In the first three parts of this series on the threat landscape in Asia and Oceania I examined threats in Vietnam and India (highest malware infection rates in the region), Japan and Korea (very interesting juxtaposition), and Malaysia and Singapore (malware infection rates trending lower).  This final part of the series is on threats found in Australia and New Zealand.

Australia
The malware infection rate in Australia is typically below the worldwide average as it was for all four quarters in 2011.  However, it’s noteworthy that Australia has an elevated level of Trojans, exploits, and password stealers and monitoring tools, compared to the worldwide average.  Also noteworthy is that Autorun worms are at the top of the list of threats in most of the locations I have covered in this series on Asia and Oceania, but they are at the bottom of the top ten list in Australia.

Figure 1 (left): CCM infection trends in Australia and worldwide; Figure 2 (right): Malware and potentially unwanted software categories in Australia in 4Q11, by percentage of cleaned computers affected, totals can exceed 100 percent because some computers are affected by more than one kind of threat

   

Win32/Zbot and Java/CVE-2010-0840 are among the top ten threats found in Australia.  Neither of these threats were in the top ten list of threats for any of the other locations I examined in this series.  Zbot is a family of trojans that is created/generated by kits known as "Zeus"; these kits are bought and sold on the cyberworld black market.   Zbot is a family of password-stealing trojans that contain backdoor functionality which allows attackers to control infected computers remotely through illicit networks called botnets.  We published a special edition Security Intelligence Report on Zbot containing full details on this threat including guidance to help defend against it.  In that report Australia was 9th in the top ten list of locations with the highest percentage of Microsoft Security Essentials detections of Win32/Zbot, tied with the U.S.

Figure 3: The top 10 malware and potentially unwanted software families in Australia in 4Q11; Figure 4: The 10 locations with the highest concentration of Win32/Zbot detections in September 2010, as determined by Microsoft Security Essentials, the peak month before the release of detection in MSRT

   

The Java/CVE-2010-0840 exploit also seen in Australia’s list of top ten threats has been associated with the notorious Black Hole exploit kit.  I wrote about this threat recently, please see that article for more details: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.

I asked Microsoft’s Chief Security Advisor in Australia, James Kavanagh, about what’s happening there.  James told me the following:

Cybersecurity has become a priority in Australia during recent years due to a number of high profile intrusions against government and critical infrastructure providers.  We wrote about these kinds of intrusions in our SIR 12 whitepaper on Determined Adversaries and Targeted Attacks

Interestingly, the Defence Signals Directorate (DSD) took an approach of analysing these intrusions and identifying which security mitigations would have been most effective in preventing the attacker’s success.  Their analysis was then published in a list of the Top 35 Mitigation Strategies.  They found that at least 85% of the targeted cyber intrusions that the DSD responded to in 2010 could have been prevented by following just the first four mitigation strategies listed in our Top 35:

    1. Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
    2. Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
    3. Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
    4. Use application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.

The full list of 35 Mitigations along with a guide for implementing these on the Microsoft platform can be found on the DSD website http://dsd.gov.au/infosec/top35mitigationstrategies.htm.

New Zealand
The malware infection rate was consistently lower than the worldwide average and trending down in New Zealand in 2011.  Adware was the top threat category in New Zealand in the fourth quarter of 2011 (4Q11), significantly higher than the worldwide average during the same period.  I consider this very positive because it typically means we see fewer more severe threats, such as trojans and password stealers and monitoring tools.  

Figure 5 (left): CCM infection trends in New Zealand and worldwide; Figure 6 (right): Malware and potentially unwanted software categories in New Zealand in 4Q11, by percentage of cleaned computers affected, totals can exceed 100 percent because some computers are affected by more than one kind of threat

   

Figure 7 (below): The top 10 malware and potentially unwanted software families in New Zealand in 4Q11

  • Five of the top ten threats found in New Zealand in 4Q11 were adware.
  • The most common threat family in New Zealand in 4Q11 was JS/Pornpop, which affected 12.4% of computers cleaned there.  JS/Pornpop is a generic detection for specially-crafted JavaScript-enabled objects that attempt to display pop-under advertisements, usually with adult content.
  • The second most common threat family in New Zealand in 4Q11 was Win32/Hotbar, which affected 8.3% of computers cleaned there. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity.
  • The third most common threat family in New Zealand in 4Q11 was Win32/Autorun, which affected 7.5% of computers cleaned in New Zealand. Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.  Guidance to help you defend against these attacks is available in this article: http://blogs.technet.com/b/security/archive/2011/06/27/defending-against-autorun-attacks.aspx 
  • The fourth most common threat family in New Zealand in 4Q11 was Win32/Keygen, which affected 7.3% of computers cleaned in New Zealand. Win32/Keygen is a generic detection for tools that generate product keys for illegally obtained versions of various software products.

That concludes this series on the threat landscape in Asia and Oceania.  I hope you found this analysis useful.  You can find the latest data on the locations I examined in this series and a hundred others at http://microsoft.com/sir.

Tim Rains
Director
Trustworthy Computing