The Threat Landscape in Africa in the Second Half of 2011

It’s been almost a year since I wrote about the threat landscape in Africa based on data published in the Microsoft Security Intelligence Report volume 10 (SIRv10).  Using the latest data published in the Microsoft Security Intelligence Report volume 12 (SIRv12), we took a fresh look at how the threats in Africa have changed over the one year period between the second half of 2010 and the second half of 2011. 

Africa is one area where it has been challenging to get reliable, long-term trend data on the threat landscape for specific locations. As seen in the heat maps below, published in SIRv10 and SIRv12 respectively, there is insufficient data for many locations in Africa. Typically, this indicates there were fewer than 100,000 executions of the Microsoft Windows Malicious Software Removal Tool (MSRT) in these locations during the reporting period. Both SIRv10 and SIRv12 contain data on the threat landscape for the following locations in Africa: Algeria, Angola, Egypt, Kenya, Morocco, Nigeria, Senegal, South Africa, Tanzania, Tunisia, and Uganda.  Comparing Africa in the two heat maps helps visualize how the malware infection rates of locations in Africa have changed.  The malware infection rates of all these locations in Africa were above the worldwide average in the second half of 2011.

Figure 1 (top): Malware infection rates by country/region in the fourth quarter of 2010 (4Q10), by computers cleaned per mille (CCM); figure 2 (below): malware infection rates by country/region in the fourth quarter of 2011 (4Q11), by CCM

Malware infection rate changes in Egypt immediately caught my attention.  The malware infection rate in Egypt has been trending up over the past two years and is now among the top five locations with the highest malware infection rates worldwide.  By the fourth quarter of 2010 (4Q10) Egypt’s malware infection rate had already trended above the worldwide average.  When we started using IP addresses to determine the geolocation of malware infected systems in the first quarter of 2011 (1Q11), Egypt was one location where the infection rate increased significantly (I wrote about the details of this change in this article: Determining the Geolocation of Systems Infected with Malware).  By the fourth quarter of 2011, Egypt had the highest malware infection rate in Africa.

Figure 3 (left): Computers cleaned per mille (CCM) for Egypt and the worldwide average from the second half of 2009 (2H09) to the fourth quarter of 2011 (4Q11); Figure 4 (right): malware infection rates (CCM) for select location in Africa for the third (3Q11) and fourth (4Q11) quarters of 2011

The mixture of threats found in Egypt is interesting because of the relatively high levels of viruses found there.  Most notably one virus is found on over 35% of systems that are found to be infected with malware in Egypt; Win32/Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.  Some Win32/Sality variants can steal cached passwords and log keystrokes entered on the affected computer.  Computers infected with the latest versions of Win32/Sality, such as Virus:Win32/Sality.AT, and Virus:Win32/Sality.AU, connect to other infected computers by joining a peer-to-peer (P2P) network. From other computers in the P2P network, they receive URLs pointing to additional malware components.

Figure 5 (left): Threat categories for Egypt in the fourth quarter of 2011; Figure 6 (right): Notable threat families found in Egypt in the fourth quarter of 2011 (4Q11)

Another location in Africa that saw its malware infection rate increase between 3Q11 and 4Q11 was Algeria.  Like Egypt, Win32/Sality is also the top threat found in Algeria.   

Figure 7 (left): Threat categories for Algeria in the fourth quarter of 2011; Figure 8 (right): Notable threat families found in Algeria in the fourth quarter of 2011 (4Q11)

Both Egypt and Algeria are also being impacted by a relatively high proportion of worms.  Worms were the top threats found in Africa in the second half of 2010 when worms were found on between 40 percent and 56 percent of all infected systems in the locations we examined at the time.  Worms are still at elevated levels in 4Q11 in all the locations we have sufficient data on in Africa relative to the worldwide average; worms were found on between 28.5% and 46.6% of all infected systems in these locations in 4Q11.  Autorun worms are the top family of threats in the worm category in 10 of the 11 locations in Africa that we examined.  Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

Looking at the graph of notable threat families in Algeria, it looks like there might be a direct correlation between the Sality infections and the Autorun infections at this location.  This could be because members of the Sality family make use of Autorun as one of its infection vectors.  The Microsoft Malware Protection Center’s malware encyclopedia entry for Sality.AT has more details on this; see the call to action section at the end of this article for recommendations that can help to defend against this type of threat.   

