I published a series of articles about the threat landscape in the Middle East back in 2012, where I focused on the threats found in several locations in the region. This region continues to be of high interest among the customers I talk to because of the above-average level of strife and turmoil, and the political transitions that have occurred in the region over the past few years. Additionally, high-profile cyber-attacks like Stuxnet and those on Saudi Aramco and RasGas have captured the attention of security professionals around the world.

Based on the latest data from the Microsoft Security Intelligence Report volume 15, we did some deeper analysis on even more locations in the region. Recently I delivered a presentation at RSA Conference 2014 in San Francisco based on this research. Thanks again to all the RSA attendees who came to my 8:00 AM session. The presentation at RSA Conference was well received, so I thought I’d share this research with a broader audience by publishing a series of articles based on it. This series of articles will focus on trends we have seen in the region in the two and a half years between the first quarter of 2011 and the second quarter of 2013 – a full ten quarters of data from millions of systems and some of the Internet’s busiest services. The countries/regions we examined include Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. Some of the locations in the region aren’t included in this analysis because we didn’t have enough data from them to be confident in the findings.

Figure 1: Bing maps of the area of the world that this research is focused on

The collection of countries/regions referred to by many people in the region as “the Gulf” includes some of the locations that surround the Persian Gulf and are members of the Gulf Cooperation Council: Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. I call attention to this group because their malware infection rate trends have mirrored each other and the worldwide average for many quarters, as seen in Figure 2. The malware infection rates (computers cleaned per mille, or CCM) for all of these locations have remained stable in a tight range, ending the second quarter of 2013 (2Q13) between 10 and 13. The average CCM for these locations was 11.9 in 2Q13, more than double the worldwide average of 5.8.

The malware infection rate in Qatar went from 5.6 in 4Q10 to 61.5 in 1Q11, 50.5 infected systems per 1,000 higher than the worldwide average at the time. This infection rate spike was due primarily to a couple of families of threats getting traction in the region, most notably Win32/Rimecud. More details are available in two articles I wrote: “The Curious Case of Qatar” and “The Threat Landscape in the Middle East – Part 1: Qatar”. Security professionals in Qatar did a great job of managing the situation and getting the infection rate back down to more typical levels, where it has remained for numerous quarters. Qatar now has the lowest infection rate in the Gulf, as seen in Figure 2.

Figure 2 (left): Malware infection rates in the Gulf between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13); Figure 3 (right): Malware infection rates for various locations in the Middle East and southwest Asia, from the first quarter of 2011 (1Q11) to the second quarter of 2013 (2Q13)

     

Locations in the region outside of the Gulf all had significantly higher malware infection rates, with the exception of Israel, where the CCM was less than one point above the worldwide average in 2Q13. The average CCM of the locations in Figure 3 was 22.6 in 2Q13, which is nearly four times the worldwide average of 5.8. There are some interesting things to note here. None of these locations had a CCM in 2Q13 within the 10 to 13 range that all of the Gulf locations ended in. Almost all of these locations’ CCMs trended up in the last three or four quarters while the worldwide average trended down. Israel’s CCM trended down from 15.2 in 1Q10 to 6.4 in 2Q13, a 58% reduction over a three-and-a-quarter-year period.

At this point you might be wondering why there are differences in regional malware infection rates, i.e., why do some locations have lower or higher infection rates compared to others and compared to the worldwide average? Do these countries/regions do something different from the others that explains the differences? The rest of this series of articles is dedicated to exploring this question. In Part 2 of this series I will examine whether people in the Middle East and Southwest Asia encounter malware more often than people in other parts of the world, and whether this factor explains the high infection rates in the region and the differences among infection rates of locations in the region.

Tim Rains
Director
Trustworthy Computing