In the first two parts of this series on the threat landscape in the Middle East (Part 1, Part 2) I focused on the threats in Qatar, Iraq and the Palestinian Authority (West Bank and Gaza Strip). In this final part of the series I focus on Israel and Saudi Arabia.

The data in this article comes from the Microsoft Security Intelligence Report volume 12 (SIRv12) and previous volumes of the report.

Israel
The malware infection rate in Israel was the lowest in the region in the last quarter of 2011 (4Q11) at 9.5 systems infected with malware for every 1,000 systems scanned with the Microsoft Malicious Software Removal Tool (MSRT), compared to the worldwide average CCM of 7.1.  Israel’s malware infection rate trended down in the second half of 2011 as seen in Figure 1.  In earlier time periods the malware infection rate in Israel more closely mirrored the worldwide average, but in the first quarter of 2011 (1Q11) when we started using IP addresses to determine the geolocation of infected systems, the infection rate in Israel increased to a level (15.1) well above the average (8.6).  For more information on the factors related to this increase please see an article called Determining the Geolocation of Systems Infected with Malware.

Figure 1:  Malware infection rates in Israel by quarter in 2011, including the worldwide average

The most common category of threat in Israel in 4Q11 was Miscellaneous Potentially Unwanted Software, which affected 41.8 percent of all infected computers, up from 40.4 percent in 3Q11.  The second most common category in Israel in 4Q11 was Miscellaneous Trojans, which affected 25.2 percent of all infected computers, down from 26.5 percent in 3Q11.  Worms affected 23.2 percent of all infected computers, down from 23.4 percent in 3Q11.

Figure 2 (left): Malware and potentially unwanted software categories in Israel in 4Q11, by percentage of cleaned computers affected (totals exceed 100 percent because some computers are affected by more than one kind of threat); Figure 3 (right): The top 10 malware and potentially unwanted software families in Israel in 4Q11

   

Win32/Keygen is the top threat found in Israel.  Win32/Keygen is the detection for tools that generate keys for illegally-obtained versions of various software products.  There are no obvious symptoms that indicate the presence of Win32/Keygen on an affected machine. Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptom.  Corporate administrators need to keep an eye out for detections of these tools on their networks as it might point to corporate policy violations.  

Win32/Sality is number five on the top ten list.  As I described in Part2 of this series, Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.  Sality variants can steal cached passwords and log keystrokes entered on the affected computer.

Both Win32/Keygen and Win32/Sality are on the top ten list of threats in several locations in the Middle East including Bahrain, Iraq, Jordan, Kuwait, Lebanon, Oman, the Palestinian Authority, Qatar, Saudi Arabia, and Syria.

One Potentially Unwanted Software threat in the top ten list of threats found in Israel in 4Q11 that isn’t on the top ten list for any other location in the Middle East, or any other location worldwide, is Win32/AmmyyAdmin.  Win32/AmmyyAdmin is a remote control application that allows full control of the computer on which it is installed. These types of applications are typically installed by the computer owner or administrator and should only be removed if they are not expected to be present in the computer.  The AmmyyAdmin program has built-in server and client components, thus the program can be used as a server or as a client on the computer. The person controlling the client can remotely control the computer on which the server component is executed.  The Microsoft Malware Protection Center has observed this program being used by people involved in technical support phone scams.

Figure 4: A screen shot of AmmyyAdmin;

Phishing sites, malware hosting sites, and the percentage of sites hosting drive-by downloads in Israel were all at or below the worldwide average in 4Q11.

Figure 5: Phishing sites, malware hosting sites and drive-by download sites hosted in Israel in 4Q11 as published in the Microsoft Security Intelligence Report volume 12

Saudi Arabia
The Microsoft Malicious Software Removal Tool (MSRT) detected malware on 14.1 of every 1,000 computers scanned in Saudi Arabia in the fourth quarter of 2011 (4Q11).  This is nearly double the worldwide average CCM of 7.1. Saudi Arabia’s CCM has been consistently above the worldwide average for many quarters.  Since the second half of 2010, Saudi Arabia’s CCM has been as high as 17.9. 

Figure 6 (left): CCM infection trends in Saudi Arabia and worldwide in 2011 by quarter; Figure 7 (right): Malware and potentially unwanted software categories in Saudi Arabia in 4Q11, by percentage of cleaned computers affected

   

The most common category in Saudi Arabia in 4Q11 was Miscellaneous Trojans, affecting 36.4 percent of all computers cleaned there, up from 35.4 percent in 3Q11.  Miscellaneous Potentially Unwanted Software affected 35.7 percent of all computers cleaned there in 4Q11, up from 33.2 percent in 3Q11.
The third most common category in Saudi Arabia in 4Q11 was Worms, which affected 30.7 percent of all computers cleaned there, up from 25.7 percent in 3Q11.  It’s also interesting to see the Virus category so much higher in Saudi Arabia than the worldwide average.

Figure 8 contains the top threats found in Saudi Arabia in 4Q11.  You can see several families that I have discussed in this series on the list including Win32/Autorun, Win32/Keygen and Win32/Sality. Win32/Rimecud is a family of worms with multiple components that spreads via removable drives, and instant messaging and contains backdoor functionality that allows unauthorized access to an affected system. This threat was found on 7.1% of infected systems in Saudi Arabia and is in the top ten list of threats for many locations in the Middle East including Bahrain, Israel, Jordan, Kuwait, Lebanon, Oman, the Palestinian Authority, Qatar, and Syria; it’s interesting that Win32/Rimecud is not in the list of top threats in Iraq.

Figure 8 (left): The top 10 malware and potentially unwanted software families in Saudi Arabia in 4Q11

One threat on Saudi Arabia’s list of top threats, a polymorphic virus called Win32/Mabezat, was found in only a hand full of locations worldwide in 4Q11 including Algeria, Bahrain, Morocco, Senegal, South Africa and Tunisia.

Phishing sites and malware hosting sites in Saudi Arabia did rise above the worldwide average in the second half of 2011.  The percentage of sites hosting drive-by downloads remained well below the worldwide average during the year.

Figure 5: Phishing sites, malware hosting sites and drive-by download sites hosted in Saudi Arabia in 4Q11 as published in the Microsoft Security Intelligence Report volume 12

That concludes this three-part series on the threat landscape in the Middle East.  I hope you found this analysis informative and useful.  You can find the latest data on the locations I examined in this series and many others at http://microsoft.com/sir.

Tim Rains
Director
Trustworthy Computing

 

_____________________________________________________________________________________________________________

 

Get the latest security and privacy news from Microsoft’s Trustworthy Computing group.  It’s an easy way to get real time security and privacy information, tips and tricks, learn about new security updates, mitigation tools and hear the latest insights from our security and privacy experts. Learn more.