Threat Categories by Location
The malware ecosystem has moved away from highly visible threats, such as self-replicating worms, toward less visible threats that rely more on social engineering for distribution and installation. This shift means that the spread and effectiveness of malware have become more dependent on language and cultural factors. Some threats are spread using techniques that target people who speak a particular language or who use services that are local to a particular geographic region. Others target vulnerabilities or operating system configurations and applications that are unequally distributed around the globe. Infection data from several Microsoft security products for some of the more populous locations around the world demonstrates the highly localized nature of malware and unwanted software.
Accordingly, the threat landscape is much more complex than a simple examination of the biggest global threats would suggest.
2011 security intelligence
The following figure shows those countries/regions reporting significantly large numbers of computers cleaned by Microsoft desktop antimalware products since 2009.
Countries/regions with significantly large numbers of computers cleaned since 2009
The following figure shows countries/regions that have historically reported high infection rates as compared to the average infection rate for all countries/regions.
Countries/regions with historically high infection rates as compared to the worldwide average since 2009
The following figure shows countries/regions that have historically reported low infection rates as compared to the average infection rate for all countries/regions.
Countries/regions with historically low infection rates as compared to the worldwide average since 2009
Lessons from least infected countries/regions
Austria, Finland, Germany, and Japan have all enjoyed relatively low malware infection rates over the past several years. However, many of the same global threats that are prevalent in countries/regions with high malware infection rates, such as Brazil, Korea, and Turkey, are also prevalent in countries/regions with low infection rates.
- Adware is among the most prevalent categories of threats found in countries/regions with both high malware infection rates and low malware infection rates; it was observed as the top or second-highest category in each. Both JS/Pornpop (detected on more than 6.5 million unique computers globally in the second half of 2010) and Win32/ClickPotato are very prevalent in these countries/regions.
- Win32/Renos was primarily responsible for the levels of trojan downloaders and droppers found in countries/regions with both high malware infection rates and low malware infection rates. Win32/Renos has been a prevalent family of trojan downloaders and droppers for a number of years, and was detected on more than 8 million unique computers around the world in 2010.
- Win32/Autorun, detected on more than 9 million unique computers globally in 2010, and Win32/Conficker, detected on more than 6.5 million unique computers globally in 2010, are in the top ten lists of threats for countries/regions with both high malware infection rates and low malware infection rates, except Finland.
The relatively low malware infection rates in Austria, Finland, Germany, and Japan do not necessarily mean that criminals are not active in these countries/regions. For example:
- More malware hosting sites (per 1,000 hosts) were observed in Germany than in the United States in 2010.
- The percentage of sites hosting drive-by downloads in Finland was almost twice that of the United States in the first half of 2010.
- In Q4 of 2010, the percentage of sites hosting drive-by downloads in Germany was observed to be 3.7 times higher than that observed in the United States.
- The percentage of sites hosting drive-by downloads in Japan was 12 percent higher than that of the United States during the first half of 2010. Although this percentage went down precipitously in both locations by the fourth quarter of 2010, the percentage of sites hosting drive-by downloads in Japan was 4.7 times higher than that of the United States in Q4.
Security experts in these countries/regions indicate that the following factors contribute to consistently low malware infection rates in their countries/regions:
- Strong public–private partnerships exist that enable proactive and response capabilities.
- Computer emergency response teams (CERTs), Internet service providers (ISPs), and others who actively monitor for threats enable rapid response to emerging threats.
- An IT culture in which system administrators respond rapidly to reports of system infections or abuse is helpful.
- Enforcement policies and active remediation of threats, by quarantining infected systems on networks in the country/region, are effective.
- Educational campaigns and media attention that help improve the public’s awareness of security issues can pay dividends.
- Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low.
This list has striking similarities to the Collective Defense concept outlined in a paper written by Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft, in 2010. “Collective Defense: Applying Public Health Models to the Internet” (PDF) outlines a model to improve the health of devices connected to the Internet. To accomplish this, governments, the IT industry, and ISPs should ensure the health of consumer devices before granting them unfettered access to the Internet. The approach offered in the paper is to look at addressing online security issues using a model similar to the one society uses to address human illness. The public health model encompasses several interesting concepts that can be applied to Internet security.
The consistently least infected countries/regions in the world appear to be already doing many of the things that the Collective Defense health model proposes. A video that examines the model is available on the Trustworthy Computing website.