The Threat Landscape Shifts Significantly in the European Union - Part 3
This article is focused on threats observed in the first half of 2012. The most recent volume of the Microsoft Security Intelligence Report, volume 13, includes data on the first half of 2012, including deep dive regional threat assessments on every member state in the EU as well as 78 other locations around the world. In this article I provide a summary of the latest threat data for the EU.
Romania continues to have the highest malware infection rate of any location in the EU. In the second quarter of 2012 (2Q12) Romania’s infection rate was 15 computers infected with malware for every 1,000 scanned there by the Microsoft Malicious Software Removal Tool (MSRT). This measure is called computers cleaned per mille (thousand), or CCM: the number of computers cleaned for every 1,000 times the MSRT is run. For example, if the MSRT is run 50,000 times in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in that quarter is 4.0 (200 ÷ 50,000 × 1,000).
This is over twice the worldwide average of 7. Romania also hosts large numbers of drive-by download sites, malware hosting sites and phishing sites, well above the worldwide averages. If you are unfamiliar with these types of attacks, please refer to an article I wrote in the past for background information: What You Should Know About Drive-By Download Attacks - Part 1.
Both Poland and Bulgaria also have infection rates above the worldwide average, each with 8 systems infected for every 1,000 scanned in 2Q12. The lines representing Poland and Bulgaria in Figure 1 overlap exactly in 1Q12 and 2Q12. Both locations also host phishing sites at a rate (per 1,000 hosts) above the worldwide average.
Figure 1 (left): 10 locations in the EU with relatively high malware infection rates; Figure 2 (right): malware infection rates for 17 locations in the EU, all of which have infection rates below the worldwide average in 2Q12
All other locations in the EU have malware infection rates below the worldwide average in 2Q12. The large increase in infection rates observed in Austria, Germany, Italy, and the Netherlands in the second half of 2011 has trended down to more typical levels. This spike was caused by detections of Win32/EyeStye (a.k.a. SpyEye), a family of Trojans that attempt to steal sensitive data, such as logon credentials, from banking websites and other online properties. It then sends this data to a remote attacker. EyeStye is distributed commercially in the form of a builder kit. You can read more about this threat here.
Locations in the EU like Cyprus and Latvia saw dramatic improvements in their malware infection rates between the first quarter of 2011 (1Q11) and the second quarter of 2012 (2Q12). The malware infection rate in Cyprus went from 15.1 in 1Q11 to 6.3 in 2Q12, while the infection rate in Latvia went from 11.9 to 4.5 during the same period. Unfortunately it’s not all good news in these locations as figures 3 and 4 reflect. Both locations have concentrations of malicious websites well above worldwide averages, except for phishing sites in Latvia which are slightly below the average.
Figure 3: Malicious website statistics for Cyprus
Figure 4: Malicious website statistics for Latvia
Figures 5 and 6 compare detection numbers and trends for notable malware families from a global perspective and an EU perspective respectively. As figure 6 shows, detections of Blacole in the EU have increased steeply over the past four quarters. This threat is also known as the “Blackhole” exploit kit, a kit attackers use to distribute malware. If you encounter Blacole while browsing the Internet, it will try any number of available exploits to compromise your computer. It first probes your computer to determine what software (and which versions) you have installed, then selects from its pool of exploits the ones that match vulnerabilities in that software and uses them to gain access. Because the kit gets no further than the unpatched software it finds, the best way to minimize your chance of being compromised by Blacole is to make sure you have all the latest available updates installed for all of the software on your computer, browser plug-ins included. If you are interested in more information on this threat, I have written about this exploit kit in the past: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.
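The probe-then-select step described above, reduced to what it actually is (a version comparison), as an added example written for this article. It is not Microsoft’s code and not code from the Blacole kit; the pool entries, product names, version thresholds and client inventories are constructed placeholders, not real vulnerabilities or identifiers.

```python
# Added example (not Microsoft's code, not code from the Blacole/Blackhole kit):
# the "probe, then pick an exploit that matches what is installed" logic,
# reduced to version comparison. Every pool entry, product name and version
# threshold below is a constructed placeholder, not a real vulnerability.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolEntry:
    name: str      # placeholder label (assumption: not a real identifier)
    product: str   # product the bug lives in
    fixed_in: str  # first version without the bug (assumption: made up)


# Constructed pool: what the kit "knows" how to exploit.
POOL = [
    PoolEntry("reader-bug", "reader", "9.4"),
    PoolEntry("java-bug", "java", "1.6.0_31"),
    PoolEntry("browser-bug", "browser", "9.0"),
]


def parse_version(version: str) -> tuple:
    """Turn '9.4', '1.6.0_31' or '9.0.1b' into a tuple of ints.

    Numeric comparison matters: as strings, '1.6.0_31' < '1.6.0_4', which
    would make a patched client look vulnerable (or an old one look patched).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def probe(installed: dict) -> dict:
    """The fingerprinting step. A real kit collects this from the browser
    (plug-in enumeration, user agent); here the inventory is handed in."""
    return {product: parse_version(v) for product, v in installed.items()}


def select_exploits(fingerprint: dict, pool=POOL) -> list:
    """Names of pool entries whose product is present and older than the
    version that fixed the bug. Software that is absent cannot be matched at
    all, which is why removing an unused plug-in shrinks the kit's options
    as surely as patching it does."""
    return [
        entry.name
        for entry in pool
        if entry.product in fingerprint
        and fingerprint[entry.product] < parse_version(entry.fixed_in)
    ]


# Constructed client inventories.
OUTDATED_CLIENT = {"java": "1.6.0_29", "reader": "9.3", "browser": "8.0"}
PATCHED_CLIENT = {"java": "1.6.0_31", "reader": "9.4", "browser": "9.0"}
NO_JAVA_CLIENT = {"reader": "9.3", "browser": "9.0"}

if __name__ == "__main__":
    for label, client in [("outdated", OUTDATED_CLIENT),
                          ("patched", PATCHED_CLIENT),
                          ("no java", NO_JAVA_CLIENT)]:
        print(f"{label:>8}: {select_exploits(probe(client)) or 'nothing usable'}")
```

The same comparison, run against your own software inventory with the real fixed versions from vendor advisories, is the patch audit the paragraph recommends: the fully updated client gives the kit nothing to select, and the client without Java loses the Java entry regardless of patch level.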
Figure 5: Global trends for notable threat families
Figure 6: EU trends for notable threat families
I recently wrote an article on Win32/Keygen, which is also trending steeply upward in the EU. Win32/Keygen is a family of tools that generates keys for various software products. By nature, Keygen is not malicious. However, because it is commonly bundled with malware or leads to malware, it should be avoided. In fact, on 76% of the systems where we found Win32/Keygen, we also found other threats.
The EU continues to be an active place for purveyors of malware and other attacks. The Microsoft Security Intelligence Report also provides guidance to help organizations manage the risks associated with the threats described in the report.
Please feel free to read the key findings summary, download the full report and watch related videos at www.microsoft.com/sir.