This is Part 2 in a series of articles focused on understanding the threat landscape in the Middle East and Southwest Asia. Part 1 of the series examined the relatively high malware infection rates of numerous locations in the region. This article examines whether these relatively high malware infection rates are a result of people in the region encountering malware more frequently than average.
The “encounter rate” is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8) reporting that they blocked malware from installing on them. The worldwide average encounter rate was 17% in the second quarter of 2013 (2Q13), while the average of all the locations in Figure 1 was 28.5%. Of these locations, only Israel, at 15.74%, had an encounter rate below the worldwide average.
Figure 1: Encounter rates for various locations in the Middle East and southwest Asia, from the third quarter of 2012 (3Q12) to the second quarter of 2013 (2Q13)
Figure 2 (left): Threat categories encountered in the Middle East and southwest Asia compared to the worldwide average in the second quarter of 2013 (2Q13); Figure 3 (right): Top ten threat families by encounter rate in the region between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)
In many parts of the world that have elevated malware infection rates, typically one or two categories of threats are also elevated above the worldwide average. But in the case of these locations, as seen in Figure 2, every single category of threat is elevated. Figure 3 contains the specific families of threats encountered in these locations most often. Autorun worms have been the top threat in the region for some time. These threats are found all over the world, something I have written about before in an article called “Defending Against Autorun Attacks.” More than four and a half times as many systems encountered Win32/Gamarue in 2Q13 as in the previous quarter. We have seen this family of threats distributed via exploit kits. Win32/Sality, a file infector, has been consistently encountered by more than 4% of the systems in this region. I have written about Sality before in an article called “Are Viruses Making a Comeback?”
Interestingly, some of the threats on the list in Figure 3 are primarily found in Turkey. For example, 92.6% of systems that reported encountering Kilim, a Trojan, were located in Turkey. Similarly, 97.0% of systems that encountered Murkados, a worm, were located in Turkey. As seen in Figure 1, Turkey had the highest encounter rate, with 47.35% of systems running Microsoft real-time anti-malware software reporting that they encountered malware in 2Q13. Although Turkey had the highest encounter rate in the region, as discussed in Part 1 of this series, it didn’t have the highest infection rate (malware successfully installed on the system). Turkey had the sixth-highest malware infection rate in the region in 2Q13, with a CCM of 23.6 compared to the worldwide average of 5.8. Iraq (with a CCM of 31.5), Pakistan (29.2), Syria (27.6), the Palestinian Authority (26.1) and Egypt (25.0) all had infection rates higher than Turkey in 2Q13.
So what’s happening in Turkey? The short answer is that Turkey was targeted by malware authors through Turkish-language social engineering. You can read all of the details in an article recently published by the Microsoft Malware Protection Center called “Turkey: Understanding high malware encounter rates in SIRv15.”
Although it would seem that systems that encounter malware more often would get infected more often, the differences between encounter rates and infection rates suggest that the encounter rate is not the only factor influencing regional malware infection rates. These differences are interesting, and more research on them might help determine which best practices are most effective at helping to protect systems from compromise in each individual country/region.
In the next part of this series I will examine whether the number of systems in the Middle East and southwest Asia running up-to-date real-time anti-virus software helps explain the differences in regional malware infection rates.