One question I have been asked on occasion is whether regions that experience political instability also experience increased malware infection rates and face more severe cyber-threats compared to more stable locations.  Recently, we published a new Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance.  This new report examines the correlation between thirty-four different socio-economic factors and regional malware infection rates across 105 countries.  I used this new report to try to get some insight into whether political instability is linked to higher malware infection rates.  To do this I took a closer look at a couple of the socio-economic factors from the report, demographic instability and regime stability. 

In the report, demographic instability is defined as pressures on the population such as disease and natural disasters that make it difficult for the government to protect its citizens or demonstrate lack of capacity or will.  The report indicates that the correlation between this factor and malware infection rates as measured by computers cleaned per mille (CCM) is 0.6 for 2011.  A positive correlation here means that as demographic instability increases we’d expect the malware infection rate to also increase.

Regime Stability is defined in the report as the number of years since the most recent regime change.  The report indicates that the correlation between this factor and malware infection rates as measured by computers cleaned per mille (CCM) is -0.4 for 2011.  In general, most of the socio-economic factors identified in the study rise with favorable results, thus were negatively correlated with CCM.  In this case, it means as regime stability increases, the malware infection rate (CCM) is expected to decrease.

Before I look at some real-world case studies, it is important to emphasize that these relationships demonstrate correlative, not causal, relationships; i.e. just because there is a correlation between demographic instability and malware infection rates, and regime stability and malware infection rates, doesn’t mean that demographic instability or regime stability cause the number of malware infections in a region to increase or decrease.  As I wrote in my last article on this study, the number of factors that could be contributing to a location’s malware infection rate is likely much larger than one or two factors, and those factors could include a myriad of socio-economic issues.

I thought I’d examine the threat landscape in three locations where demographic instability and regime stability have likely been more dynamic or variable in the last few years: Egypt, Iraq, and Syria.  In this article I will discuss Egypt.  Syria and Iraq will follow in parts two and three of this series.  Of course, there are other locations, such as Afghanistan for example, that might also fall into this category.  We don’t have sufficient or consistent CCM data in many of these other cases.  I selected three places to examine for which we had sufficient data on the threat landscape.

Figure 1 (left): Malware infection rates by country/region in the fourth quarter of 2011 (4Q11), by CCM as published in the Microsoft Security Intelligence Report Volume 12

The Threat Landscape in Egypt
I have written about the threat landscape in Egypt before in an article called “The Threat Landscape in Africa in the Second Half of 2011.”  As seen in Figure 2, Egypt is one location where the malware infection rate increased substantially when we changed the method we use to locate systems reporting malware infections. Prior to 2011, the Microsoft Malware Protection Center used the administrator-specified setting under the Location tab or menu in Region and Language in the Windows Control Panel to determine the location of a system reporting an infection.  Starting in volume 11 of the Microsoft Security Intelligence Report, location was primarily determined by geolocation of the IP address used by the computer submitting the telemetry data. If you are interested in the details, you can read all about this change in an article we published previously: Determining the Geolocation of Systems Infected with Malware.

The malware infection rate in Egypt has trended up over a period of years and ultimately became one of the top five locations with the highest malware infection rates worldwide. As seen in Figure 2, there was a rise in the malware infection rate in Egypt starting in 4Q10.  During this time the CCM in Egypt increased from 11.4 to 20.9 before trending downward for a period of time.  One thing to note is that the steep increase in CCM between 4Q10 and 1Q11 looks like it was primarily influenced by how we locate systems reporting malware infections.  We believe the CCM is more accurate after this change than before it.  But even if we did not make this change, the CCM in Egypt would have increased from 11.4 in 4Q10 to 13.1 in 1Q11; i.e. the increase in CCM was not soley attributable to the change in the way we locate systems infected with malware, as the malware infection rate in Egypt was continuing a multi-quarter trend of increases during this time regardless of which method we use to measure CCM.

Figure 2: Malware infection rates (CCM) for Egypt by quarter, third quarter of 2009 (3Q09) – second quarter 2012 (2Q12) with some political events that happened during this time as reported by The Wall Street Journal (

In 1Q11, viruses and worms were at levels in Egypt well above the worldwide average. The top threat in Egypt, Win32/Sality, is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe, and was a leading contributor to this upward trend.  Sality may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. There were also a plethora of worms in Egypt including Win32/Autorun, Win32/Rimecud, Win32/Conficker, and Win32/Nuqel.  A year later, in 2Q12, Sality, Autorun, and Nugel were still on the top ten list of threats in Egypt as seen in Figure 4.  But the CCM had increased from 17.5 in 3Q11 to a high of 24.7 in 1Q12 as seen in Figure 2.  Figure 5 illustrates how detections of some of these prominent families of threats trended in Egypt during this period.

Figure 3 (left): Malware and potentially unwanted software categories in Egypt in the second quarter of 2012 (2Q12), by percentage of computers reporting detections, totals exceed 100 percent because some computers are affected by more than one kind of threat; Figure 4 (right): The top 10 malware and potentially unwanted software families in Egypt in 2Q12


Figure 5: Detection trends for prominent threat families in Egypt between the first quarter of 2011 (1Q11) and the second quarter of 2012 (2Q12)

When the malware infection rate in Egypt increased in 1Q11, so did the level of malicious websites hosted in Egypt as seen in Figure 6.  Specifically, the percentage of drive-by download sites hosted in Egypt in 4Q10 was only slightly above the worldwide average.  But that number had increased to nearly 17 times the worldwide average in 1Q11 and 11 times the average in 2Q11.  A year later, in 1Q12 and 2Q12, the level of drive-by download sites hosted in Egypt was a fraction of the worldwide average.  One theory on why drive-by download sites hosted in Egypt decreased so dramatically is that connectivity to these servers was too intermittent to be useful to attackers.

Figure 6 (left): Malicious website statistics for Egypt as published in the Microsoft Security Intelligence Report volume 11; Figure 7 (right): Windows Update and Microsoft Update usage in Egypt and worldwide


As seen in Figure 7, Windows Update and Microsoft Update service usage continued to increase in Egypt at a rate outpacing the worldwide average.

Regime stability and demographic instability are only two of the thirty-four socio-economic factors that have been correlated to regional malware infection rates.  Figure 8 provides a look at several other factors that Trustworthy Computing’s Global Security Strategy and Diplomacy team examined in the new Special Edition Security Intelligence Report: Linking Cybersecurity Policy and Performance.  

Figure 8: Some of the socio-economic factors examined in the new study, with values for Egypt from the second quarter of 2011

In the next article in this series, I will look at the threat landscape in Syria.

Tim Rains
Trustworthy Computing



The following articles were used to pinpoint political events labeled in Figure 2: