I have written about the threat landscape in Korea a few times in the past as it has been one of the most active threat landscapes in the world for some time:

Data from the Microsoft Security Intelligence Report volume 13 indicates that Korea’s malware infection rate (Computers Cleaned per Mille, or CCM) increased 6.3 times during the first half of 2012. During this period the number of systems cleaned per 1,000 systems scanned by the Microsoft Malicious Software Removal Tool (MSRT) in Korea increased from 11.1 in the fourth quarter of 2011 (4Q11) to 70.4 in the second quarter of 2012 (2Q12). At the end of the first half of 2012 Korea had the highest malware infection rate ever published in the Microsoft Security Intelligence Report, ten times the worldwide average infection rate.

Figure 1: CCM infection trends in Korea and worldwide

The Trojan Downloaders and Droppers category of threats is detected on a significantly higher share of computers in Korea than the worldwide average. In fact, one threat family in this category is responsible for much of Korea’s relatively high malware infection rate: Win32/Pluzoks. Win32/Pluzoks is a Trojan that silently downloads and installs other arbitrary files without user consent, and may contact a remote host to download updates of itself.

Figure 2 (left): Detections by threat category, 1Q11–2Q12, by percentage of all computers reporting detections; Figure 3 (right): The top 10 malware and potentially unwanted software families in Korea in 2Q12


I mentioned Pluzoks in the article we recently published on Operating System Infection Rates: The Most Common Malware Families on Each Platform. Pluzoks was the second most prevalent threat found on Windows XP SP3 in the second quarter of 2012; Pluzoks was found on far fewer Windows 7 and Windows Vista-based systems. In the second quarter of 2012, 93 percent of systems reporting Pluzoks detections were located in Korea, with the US in a distant second place for detections. Use of Windows XP remains relatively higher in Korea than in the rest of the world. As seen in Figure 3, 46.5% of systems that were found to be infected with malware in Korea had Pluzoks installed on them. This might help explain why Korea has the highest malware infection rate in the world by a large margin.

Figure 4: The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in the second quarter of 2012 (2Q12), and how they ranked in prevalence on different platforms, with Win32/Pluzoks highlighted

The other threat family that contributed to the relatively high malware infection rate in Korea was Win32/OneScan. OneScan was found on 17.6% of the systems in Korea that were found to be infected with malware in the second quarter of 2012. Win32/OneScan is a family of rogue antivirus scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that payment is needed to register the software and remove these non-existent threats. OneScan has been impacting Korea for many quarters. If you’d like to see how easy it is to be fooled by rogue security programs (also known as “scareware”) like OneScan, you can test yourself using the Microsoft Malware Protection Center’s Real vs. Rogue App.

Take note that seven of the top ten threats found in Korea in the second quarter of 2012 were adware. Without so many detections of the two severe threats I mentioned, Pluzoks and OneScan, Korea would likely have a much lower malware infection rate.

Given this, I recommend the following for Korea:

  • If you are still running systems with Windows XP SP3 in your environment, be aware that end of support for Windows XP SP3 is April 8, 2014. Migrate to Windows 7 or Windows 8 as soon as possible. By doing this, you will get the benefits of the advanced security mitigations built into newer versions of Windows and get support and security updates from Microsoft well into the future. It also appears that the top threat in Korea, Win32/Pluzoks, is much less successful on these newer platforms.
  • Given that rogue security software like OneScan continues to be prevalent in Korea, running up-to-date antimalware software from a trusted vendor is strongly recommended. It’s much harder for rogue security software to get installed on your system if you already have antimalware software from a trusted source installed and up to date. Take the MMPC’s Real vs. Rogue challenge so you can learn to spot the rogues.

Tim Rains
Director
Trustworthy Computing