In the first part of this series on the threat landscape in the Middle East I focused on the threats in Qatar, the location with the largest improvement in malware infection rates in the region. In this part of the series I focus on the Palestinian Authority and Iraq, the two locations with the highest malware infection rates in the region in the second half of 2011.
The data in this article comes from the Microsoft Security Intelligence Report volume 12 (SIRv12) and previous volumes of the report.
The Palestinian Authority
The statistics presented here are generated by Microsoft security programs and services running on computers in the Palestinian territories (West Bank and Gaza Strip) in the fourth quarter of 2011 and previous quarters. This data is provided by computers whose administrators have opted into providing telemetry data to Microsoft, using IP address geolocation to determine country or region.
The Palestinian Authority’s malware infection rate (CCM) was the highest in the region in the second half of 2011. In the third quarter (3Q11) 27.1 computers were infected with malware for every 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT). In the fourth quarter of 2011 (4Q11) the CCM there was 29.9. This is substantially higher than the worldwide average CCM of 7.67 and 7.07 in the third and fourth quarters respectively. In fact, the Palestinian Authority’s CCM in the second half of 2011 was the second highest in the world, just below that of Pakistan (32.9 in 4Q11).
Figure 1 (left): Malware infection rates in the Palestinian Authority by quarter in 2011, including the worldwide average; Figure 2 (right): Malware and potentially unwanted software categories in the Palestinian Authority in 4Q11, by percentage of cleaned computers affected (totals exceed 100 percent because some computers are affected by more than one kind of threat)
As seen in Figure 2, miscellaneous Trojans, worms, miscellaneous potentially unwanted software and viruses are all found in concentrations much higher than the worldwide average. The most common category in the Palestinian Authority in 4Q11 was Miscellaneous Trojans. They affected 40.7% of all computers cleaned there, up from 38.3% in 3Q11. The second most common category in this location was Worms. They affected 39% of all computers cleaned there, up from 32.9% in 3Q11.
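To make the two measures used throughout this post concrete, the following added example (not code from the SIR or from Microsoft) computes the CCM metric from scanned and cleaned counts and the per-category prevalence shown in Figure 2; the telemetry records and the category sets are constructed sample data, and the numbers only illustrate why category totals exceed 100 percent.

```python
from collections import Counter

# Constructed sample telemetry (not SIR data): one record per location and
# quarter holding computers scanned and computers cleaned by MSRT.
SCANS = {
    ("PS", "3Q11"): {"scanned": 100_000, "cleaned": 2_710},
    ("PS", "4Q11"): {"scanned": 100_000, "cleaned": 2_990},
    ("WW", "4Q11"): {"scanned": 10_000_000, "cleaned": 70_700},
}


def ccm(scanned: int, cleaned: int) -> float:
    """Computers cleaned per mille: cleaned computers per 1,000 scanned."""
    if scanned <= 0:
        raise ValueError("scanned must be positive")
    return round(cleaned / scanned * 1000, 2)


def ccm_table(scans: dict) -> dict:
    """CCM for every (location, quarter) record."""
    return {key: ccm(v["scanned"], v["cleaned"]) for key, v in scans.items()}


# Constructed list of cleaned computers, each with the set of threat
# categories found on it; a single computer may carry several categories.
CLEANED = [
    {"Misc Trojans", "Worms"},
    {"Worms"},
    {"Misc Trojans"},
    {"Viruses", "Worms", "Misc PUS"},
    {"Misc Trojans", "Viruses"},
]


def category_prevalence(cleaned: list) -> dict:
    """Percent of cleaned computers affected by each category.

    Each computer is counted once per category it carries, so the sum over
    categories exceeds 100 whenever computers have more than one category.
    """
    counts = Counter(cat for cats in cleaned for cat in cats)
    n = len(cleaned)
    return {cat: round(c / n * 100, 1) for cat, c in counts.items()}


if __name__ == "__main__":
    for key, value in ccm_table(SCANS).items():
        print(key, value)
    prevalence = category_prevalence(CLEANED)
    print(prevalence, "total =", sum(prevalence.values()))
```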
Figure 3: The top 10 malware and potentially unwanted software families in the Palestinian Authority in 4Q11
Among the top families of malware infecting systems in the Palestinian Authority, a virus is found on more systems than any other threat: Win32/Sality, a sophisticated virus. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. Sality variants can steal cached passwords and log keystrokes entered on the affected computer.
Autorun worms are also prevalent. Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. I have written about these worms in the past: Defending Against Autorun Attacks.
The percentage of sites in the Palestinian Authority hosting drive-by download sites was significantly higher than the worldwide average and the highest in the region in the first quarter of 2011 (1Q11). This percentage trended below the average in the second half of the year.
Figure 4: Percentage of sites hosting drive-by downloads in the Palestinian Authority by quarter in 2011
Iraq
Iraq’s malware infection rate was one of the highest in the region in the fourth quarter of 2011 (4Q11) at 22 computers cleaned per every 1,000 scanned (CCM) there by the Microsoft Malicious Software Removal Tool (MSRT). This is slightly lower than Egypt’s malware infection rate (22.1) and lower than the infection rate of the Palestinian Authority (29.9) in 4Q11. Iraq’s malware infection rate trended up during 2011 and was substantially higher than the worldwide average CCM of 7.67 and 7.07 in the third and fourth quarters respectively.
Figure 5 (left): Malware infection rates in Iraq by quarter in 2011, including the worldwide average; Figure 6 (right): Malware and potentially unwanted software categories in Iraq in 4Q11, by percentage of cleaned computers affected (totals exceed 100 percent because some computers are affected by more than one kind of threat)
Several categories of threats were detected in Iraq at levels well above the worldwide average in 4Q11; these include Worms, Miscellaneous Trojans, Miscellaneous Potentially Unwanted Software and Viruses. Viruses were detected at levels significantly above the worldwide average.
The virus family called Win32/Sality was the top threat found in Iraq and was detected on almost a quarter of all systems found to be infected there in 4Q11. Win32/Sality is the same sophisticated virus that tops the list of threats found in the Palestinian Authority. Win32/Sality is in the top 10 list of threats in all the locations I am covering in this series on the Middle East and it is the top threat in Iraq, the Palestinian Authority and Syria in 4Q11. During this same period it was the number two threat found in Jordan, Kuwait, and Lebanon, and the number three threat found in Qatar. When I add up all the Win32/Sality detections in the countries I’m covering in this series, over 119,000 systems reported detections in 4Q11. The Microsoft Malware Protection Center has written some articles that include information on Win32/Sality including:
Figure 7: The top 10 malware and potentially unwanted software families in Iraq in 4Q11
Several families of worms appear in the top 10 list of threats found in Iraq. As in most other regions, Autorun worms have been detected or blocked on a significant percentage of systems in Iraq. Win32/Ramnit was detected on 15.5% of computers that detected threats in Iraq in 4Q11. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files and HTML files. It spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
One exploit is in the top ten list of threats in Iraq. Win32/CplLnk is a generic detection for specially-crafted, malicious shortcut files that exploit the vulnerability that is described by CVE-2010-2568. This vulnerability was resolved with the release of Microsoft Security Bulletin MS10-046 over two years ago and is one of the vulnerabilities used by Win32/Stuxnet. It’s also noteworthy that since then, variants of Win32/Sality, Win32/Autorun, and Win32/Ramnit also attempt to use this vulnerability to compromise systems – all found in the top ten list of threats in Iraq. Win32/CplLnk is also in the top ten list of threats in many places around the world including locations in the Middle East such as Jordan, Lebanon, the Palestinian Authority, Saudi Arabia, and Syria.
In the final part of this series on the threat landscape in the Middle East, I will examine threats found in Israel and Saudi Arabia.
Tim Rains
Director
Trustworthy Computing