The Threat Landscape in India – More Active Than First Thought

The threat landscape in India has turned out to be more active than initially suspected. India has had a relatively low malware infection rate for some time, which seemed subdued for a region that has such a large high-tech industry. But with the new data we recently released in the latest Microsoft Security Intelligence Report (volume 11), the plot thickens.

For example, the Microsoft Windows Malicious Software Removal Tool (MSRT) cleaned malware on 2.9 computers for every 1,000 it executed on, in the first half of 2011. This is well below the worldwide average of 10.97 in the first quarter and 9.77 in the second quarter of 2011. Recently I published an article called "Determining the Geolocation of Systems Infected with Malware" that describes how we changed the way we determine the location of systems that report malware infections. Using this new method to determine the malware infection rate in India, we see 15.2 and 15.9 systems infected with malware in the first and second quarters of 2011 respectively. This tells us at least two things. First, many people who do not live in India still set the locale setting of their Windows systems to India. Second, the malware infection rate in India is much higher than initially suspected.

Figure: Infection rate trend for India, measured in Computers Cleaned per Mille (CCM), over the four quarters from the third quarter of 2010 to the second quarter of 2011, compared to the worldwide rate


Figure: Malware and potentially unwanted software categories in India in the 2nd quarter of 2011, by percentage of computers affected


As seen in the graph above, the most common category of threat found in India during the second quarter of 2011 was Worms, which affected 38.3% of all computers cleaned in India, down from 40.6% in the first quarter. Five of the top ten families of threats found in India were Worms. The second most common category of threat in India during Q2 was Miscellaneous Trojans, which affected 33.6% of all computers cleaned in India, up from 33.3% in the first quarter. The third most common category in India in Q2 was Miscellaneous Potentially Unwanted Software, which affected 30.7% of all computers cleaned, down from 32.3% in Q1.

Figure: The top 10 malware and potentially unwanted software families in India in the 2nd quarter of 2011


The thing that really caught my attention was that India has the highest percentage of spambot IP addresses in the world. 11% of all spambot IP addresses were located in India in the second quarter of 2011. To give you some context, Germany had 0.786%, France had 0.982%, the United Kingdom had 1.805%, and the United States had 4.97% of all spambot IP addresses during the same period. India had more spambot IP addresses than all of these locations added together.

I asked Microsoft’s Chief Security Officer in India, Sanjay Bahl, what computer users in India should do to protect themselves. Sanjay had the following to say:

Computer Emergency Response Team India tracked 1.6 million Bot Infected Systems in the financial year 2010 – 2011 and is aware of and concerned about the spam issue. The challenge is to create mass cyber security awareness among users. A pilot initiative on a public health model has been tried to fight the bot menace, with some encouraging results. In India almost 73% of the users are still on Windows XP and hence it is imperative that:

  • Users should invest and move to newer versions to keep themselves protected. Using older generation software and trying to thwart current age threats will not help.
  • Users still wanting to run Windows XP need to have Service Pack 3 installed immediately, if not done so already, so that they can receive security updates from Microsoft. They can check what service pack they have installed by clicking Start, right-clicking My Computer, and then clicking Properties. They can get more information and download Windows XP Service Pack 3 from here.
  • All users should regularly and in a timely manner apply security updates to protect themselves. Users running Windows XP and Windows Vista should install the security updates, including the updates that help them mitigate Autorun-feature abuse. Getting this singular update on their machines would potentially have a big positive impact on the number of systems infected by Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun, thereby bringing down the MSRT cleaned malware figures for India.
  • In addition, users should use strong passwords to help defend their systems against Win32/Rimecud (a.k.a. Mariposa botnet) and Win32/Autorun.

Tim Rains
Director, Product Management
Trustworthy Computing
