Finale – Lessons from Some of the Least Malware Infected Countries in the World – Part 6

In this final post in the series on select locations with consistently low malware infection rates, I share some key findings on how these regions maintain low infection rates.

My previous five blog posts in this series focused on the threat landscape and insights from security professionals in Austria, Finland, Germany, and Japan. All these regions have enjoyed relatively low malware infection rates over the past several years.

Figure: Infection rates (CCM) for Austria, Finland, Germany and Japan, compared to the worldwide average, by quarter for 2009 and 2010

The graph below shows how the malware infection rates for Austria, Finland, Germany, and Japan compare with those of the locations with the highest malware infection rates in the fourth quarter of 2010, as published in the Microsoft Security Intelligence Report volume 10 (SIRv10). You can see from the graph that Brazil, Korea, Spain, Taiwan, and Turkey have consistently had high infection rates, with CCMs in the 20 to 43 range. You can also see that Korea had the highest CCM (40.3) in the fourth quarter of 2010, something I have previously written about.

Figure: CCM trend for selected locations over 6 quarters, compared to the worldwide average

Some insights from looking at the data:

The “usual suspects” are among the top threats in these regions. Many of the same global threats that are prevalent across the world are also prevalent in these locations.

- Adware is among the most prevalent categories of threats found in these regions, observed as the top or second-highest category in each region. This is due to the prevalence of JS/Pornpop (detected on 6,520,426 unique systems globally in the second half of 2010) and Win32/ClickPotato in these regions.

- Win32/Renos was primarily responsible for the levels of trojan downloaders and droppers found in these countries. Win32/Renos has been a prevalent family of trojan downloaders and droppers for a number of years, and was detected on 8,348,269 unique systems around the world in 2010.

- Win32/Autorun (detected on 9,022,858 unique systems globally in 2010) and Win32/Conficker (detected on 6,558,117 unique systems globally in 2010) appear in the top-ten threat lists of all of these countries except Finland. We should start to see rapid reductions in detections of these specific threats in 2011, a topic I have previously written about.

Figure: Quarterly trends for the top 10 malware and potentially unwanted software families detected by Microsoft security products in the second half of 2010

The relatively low malware infection rates that these regions enjoy don’t necessarily mean that criminals aren’t doing business there; in other words, although the malware infection rates for these countries are relatively low, the same isn’t necessarily true for other indicators of criminal activity. For example:

- More malware hosting sites (per 1,000 hosts) were observed in Germany than in the United States in 2010. We saw 1.98 in Germany and 1.27 in the United States in the first half of the year, and 2.1 times more in Germany (4.98) than in the United States (2.38) in the second half of the year.

- The percentage of sites hosting drive-by downloads in Finland was almost twice that of the United States in the first half of 2010.

- In Q4 of 2010, the percentage of sites hosting drive-by downloads in Germany was observed to be 3.7 times higher than that observed in the United States.

- The percentage of sites hosting drive-by downloads in Japan was 12% higher than that of the United States during the first half of 2010. Although this percentage went down precipitously in both locations by the fourth quarter of 2010, the percentage of sites hosting drive-by downloads in Japan was still 4.7 times higher than that of the United States in Q4.

Aggregating what the security experts in these regions told us, the following factors contributed to consistently low malware infection rates in their regions:

1. Strong public-private partnerships exist that enable proactive and response capabilities

2. CERTs, ISPs and others actively monitor for threats in the region, enabling rapid response to emerging threats

3. An IT culture in which system administrators respond rapidly to reports of system infections or abuse is helpful

4. Enforcement policies and active remediation of threats, via quarantining infected systems on networks in the region, are effective

5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends

6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low

As I look at this list, it strikes me how similar it is to the Collective Defense concept outlined in a paper that Scott Charney, Corporate Vice President of Trustworthy Computing, published in 2010. The paper, called “Collective Defense: Applying Public Health Models to the Internet”, outlines a model for improving the health of devices connected to the Internet. Under this model, governments, the IT industry, and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the Internet. The approach offered in the paper is to address online security issues using a model similar to the one society uses to address human illness. The public health model encompasses several interesting concepts that can be applied to Internet security.

It seems as though the consistently least infected regions in the world, which I examined in this blog series, are already doing many of the things the Collective Defense health model proposes. The link to the Collective Defense paper is provided above, but if you prefer to watch a video instead of reading the paper, I produced a “short film” that will walk you through the model.

I hope you have enjoyed this blog series called “Lessons from Some of the Least Malware Infected Countries in the World”. I’ve looked closely at the data from these regions and talked to some security experts in each region as well, but I’d love to hear what theories you might have on why these regions are successful at keeping malware infection rates relatively low – comments are welcome.

Tim Rains
Director, Product Management
Trustworthy Computing
