In part 1 of this series on the threat landscape in Asia and Oceania I focused on Vietnam and India – the two locations with the highest malware infection rates in the region.  In this part of the series, I’m focusing on Korea and Japan.  Historically Korea has had one of the most active threat landscapes and highest malware infection rates in the world, while Japan has had the opposite.    

I often get asked why the malware infection rate is so high in Korea or why it’s so low in Japan.  I have had the opportunity to visit both Korea and Japan to discuss the threat landscape with customers, government, and academics.  I have heard a lot of perspectives and find the threat landscape in these two locations very interesting to compare and contrast.  It would be easy to jump to the conclusion that malware infection rates and related threat activity are related to language or culture when looking at the situation in Japan.  But that argument gets much harder to make when Japan and Korea are compared.  For example, some factors that could help explain why Japan has such a low malware infection rate include:

  • The language is unique and relatively hard for attackers to learn.  Thus, the population of would-be attackers is likely much smaller than that for English speaking locations.
  • Broadband penetration in Japan is high and broadband routers there also function as firewalls to help protect consumers’ systems from some threats.
  • Great public – private partnerships focused on Internet safety.  An example of this is the Cyber Clean Center (https://www.ccc.go.jp/), which is a cooperative project between ISPs (76 companies as of June 2009), major security vendors (seven companies, including Microsoft), and Japanese government agencies.  They help to educate users and help them remove malware infections from their computers.

But it would seem that Korea has all these same factors in place: a unique language, high broadband penetration, and great public – private partnerships focused on Internet safety.  Despite this, until recently, Korea consistently had one of the highest malware infection rates in the world, with periods where phishing sites, malware hosting sites and drive-by download sites hosted in Korea were well above levels seen in many other parts of the world.  Therefore, I think there are more factors at work than just the ones I mentioned here.  For example, the motivations of the attackers are likely a key factor.

The rest of this article provides a look at the threats found in these two very interesting locations based on the latest data available in the Microsoft Security Intelligence Report volume 12.

Korea

I have written about the threat landscape in Korea on a couple of occasions in the past:

Korea continues to be an extremely active location for attacks and continues to have a malware infection rate above the worldwide average.  That said, Korea was one of the most improved locations in the world in the second half of 2011 (2H11) as the malware infection rate (CCM) there went from 30.1 in the first quarter of 2011 (1Q11) to 11.1 in the fourth quarter of the same year (4Q11).  Significant decreases in detections of Rimecud, Win32/Frethog, and Win32/Parite were responsible for much of this improvement.  The top threat in Korea, a Korean-language rogue security software threat called Win32/OneScan, also trended down between the third and fourth quarters of 2011.  OneScan infections have trended up and down dramatically in Korea in the past.  For example, it was the top detection in Korea in the fourth quarter of 2010, but wasn’t in the top 10 most detected threats in Korea in the second quarter of 2011.  It was back to the number one threat in Korea in the fourth quarter of 2011.

Adware affected 58% of infected systems in Korea in 4Q11, which is a relatively high percentage.  I consider this positive news because that means more severe threats like worms, Trojan downloaders and droppers, etc., are relatively less prevalent.

Figure 1 (left): CCM infection trends in Korea and worldwide by quarter in 2011; Figure 2 (right): The top 10 malware and potentially unwanted software families in Korea in 4Q11

Although the malware infection rate has improved greatly and 5 of the top 10 threats in Korea are adware, it’s not all positive news.  Phishing sites and malware hosting sites are at relatively elevated levels in Korea as seen in figure 3.

Figure 3: Phishing sites, malware hosting sites and drive-by download sites hosted in Korea in 4Q11 as published in the Microsoft Security Intelligence Report volume 12

Japan

Japan has had a relatively low malware infection rate for the last 5+ years.  In 1Q11, while Korea’s CCM was over 30, the CCM in Japan was 2.7 trending down to 1.3 by the end of 2011.  1.3 systems infected with malware for every 1,000 systems scanned by the Microsoft Malicious Software Removal Tool (MSRT) makes it the lowest CCM of any location in Asia and one of the lowest in the world. 

Although the CCM in Japan has been lower than the worldwide average for 5+ years, it was elevated for the year between the last half of 2009 and the first half of 2010, peaking at 5.1 in the first quarter of 2010.  This was due in large part to the effectiveness of worms like Win32/Autorun, Win32/Conficker and Win32/Taterf in Japan.  In fact, worms have typically been one of the top categories of threats found in Japan, even during periods when worms weren’t prevalent in many other parts of the world.  This trend goes back many years in Japan and this reminds me of the work Microsoft did to help tackle the worm called Win32/Antinny that was targeting Japanese-language users of a popular peer-to-peer program.  As seen in figure 4, detection for the Antinny worm was added to the MSRT in October of 2005 and within a year and a half over 650,000 systems were cleaned of ~70 variants of this threat.  Antinny has a very “long tail” as it was still in the top ten list of threats found in Japan in the second half of 2011, although at very low levels - found on 1.4% of systems in Japan infected with malware in 4Q11.
 
Figure 4 (left): Number of systems cleaned of Win32/Antinny between October 2005 and February 2007; Figure 5 (right):  The top 10 malware and potentially unwanted software families in Japan in 4Q11

The level of adware in Japan is much higher than the worldwide average, something I consider positive and see in other locations with relatively low malware infection rates; i.e., relatively high adware percentages mean lower percentages of more severe threats.  That said, Win32/EyeStye is in the top ten threats found in Japan – at low levels.  EyeStye is a banking Trojan that has been impacting systems in increasing numbers in several countries in Europe as I wrote about recently; the Microsoft Malware Protection Center recently published a threat report on EyeStye as well.

Figure 6 (left): Malware and potentially unwanted software categories in Japan in 4Q11, by percentage of cleaned computers affected, totals can exceed 100 percent because some computers are affected by more than one kind of threat; Figure 7 (right): Phishing sites, malware hosting sites and drive-by download sites hosted in Japan in 4Q11 as published in the Microsoft Security Intelligence Report volume 12

I often get asked what Japan is doing right to maintain such a positive ecosystem.  As I wrote earlier, I don’t think there is a simple answer such as language or culture.  I wrote about lessons learned from Japan in part 5 of the six-part series I published a while back called Lessons from Some of the Least Malware Infected Countries in the World.  This article includes some commentary from security experts in Japan.

In the next part of this series on threats in Asia and Oceania, I will explore threats in Malaysia and Singapore.

Tim Rains
Director
Trustworthy Computing
