Recently I spoke at the Microsoft EU Cybersecurity & Digital Crimes Forum 2012 in Brussels.  I provided an in-depth briefing on some of the significant shifts in threat landscape in the EU during the second half of 2011.  I will be sharing some of the key findings of this analysis in a short series of articles.

Of the 27 member states of the European Union (EU) we have identified the locations with the highest malware infection rates.  We determine this using a measure called computers cleaned per mille (CCM).  The CCM is the number of computers found infected with malware for every 1,000 systems scanned by the Microsoft Malicious Software Removal Tool (MSRT), which runs on over 600 million systems worldwide on a monthly basis.

As seen in figures 1 and 2 below, some of the most active locations in the world and some locations in the EU had dramatic increases in their CCM during the second half of 2011.  Austria, Germany, Italy, and the Netherlands all experienced relatively large increases in their CCM.  As seen in Figure 2, Romania has the highest CCM of the 27 EU member states; I examine the situation in Romania in more detail below.

Figure 1 on left: The locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in the third (3Q11) and fourth quarters (4Q11) of 2011; Figure 2 on right: Locations in the EU with high infection rates in 3Q11 and 4Q11

As seen in figures 2 and 3, Romania’s CCM was well above the worldwide average in 2011.  A relatively high prevalence of several categories of threats is contributing to the high CCM, as seen in Figure 4 below.

Figure 3 on left: CCM infection trends in Romania and worldwide; Figure 4 on right: Malware and potentially unwanted software categories in Romania in 4Q11, by percentage of cleaned computers affected (totals exceed 100 percent because some computers are affected by more than one kind of threat)


The specific families of threats infecting systems in Romania are an interesting mix.  Seeing a virus at the top of the list is rare, because viruses generally don’t serve the profit motive that malware authors typically have as effectively as other categories of threats, such as trojan downloaders and droppers.  Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Two threats in the top ten list of threats found in Romania are related to software piracy, which is also uncommon in most other locations in the EU.  Win32/Keygen, which affected 14.0 percent of computers cleaned in Romania, is a generic detection for tools that generate product keys for illegally obtained versions of various software products. Win32/Wpakill, which affected 3.6 percent of computers cleaned in Romania, is a tool that attempts to disable or bypass Windows Product Activation (WPA) by altering Windows operating system files. Both of these threats are also on the top ten list of threats found in Latvia.

Figure 5: The top 10 malware and potentially unwanted software families in Romania in 4Q11

At 6.9 percent, Romania leads the EU with the highest percentage of systems affected by Win32/Conficker, followed by Bulgaria (6.3%), Hungary (5.8%), and Latvia (5.0%).  We published findings of a new study on Conficker in the Microsoft Security Intelligence Report volume 12 that will help many organizations still trying to rid their environments of this threat.

It’s also noteworthy to see Win32/Rimecud on the list of top threats in Romania. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.  Rimecud is a “kit” family: different people working independently use a malware creation kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. In July 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil (as published in the Microsoft Security Intelligence Report volume 9).

Now that you have a sense of what is happening in the EU location with the highest malware infection rate, in the next part of this series on the threat landscape in the EU, I will describe what is happening in the EU member states that have seen the biggest increases in malware infection rates in the last half of 2011 – some very interesting developments in Austria, Germany, Italy, and the Netherlands with criminals targeting financial institutions.

Tim Rains
Director, Trustworthy Computing