Recently I wrote about the threat landscape in the European Union (part 1, 2, 3) and Africa.  This series of articles is focused on threats in select locations in Asia (Vietnam, India, Korea, Malaysia, Singapore, and Japan) and Oceania (Australia and New Zealand).  I am focusing on these locations as they were the most active locations in the region during the second half of 2011 (2H11).  I omitted China from this analysis as I hope to dedicate an article to it in the future at some point.  The primary source of data for this series of articles is the Microsoft Security Intelligence Report volume 12 (SIRv12).

As seen in the heat maps below (figures 1 and 2), the malware infection rates for locations in Asia and Oceania changed in the year between the fourth quarter of 2010 and the fourth quarter of 2011.  

Figure 1 (top): Malware infection rates by country/region in the fourth quarter of 2010 (4Q10), by computers cleaned per mille (CCM); figure 2 (below): malware infection rates by country/region in the fourth quarter of 2011 (4Q11), by CCM

The malware infection rates of Vietnam, India, Korea and Malaysia were all above the worldwide average in the fourth quarter of 2011 (4Q11). Vietnam had the highest malware infection rate in the region with 16.5 systems infected with malware for every 1,000 systems scanned by the Microsoft Malicious Software Removal Tool (computers cleaned per mille (CCM)), compared to the worldwide average of 7.1 during the same period.  India’s CCM during 4Q11 was 13.8, slightly lower than the prior three quarters.  Korea’s CCM was the most improved in the region during this period trending down from a CCM of 30.1 in the first quarter of 2011 to 11.1 in the fourth quarter. Malaysia also saw its CCM improved as it went from 13.4 in the first quarter down to 9.0 by the fourth quarter.  The CCMs of Singapore (3Q11 = 6.9, 4Q11 = 5.7) and Australia (3Q11 = 5.3, 4Q11 = 4.6) were below the worldwide average in the second half of 2011, while Japan’s CCM remains one of the lowest in the world at 1.3 in the fourth quarter of 2011.

Figure 3: Computers cleaned per mille (CCM) for select locations in Asia and Oceania, with the worldwide average for the third (3Q11) and fourth (4Q11) quarters of 2011

Vietnam

As I wrote earlier, Vietnam has the highest malware infection rate in the region.  The mixture of threats found in Vietnam is interesting because of the relatively high levels of threats in the potentially unwanted software category found there; three of the top ten threats found in Vietnam are in the potentially unwanted software category.  You find details on the top four families of threats found in Vietnam below:

  • The most common threat family in Vietnam in 4Q11 was Win32/Keygen, which affected 27.8% of computers cleaned in Vietnam. Win32/Keygen is a generic detection for tools that generate product keys for illegally obtained versions of various software products.
  • The second most common threat family in Vietnam in 4Q11 was Win32/Ramnit, which affected 22.9% of computers cleaned in Vietnam. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
  • The third most common threat family in Vietnam in 4Q11 was Win32/Autorun, which affected 19.3% of computers cleaned in Vietnam. Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
  • The fourth most common threat family in Vietnam in 4Q11 was Win32/CplLnk, which affected 17.4% of computers cleaned there. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.

Figure 4 (left): Threat categories for Vietnam in the fourth quarter of 2011, totals can exceed 100 percent because some computers are affected by more than one kind of threat; Figure 5 (right): The top 10 malware and potentially unwanted software families in Vietnam in the fourth quarter of 2011 (4Q11)

       

India

I have written about the threat landscape in India before: The Threat Landscape in India – More Active than First Thought.  India’s malware infection rate was consistently above the worldwide average in 2011 as seen in Figure 6. In the first half of 2011 (1H11), worms had infected roughly 40% of all systems found to be infected in India; this trend continued into the second half of 2011 with worms affecting 40% of all computers cleaned there during that period.  Like Vietnam, Win32/Autorun, Win32/Sality, Win32/Ramnit and Win32/Keygen are among the top five threats in India.  The relatively high percentage of drive-by download sites observed in India in the first half of 2011, diminished in the second half of the year as seen in figure 9. 

Figure 6 (left): CCM infection trends in India and worldwide by quarter in 2011; Figure 7 (right): Malware and potentially unwanted software categories in India in 4Q11, by percentage of cleaned computers affected, totals can exceed 100 percent because some computers are affected by more than one kind of threat

   

Figure 8 (left): The top 10 malware and potentially unwanted software families in India in 4Q11; Figure 9 (right): Phishing sites, malware hosting sites and drive-by download sites hosted in India in 4Q11 as published in the Microsoft Security Intelligence Report volume 12

     

In the next part of this series on the threat landscape in Asia and Oceania, I will take a close look at what has been happening in Korea and Japan – two of the most interesting threat landscapes in the world to compare and contrast.

Tim Rains
Director
Trustworthy Computing