The sixth annual United Nations Internet Governance Conference (UN-IGF) meeting is being held this week (September 27-30, 2011) at the U.N. Office in Nairobi, Kenya (UNON). The main theme of this meeting is “Internet as a catalyst for change: access, development, freedoms and innovation.” Representatives from government and industry from numerous places in Africa will be gathering to address a host of Internet governance topics, including security. A delegation from Microsoft is in attendance.

Historically Africa is one area where it has been difficult to obtain reliable, long-term trend data on the threat landscape for specific locations. As shown in the heat map below, published in the Microsoft Security Intelligence Report volume 10 (SIRv10) insufficient data exists for many regions in Africa. Typically, this indicates there were fewer than 100,000 executions of the Microsoft Windows Malicious Software Removal Tool (MSRT) in these locations during the reporting period. Since the number of systems that run MSRT changes from month to month, however, we do get glimpses into what is happening in some of these regions… and it’s very interesting. In addition to MSRT data, we also published data from Bing and from Internet Explorer in SIRv10; the analysis below is all based on data published in SIRv10.

Figure: Infection rates by country/region in the second half of 2010 by Computers Cleaned per Mille (CCM)

clip_image002

Figure: Infection rates by country in Africa in the second half of 2010 by Computers Cleaned per Mille (CCM), with GDP figures[1] for 2010

Country

1Q10 CCM

2Q10 CCM

3Q10 CCM

4Q10 CCM

2010 GDP

Egypt

9.7

9.0

10.0

11.4

218.47

Ghana

2.9

1.6

1.5

1.2

31.08

Kenya

3.4

2.7

2.9

2.5

32.16

Nigeria

3.5

3.2

3.7

2.8

216.80

Senegal

3.4

2.6

2.4

1.9

12.88

South Africa

12.8

11.9

11.8

9.8

357.26

Tanzania

4.3

3.9

4.3

3.1

22.67

Uganda

   

4.4

2.8

17.01

Worldwide Average

10.8

9.6

9.9

8.7

 

The CCM figures are normalized allowing us to compare regions’ infection rates without skewing the data based on the different install bases/populations in each location. Notice that some of the locations with the highest GDP and, perhaps, generally the best Internet connectivity of those locations listed - Egypt and South Africa - also have the highest malware infection rates.

Figure: CCM trends for selected locations in Africa by quarter in 2010, compared to the world wide average

clip_image004

Interestingly, worms were the number one category of threats in all of the locations listed above. Worms were found on between 40 percent and 56 percent of all infected systems in these locations. The top two malware families driving this trend were Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun. Both of these threats spread using multiple techniques and have been observed spreading via mapped drives, removable media like USB drives, and by abusing the Autorun feature in Windows. I addressed threats that use Autorun-feature abuse, like Win32/Autorun and Win32/Rimecud, in this blog post: Defending Against Autorun Attacks.

To combat these threats, Microsoft has taken several steps to help protect customers including releasing updates for the Windows XP and Windows Vista platforms to make the Autorun feature more locked down, as it is by default in Windows 7. If computer users in these geographies install this one update, it will likely drive down the number of systems infected with these threats and have a very positive effect on the regional ecosystem. One important factor to note is that there are many people in these geographies still running Windows XP Service Pack 2. Support for Windows XP Service Pack 2 ended on July 13, 2010. This means that security updates are no longer offered for this platform. Windows XP Service Pack 2 was out of support when this AutoRun update was released in February 2011, so systems running Windows XP Service Pack 2 did not receive this update as a result. This means that users in these regions that haven’t yet installed Windows XP Service Pack 3 need to do so before installing the AutoRun update. For Windows XP users, installing Service Pack 3 has the added benefits of receiving security updates once again and consistently lower malware infection rates.

Figure: CCM trends for supported 32-bit versions of Windows XP, Windows Vista, and Windows 7, 3Q09-4Q10

clip_image006

The relatively low malware infection rates that many of these locations currently have, doesn’t necessarily mean that criminals aren’t trying to do business in this area of the world. Here are some examples observed in these locations:

  • Phishing sites (per 1,000 hosts) observed in Senegal was 46.08 in the first half of 2010. This is more than 102 times the number of phishing sites found in the U.S. in the same period.
  • Phishing sites (per 1,000 hosts) observed in Uganda was 4.59 in the first half of 2010. This is more than 10 times the number of phishing sites found in the U.S. in the same period.
  • The number of malware hosting sites observed in Nigeria in the first half of 2010 was 29.58 per 1,000 hosts -- more than 23 times the number of malware hosting sites observed in the U.S. in the same period.
  • The percentage of sites hosting drive-by downloads in Kenya (0.22%) in the first quarter of 2010 was almost twice that of the U.S. (0.122% in Q1) and almost 8 times higher in Q2/Q3 (0.245% in Kenya, 0.032% in U.S.).
  • The percentage of sites hosting drive-by downloads in Tanzania (5.540%) in Q1/Q2 of 2010 was 45 times that of the U.S. (0.122%) in the same period.

The call to action for the locations in Africa that I focused on here is:

1. Users running Windows XP need to have Service Pack 3 installed so they will receive security updates from Microsoft. To check what service pack you have installed, click Start, right-click My Computer, and then click Properties. You can get more information and download Windows XP Service Pack 3 from here.

2. Users running Windows XP and Windows Vista should install the security updates that help mitigate Autorun-feature abuse. Getting this one update deployed in these regions will potentially have a big positive impact on the number of systems infected by Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun in Africa, as it has in other parts of the world.

3. Use strong passwords to help defend systems against Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun

4. Install antimalware software from a trusted source and keep it up to date. Many reputable antivirus companies offer free scans such as this one, and Microsoft offers Microsoft Security Essentials for free (available in many languages).

Tim Rains
Director, Product Management
Trustworthy Computing


[1] Source of GDP data is the International Monetary Fund