In this fourth installment in the series of posts, I focus on locations that consistently have low malware infection rates. In this case we examine the threat landscape in Germany. I’m trying to offer insights into the threat landscape in regions with low infection rates, knowing that regions with higher infection rates are interested in information that might help them.

Since we started publishing regional malware infection rates back in 2007, Germany has consistently had a malware infection rate below the worldwide average. The chart below illustrates the infection rate trend in Germany for 2009 and 2010.

Figure: Infection rates for Germany in 2009 and 2010 by quarter by CCM

clip_image002

To provide a little more context, the graph below shows what Germany’s malware infection rate looks likes versus the other 116 countries we provided malware infection data on in SIRv10.

Figure: CCM trend for Germany over 6 quarters, compared to 116 other locations and to the world as a whole

clip_image004

Looking at other data for Germany in 2010, we see the following:

  • Phishing sites (per 1,000 hosts) in Germany was very similar to that of the United States in 2010; 0.44 sites (per 1,000 hosts) in Germany in the first half of 2010 while the same metric for the US was 0.45. In the second half of 2010 we observed a slightly larger spread with 0.43 in Germany versus 0.56 in the United States.
  • We observed more malware hosting sites (per 1,000 hosts) in Germany than we did in the United States in 2010. We saw 1.98 in Germany and 1.27 in the United States in the first half of the year, and 2.1 times more in Germany (4.98) than in the United States (2.38) in second half of the year.
  • Percentage of sites hosting drive-by downloads in Germany was similar to that in the United States during the first three quarters of 2010. But in Q4, the percentage of sites hosting drive-by downloads in Germany (0.026%) was observed to be 3.7 times higher than the number observed in the United States (0.007%).

Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Germany as published in SIRv10

clip_image006

Looking at the specific categories and families of threats found in Germany, as we saw in Austria and Finland, adware and miscellaneous potentially unwanted software are top categories. This is due to detections of two prevalent adware families, JS/Pornpop, found on 18.2% of infected systems in Germany in Q4 (16.2% in Austria), and Win32/ClickPotato found on 3.4% of infected systems in Germany (not in the top ten detections in Austria) in Q4.

The trojan downloader family called Win32/Renos is found in Germany, Austria and Finland in similar percentages (7.6%, 6.9%, and 6.9% of infected systems respectively). The data stealing Trojan Win32/Alureon is also found in Germany and Austria in similar percentages (4.1%, 2.9% of infected systems in Q4 respectively). Win32/Renos has been a top threat in most regions around the world for several years.

A threat called Win32/Zbot (a.k.a. Zeus) was found on 6.9% of infected systems in Germany in Q4 of 2010, but wasn’t in the top ten threats detected in Austria or in Finland. We recently released a Special Edition Security Intelligence Report: Battling the Zbot Threat. I encourage IT professionals who are responsible for the security of financial systems, government systems and critical infrastructure to learn more about Zbot since it has been used to attack such systems. I encourage you to download the full report from the link above, but here are some excerpts from the report that explain what Zbot is:

Win32/Zbot is a family of password-stealing Trojans that contain backdoor functionality which allows attackers to control infected computers remotely through botnets…Like many botnet families, Win32/Zbot can be used for a variety of illicit purposes, including sending spam email messages, executing distributed denial-of-service (DDoS) attacks, and distributing additional malware. However, its primary purpose, and the one for which it was specifically developed, is to steal financial information from infected computers. Built-in commands allow the botnet operator to perform a number of actions that are designed to facilitate theft of financial information.

Interestingly, a tool that generates keys for illegally-obtained versions of various software products called HackTool:Win32/Keygen is also found in Germany, Austria and Finland in similar percentages (4.2%, 5.5%, and 4.1% of infected systems respectively).

Figure: Malware and potentially unwanted software categories in Germany in 4Q10, by percentage of computers affected

clip_image008

Figure: The top 10 malware and potentially unwanted software families in Germany in 4Q10

clip_image010

We asked Torsten Voss of DFN-CERT and Hans-Peter Jedlicka of the Federal Office for Information Security (BSI) to help explain why Germany’s malware infection rate has been consistently lower than the worldwide average, and we published the following in the Microsoft Security Intelligence Report volume 7.

Torsten Voss, DFN-CERT (http://www.dfn-cert.de/); Hans-Peter Jedlicka, Federal Office for Information Security (BSI) (http://www.bsi.de/)

“Germany has a very large CERT community, with more than thirty commercial, government, and academic CERTs organised in the German CERT-Verbund (http://www.cert-verbund.de). Here is how CERT-Bund and DFN-CERT work to keep infection within their constituency low.

The federal Computer Emergency Response Team (CERT-Bund) is part of the Federal Office for Information Security (BSI) as the IT security provider for the German government. Its main task is to strengthen IT security and to mitigate any potential impact on governmental networks. The BSI also works closely with the German ISP community, which identifies botnet infections and informs the owners of infected computers, in some cases even isolating them under quarantine.

Additionally, a multitude of different awareness-raising initiatives, conducted by different stakeholders from the government and private sectors, provide information for every interested citizen. This includes efficient warning and alerting services for each of the CERTs’/CSIRTs’ prime constituencies (http://www.cert-bund.de/), but also for the citizens (http://www.buerger-cert.de/).

DFN-CERT is the Incidence Response Team for the German Research Network (DFN; http://www.dfn.de/) and serves the German academic and research community. One major goal of DFN-CERT’s daily work is to actively prevent the distribution of malware in its constituency, resulting in a low malware infection rate.”

Besides proactive measures (distribution of information about vulnerabilities and patches), this includes an important reactive service, which is based on a knowledge of IP address ranges and security contacts in the constituency. It consists of the following three steps:

1. Collection of information about suspicious traffic, either from other CERTs or from the DFN-CERT systems (e.g. honeypots, darknets).

2. Cross-referencing of this information with IP addresses in the constituency, which yields knowledge about which site has a problem with a certain machine or IP address.

3. Contacting the sites directly and give them detailed reports. This way local security contacts can act quickly, check their systems, and avoid the further spread of malware.

I also asked Michael Kranawetter, the Chief Security Advisor for Microsoft Germany, for his opinion:

“Information Security and especially privacy is an important topic in Germany. Many companies and even consumers are aware of the threats the internet has and due to the culture people are in general careful. In addition to this the awareness level is constantly raising, not only due to the fact that press and media are reporting incidents on a frequent base, but also on considering a holistic view beyond technology. In addition people are utilizing the support they get from Microsoft, in terms of automated updates, anti-virus signatures and the usage of the malicious software removal tool.

But the most important fact is information distribution and the well-organized CERT infrastructure. In addition consumers are informed with the help of the Sicherhheitsbarometer.

The situation is quite good and we are very proud that we help Germany to reduce cybercrime, but there is always room for improvement. We should take this as a challenge to get even better and to work on a cyber-agenda to support the public and private area to avoid incidents.”

Japan will be the final region I focus on in this series of blog posts.

Tim Rains
Director, Product Management
Trustworthy Computing