This is the final part of a three-part series exploring whether regions that experience political instability also experience increased malware infection rates and face more severe threats than more stable locations. I examined Egypt in part 1 of this series, and Syria in part 2. In this article I look at the threat landscape in Iraq using data from a new Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance and past volumes of the Microsoft Security Intelligence Report.

This series of articles has been looking at demographic instability and regime stability, as both of these factors have been correlated with regional malware infection rates (Computers Cleaned per Mille or CCM).  Although these factors have a correlation with CCM (0.6 for demographic instability and -0.4 for regime stability), correlation does not mean causation and many other factors are correlated with CCM.

The Threat Landscape in Iraq
I have written about the threat landscape in Iraq before; it was one of the locations I focused on in a series of articles on the threat landscape in the Middle East: The Threat Landscape in the Middle East – Part 2: The Palestinian Authority and Iraq.

Iraq’s malware infection rate increased only slightly when we changed the method we use to locate systems reporting malware infections. For more details on this change please see this article: Determining the Geolocation of Systems Infected with Malware.  As seen in Figure 1, the CCM in the fourth quarter of 2010 (4Q10) was 10.0 systems infected with malware for every 1,000 that executed the Microsoft Malicious Software Removal Tool (MSRT) in Iraq.  After changing the way we determine the location of infected systems in 1Q11, the malware infection rate was 13.1.  It appears the effect of this change was more modest in Iraq than it was in Egypt or Syria; had we not made this change the CCM would have remained relatively flat in 1Q11 with a CCM of 9.6.  We believe the CCM is more accurate after this change than before it.  But I thought pointing out this difference would help illuminate how much of the CCM change was due to changes in methodology versus changes in the environment.  By 2Q12 Iraq’s CCM was 25.3 compared to the worldwide average CCM of 7.0.

Figure 1: Malware infection rates (CCM) for Iraq by quarter, third quarter of 2009 (3Q09) – second quarter 2012 (2Q12) with some political events that happened during this time as reported by BBC World News (http://www.bbc.co.uk/news/world-middle-east-14546763) and The Wall Street Journal (http://online.wsj.com/article/SB10001424127887324461604578191513459319542.html)

The number of worm-infected systems in Iraq was far above the worldwide average during this period. As seen in Figure 2, worms were found on 41.1 percent of all computers infected with malware in Iraq in 2Q12, up from 38.4 percent in the previous quarter and 35.3 percent in 1Q11. Between 2Q11 and 2Q12, worms found in the top ten list of threats in Iraq included Win32/Autorun, Win32/Ramnit, Win32/Vobfus, Win32/Brontok, and Win32/Dorkbot. Figure 3 shows the top ten list of threats found in Iraq in 2Q12 and Figure 4 shows how detections of some of these families trended over time.

Viruses were another category found at a much higher level than the worldwide average, as seen in Figure 2. Win32/Sality, a family of polymorphic file infectors, was found on between 19.8 percent and 24.0 percent of infected systems in Iraq between 2Q11 and 2Q12.

Interestingly, the percentage of infected systems where Miscellaneous Trojans were found decreased in Iraq between 2Q11 and 2Q12, but increased substantially worldwide during the same time period. Additionally, the percentage of Trojan Downloaders and Droppers in Iraq was lower than the worldwide average in the last half of 2011 and into the first half of 2012. This implies that systems in Iraq were infected directly rather than through a multi-stage process that might infect, then update the malware on those infected systems.
 
Figure 2 (left): Malware and potentially unwanted software categories in Iraq in the second quarter of 2012 (2Q12), by percentage of computers reporting detections, totals exceed 100 percent because some computers are affected by more than one kind of threat; Figure 3 (right): The top 10 malware and potentially unwanted software families in Iraq in 2Q12

   

Figure 4: Detection trends for prominent threat families in Iraq between the first quarter of 2011 (1Q11) and the second quarter of 2012 (2Q12)

Getting reliable data on malicious websites hosted in Iraq has been challenging. The data that is available suggests that the number of phishing sites, malware hosting sites, and drive-by download sites hosted in Iraq has been substantially higher than the worldwide average in periods between the first half of 2011 and the first half of 2012, possibly the highest in the world. More research is necessary, however, to understand what this part of the threat landscape in Iraq looks like.

Figure 5 shows the growth in the number of computers connecting to Windows Update and Microsoft Update in Iraq over the last four years, indexed to the total usage for both services in Iraq in 2008.  In 2012, the number of computers connecting to Windows Update and Microsoft Update in Iraq was up 39.9 percent from 2011, and up 719.4 percent from 2008. By comparison, worldwide use of the two services increased 18.3 percent between 2011 and 2012, and 59.7 percent from 2008 to 2012.  Of the computers using the two update services in Iraq in 2012, 44.9 percent were configured to use Microsoft Update, compared to 58.5 percent worldwide.  This data might seem to indicate that there was a rapid adoption of Windows Update and Microsoft Update in Iraq.  That may not be the case.  It more likely indicates a rapid influx of hardware into a region that only had relatively small numbers in the prior years.  More study is required to get a better understanding of this effect.

Summary and Conclusion
The malware infection rates in Egypt, Iraq, and Syria saw increases starting in the fourth quarter of 2011, as seen in Figure 6. The way we determine where systems reporting infections to Microsoft are located was changed at this time, and this change to a more accurate way to locate systems appears to be responsible for much of the infection rate increases between the fourth quarter of 2010 and the first quarter of 2011. These higher CCM figures more accurately reflect the infection rates in these locations. Since then, malware infection rates in these locations have seen a series of CCM increases while the worldwide average has decreased. All three of these locations have had malware infection rates well above the worldwide average since the beginning of 2011.

Figure 6: Malware infection rates (CCM) for Egypt, Iraq and Syria by quarter, third quarter of 2009 (3Q09) – second quarter 2012 (2Q12)

Many socio-economic factors are correlated with regional malware infection rates, and I have only mentioned two of them in this three-part series of articles: demographic instability and regime stability. Undoubtedly, other socio-economic factors are influencing the threat landscape in these locations. If you are interested in learning about the other thirty-two factors correlated with regional malware infection rates, please download the new Special Edition Security Intelligence Report: Linking Cybersecurity Policy and Performance published by Trustworthy Computing’s Global Security Strategy and Diplomacy team.

Tim Rains
Director
Trustworthy Computing