS/2 servers. And they weren’t alone. Many IT shops had the attitude that when you have a mature system that requires little attention you just leave it alone until the application it runs reaches obsolescence. And so there are likely quite a number of Windows NT and Windows 2000 servers that are still kept running, just waiting until someone says “hey, we replaced the FOO application and no longer need that Server for it”.
On the PC side there are people who quite literally still find operating systems like Windows 98 adequate for their needs, because their needs haven’t changed. The simple spreadsheets they wrote back in the 90s still work, and that old version of Quicken still knows how to maintain a checkbook. There are also all those people who don’t have access to broadband, which removes much of the incentive to use a modern OS. Some people might have peripherals that aren’t supported by the NT-based operating systems and so they keep a PC around running Win 9x for the occasion where they need to use that old scanner, for example. There are also special purpose systems, for example a restaurant order management system, that are still in use. In fact, I still occasionally see systems like this that are still running character cell (i.e., MS-DOS) based applications! You don’t upgrade the OS until you replace the entire system. And then I know people who took an old PC and turned it into a print server or other special purpose system. Why upgrade, especially since it would cost you money and bring no apparent benefit? Security, after all, is something most people ignore until it bites them on the backside.
And so, with millions of machines out there running operating systems that are still susceptible to attack by ancient malware, ancient malware lives on.
I should point out that there are sources that put pre-XP Windows PC (not server) market share at <1%. But the one I was just looking at, http://www.opswat.com/media/reports/MarketShareReportMarch2011.pdf, is clearly biased towards enterprise deployments.