Skip to main content
Skip to main content

Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 2: Syria

  • Tim Rains

This is part two of a three part series exploring the question of whether regions that experience political instability also experience increased malware infection rates and face more severe threats compared to more stable locations.  I examined Egypt in part 1 of this series.  In this article, using data from a new Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance and volume 13 of the Microsoft Security Intelligence Report, I will take a look at another region that has experienced political instability: Syria.

I defined both demographic instability and regime stability in part 1 of this series.  Both of these factors have been correlated with regional malware infection rates (Computers Cleaned per Mille or CCM).  A 0.6 correlation for demographic instability means as it increases we’d expect the malware infection rate to also increase.  A -0.4 correlation between regime stability and CCM means as regime stability increases, the malware infection rate (CCM) is expected to decrease. Keep in mind, correlation does not mean causation and many other factors are correlated with CCM.

The Threat Landscape in Syria
Although I have mentioned Syria in some of the articles I have written about the threat landscape in the Middle East, I haven’t written an article focused on Syria before.

Like Egypt, Syria is another location where the malware infection rate increased when we changed the method we use to locate systems reporting malware infections. For more details on this change please see this article: Determining the Geolocation of Systems Infected with Malware.  As seen in Figure 1, this change occurred in the fourth quarter of 2010 (4Q10) and the CCM increased from 5.6 systems infected with malware for every 1,000 that executed the Microsoft Malicious Software Removal Tool (MSRT) in Syria to 11.2 (11.0 was the worldwide average).  If we didn’t change the way we determined the location of systems reporting malware infections, the CCM in Syria would have stayed at 5.6 in 1Q11, but then started rising in 2Q11 to 7.1.  We believe the CCM is more accurate after this change than before it.  But since the political instability apparently started in some locations in the region during 4Q10, I thought pointing out this difference would help illuminate how much of the CCM increase was due to methodology versus environmental changes.  By 2Q12, the CCM in Syria was 19.8 compared to the 2Q12 worldwide average CCM of 7.0.

Figure 1: Malware infection rates (CCM) for Syria by quarter, third quarter of 2009 (3Q09) – second quarter 2012 (2Q12) with some political events that happened during this time as reported by BBC World News ( and The Wall Street Journal (

Since 1Q11, the same set of threat categories have been at levels in Syria well above the worldwide average including Miscellaneous Potentially Unwanted Software, Miscellaneous Trojans, Worms, and Viruses.  During this time, Win32/Sality, Win32/Autorun, and Win32/Keygen have been the top three families of threats in Syria.  Sality was found on 22.5% – 25.3% of systems infected with malware in Syria between 1Q11 and 2Q12.  Like many other locations around the world, the number of Adware families found in the top ten list of threats in Syria has declined and have been replaced with more severe threats.

Figure 2 (left): Malware and potentially unwanted software categories in Syria in the second quarter of 2012 (2Q12), by percentage of computers reporting detections, totals exceed 100 percent because some computers are affected by more than one kind of threat; Figure 3 (right): The top 10 malware and potentially unwanted software families in Syria in 2Q12


Figure 4: Detection trends for prominent threat families in Syria between the first quarter of 2011 (1Q11) and the second quarter of 2012 (2Q12)

Like Egypt, when the malware infection rate in Syria increased in 1Q11, so did the percentage of drive-by download sites hosted there.  As seen in Figure 5, the percentage of drive-by download sites in Syria in 4Q10 was slightly below the worldwide average.  But that number had increased to three times the worldwide average in 1Q11 and twice the average in 2Q11.  A year later, in 1Q12 and 2Q12, the level of drive-by download sites hosted in Syria was again below the worldwide average.

Figure 5 (left): Malicious website statistics for Syria as published in the Microsoft Security Intelligence Report volume 11; Figure 6 (right): Windows Update and Microsoft Update usage in Syria and worldwide


Windows Update and Microsoft Update service usage continued to increase in Syria during 2010, 2011, and 2012, at a rate outpacing the worldwide average, as seen in Figure 6.

Many socio-economic factors are correlated with CCM, and I have only mentioned two here.  If you are interested in learning about other such factors, check out the new Special Edition Security Intelligence Report: Linking Cybersecurity Policy and Performance published by Trustworthy Computing’s Global Security Strategy and Diplomacy team.  

In the final article in this series, I will look at the threat landscape in Iraq.

Tim Rains
Trustworthy Computing