A recent blog post I wrote entitled Determining the Geolocation of Systems Infected with Malware, focused on some of the interesting changes in regional malware infection rates that occurred when we started using IP geolocation in the latest Microsoft Security Intelligence Report (SIRv11).

Figure 1: The five locations with the largest malware infection rate (CCM) increases caused by the switch to IP geolocation

As seen in figure 1, the difference between Qatar’s CCM when measured via IP geolocation (61.5 CCM) and when measured via the administrator-specified location setting (5.6 CCM) is significant. The 61.5 CCM for Qatar in the first quarter of 2011 (1Q11) means that for every 1,000 systems that the Microsoft Malicious Software Removal Tool (MSRT) executed on in Qatar, 61.5 systems were found to be infected with malware. This is the largest CCM figure ever reported in the Microsoft Security Intelligence Report and is 50.5 points higher than the worldwide CCM average during the same period. It represents an increase of 55.1 infected systems per 1,000 scanned compared to the figure reported for Qatar for 4Q10, which used the administrator-configured locale setting to determine location.

What’s going on in Qatar?

It would seem that many systems in Qatar are configured with a system location setting set to something other than “Qatar”. This suggests that, rather than using the locale settings designated for Qatar, many computer administrators are using locale settings for different locations. As a result, the infection rates reported using the location setting were being skewed (underreporting malware detections) for Qatar, and this became evident when we started using IP geolocation.
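To make this measurement artifact concrete, here is an added example (not from the post, and not SIR's own tooling) that computes CCM from constructed MSRT-style records two ways, attributed by locale setting and by IP country, and reports how many systems in a country have a locale set elsewhere. The record layout, the sample numbers and the helper names `ccm_by`, `ccm_shift` and `locale_mismatch_rate` are assumptions for illustration.

```python
from collections import defaultdict

def make_records(ip_country, locale, scanned, infected):
    """Constructed MSRT-style records: one dict per scanned system (not real SIR data)."""
    return [{"ip": ip_country, "locale": locale, "infected": i < infected}
            for i in range(scanned)]

# Constructed sample: most systems physically in Qatar have their locale set to
# another country, which is the situation the post describes.
SAMPLE = (
    make_records("QA", "QA", scanned=40, infected=1)     # correctly configured
    + make_records("QA", "US", scanned=160, infected=9)  # misconfigured locale
    + make_records("US", "US", scanned=800, infected=8)
)

def ccm_by(records, key):
    """CCM = infected systems per 1,000 MSRT executions, grouped by 'locale' or 'ip'."""
    scanned = defaultdict(int)
    infected = defaultdict(int)
    for rec in records:
        scanned[rec[key]] += 1
        infected[rec[key]] += rec["infected"]
    return {loc: round(1000 * infected[loc] / scanned[loc], 1) for loc in scanned}

def ccm_shift(records):
    """Per IP country: (CCM via locale setting, CCM via IP geolocation, difference),
    the comparison Figure 1 makes."""
    by_locale = ccm_by(records, "locale")
    by_ip = ccm_by(records, "ip")
    return {loc: (by_locale.get(loc, 0.0), by_ip[loc],
                  round(by_ip[loc] - by_locale.get(loc, 0.0), 1))
            for loc in by_ip}

def locale_mismatch_rate(records, ip_country):
    """Share of systems geolocated to ip_country whose locale setting names another country."""
    in_country = [r for r in records if r["ip"] == ip_country]
    if not in_country:
        return 0.0
    return sum(r["locale"] != ip_country for r in in_country) / len(in_country)

if __name__ == "__main__":
    for loc, (ccm_locale, ccm_ip, delta) in ccm_shift(SAMPLE).items():
        print(f"{loc}: locale={ccm_locale} ip={ccm_ip} shift={delta:+}")
    print("QA locale mismatch rate:", locale_mismatch_rate(SAMPLE, "QA"))
```

In the constructed sample, attributing by locale halves Qatar's CCM (25.0 versus 50.0 by IP) and inflates the country the misconfigured systems are attributed to, the same direction of skew the post reports.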

Figure 2: Location setting under Control Panel\Clock, Language, and Region


The categories and families of threats found in Qatar provide some insight into what attackers are doing in the region. As seen in figure 3 below, the prevalence of worms is well above the worldwide average, with Win32/Rimecud, Win32/Autorun, and Win32/Conficker all contributing to this. Of all the systems found to be infected with malware and/or potentially unwanted software in Qatar, 43.7% were infected with worms, which spread using tactics like autorun feature abuse, removable drives, and exploitation of weak passwords. I have written about these specific threats before and provided some advice on how to defend against them: Defending Against Autorun Attacks. A key step for Windows XP Service Pack 2 users is to install Service Pack 3 as soon as possible, as Service Pack 2 is no longer supported; i.e., without Windows XP Service Pack 3 they won’t receive security updates, like the ones designed to protect against autorun feature abuse.

Figure 3: left: malware and potentially unwanted software categories in Qatar in 2Q11, by percentage of cleaned computers affected; right: the top 10 malware and potentially unwanted software families in Qatar in 2Q11


Additionally, 26.6% of threats found in Qatar in 2Q11 are adware with clearly visible components such as browser toolbars or installed applications. These adware families include Win32/Hotbar, Win32/ShopperReports, and Win32/ClickPotato.

We asked Hamid Sadiq, Q-CERT Department Manager (http://www.qcert.org), his view on the situation in Qatar.

“At Q-CERT, as the National Information Security Team, we are working with all the local and international partners to reduce the cyber security risks and threats in the State of Qatar. As an example, we have started a tighter collaboration with the Microsoft Security Team in 2Q11 to reduce the number of infected machines. We hope to demonstrate visible results by 2Q12.
On top of that, although there is no lack of technologies available on the market, we recognize that the most important challenge is to educate people about safe Internet usage.”

I also asked Microsoft’s Chief Security Advisor for the Gulf region, Cyril Voisin, what actions people in Qatar can take to defend themselves from these threats. Cyril had some great advice including:

1. Make sure you will receive the latest security updates from Microsoft by installing the free Service Pack 3 on your machines running Windows XP. To check what service pack you have installed, click Start, right-click My Computer, and then click Properties. Windows XP users can get more information and download Windows XP Service Pack 3 for free from here.

2. Mitigate the Autorun-feature abuse by installing this free security update on your machines running Windows XP and Windows Vista. As many of the threats found in Qatar were abusing the Autorun-feature to propagate, applying this one security update will have a positive impact on the number of systems infected in Qatar.

3. Make sure you’re not using any trivial password that threats can just guess to penetrate your systems. Instead, use strong passwords to help defend systems against Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun.

4. Install antimalware software from a trusted source and keep it up to date. Many reputable antivirus companies offer free scans such as this one, and Microsoft offers Microsoft Security Essentials for free.

Tim Rains
Director
Trustworthy Computing