Other notable findings for locations in Africa:

  • Phishing sites (per 1000 hosts) were much higher than the worldwide average in Algeria and Tunisia in 2011

Figure 9: Phishing sites per 1,000 hosts in Algeria and Tunisia by quarter in 2011, source SIRv12

  • Tunisia, Algeria, and Senegal, all had much higher malware hosting sites (per 1000 hosts) than the worldwide average at times during 2011

Figure 10: Malware Hosting sites per 1,000 hosts in select countries by quarter in 2011, source SIRv12

I asked Dr. Khomotso Kganyago, Microsoft’s Chief Security Advisor in South Africa about the situation in Africa and he told me:

The Global Competitiveness Report 2011-2012 shows that South Africa moved up by four places to attain 50th position this year, remaining the highest-ranked country in sub-Saharan Africa and the second-placed among the BRICS economies. Particularly impressive is the country’s financial market development (4th), indicating high confidence in South Africa’s financial markets. The Internet economy contributes up to 2% of South Africa’s Gross Domestic Product (World Wide Worx). This clearly makes the financial markets attractive to investments and a focus for cybercriminals whose access are being enhanced by the improvement in broadband connectivity by the undersea cables

Win32/Rimecud which can be used to steal passwords and sensitive data from protected storage saved by the Web Browser is prevalent in South Africa with 11% of infected computers affected. It is a family of worms with multiple components that spreads via removable drives, and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.

When one looks into the Southern African Development Community (SADC) and the East African Community (EAC) – we noted an improvement (decrease) in the malware infection rate in South Africa from 4Q10 to 4Q11 while Kenya showed almost no change. There is little change in the level of phishing websites, and a general decrease in malware hosting sites and percentage of sites hosting drive-by downloads in South Africa while Win32/Autorun still tops the list of threat families in South Africa and Kenya with 18.4% and 19.9% of infected computers affected respectively. This is probably due to the scaled up efforts to combat cybercrimes through a multi-stakeholder approach involving the government, industry and civil society organizations by the two regions. The National Cyber Security Policy Framework was approved in South Africa by Cabinet in February 2012 and this will accelerate coordination of cyber incidents and awareness amongst citizens.

Figure 11 (left): Threat categories for South Africa in the fourth quarter of 2011; Figure 12 (right): Threat categories for Kenya in the fourth quarter of 2011 (4Q11)

The figures above show the malware and potentially unwanted software categories in South Africa (left) and Kenya (right) in the fourth quarter of 2011 (4Q11). Infected computers detected with Worms in South Africa and Kenya are at 42.8% and 36.1% respectively, compared to worldwide figure of 11.3%. Worms are found to be the most common threat category in both countries, with South Africa down from 43.7% and Kenya up from 35.6% in 3Q11. Miscellaneous Potentially Unwanted Software is the second most common category in South Africa which affected 30.1% of all infected computers, down from 31.2% in 3Q11. There is an improvement in terms of computers cleaned per 1000 scanned (CCM) both in South Africa and worldwide. The second most common category in Kenya in 4Q11 was Miscellaneous Trojans, which affected 29.6% of all infected computers, up from 28.8% in 3Q11. The third most common category is Miscellaneous Trojans, which affected 20.7% of all infected computers in South Africa, down from 20.8% in 3Q11 while the third most common category in Kenya in 4Q11 was Miscellaneous Potentially Unwanted Software, which affected 29.6% of all infected computers, up from 28.6% in 3Q11.

Call to Action

The call to action for the locations in Africa that we focused on includes the following.

Defending Against Sality

  • The Microsoft Malware Protection Center’s malware encyclopedia entry for Win32/Sality includes comprehensive prevention and recovery guidance.

Defending Against Autorun Attacks

  • Users running Windows XP need to have Service Pack 3 installed so they will receive security updates from Microsoft. To check what service pack you have installed, click Start, right-click My Computer, and then click Properties. You can get more information and download Windows XP Service Pack 3 from here.
  • Users running Windows XP and Windows Vista should install the security updates that help mitigate Autorun-feature abuse. Getting this update deployed in these regions will potentially have a big positive impact on the number of systems infected by Win32/Autorun in Africa, as it has in other parts of the world. 
  • Use strong passwords
  • Enable a firewall on your computer
  • Run antimalware software from a trusted vendor and keep it up-to-date
  • I wrote a full article on Autorun attacks with more detail and guidance: Defending Against Autorun Attacks

Tim Rains
Director, Trustworthy Computing


About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »