The Threat Landscape in Pakistan: One of the Most Active in the World

One location I haven’t written about in the past is Pakistan.  This is one region where the malware infection rate increased substantially when we changed the method we use to locate systems reporting malware infections (as seen in Figure 1). Prior to 2011, the Microsoft Malware Protection Center used the administrator-specified setting under the Location tab or menu in Region and Language in the Windows Control Panel to determine the location of a system reporting an infection.  Starting in volume 11 of the Microsoft Security Intelligence Report, location was primarily determined by geolocation of the IP address used by the computer submitting the telemetry data. If you are interested in the details, you can read all about this change in an article we published previously: Determining the Geolocation of Systems Infected with Malware.

The malware infection rate of Pakistan increased from 1.8 computers cleaned for every 1,000 scanned (CCM) by the Microsoft Malicious Software Removal Tool (MSRT) in the fourth quarter of 2010 (4Q10), a level well below the worldwide average, to 27.7 in the first quarter of 2011 (1Q11). That’s a fifteen-fold increase.  Over the ensuing five quarters Pakistan’s malware infection rate increased to 35.3 in the second quarter of 2012 (2Q12), five times the worldwide average; this is the second highest infection rate (below Korea’s) of the 100+ countries included in the Microsoft Security Intelligence Report volume 13.

Figure 1: CCM infection trends in Pakistan and worldwide

The categories of threats found in Pakistan that are well above the worldwide average include worms and viruses.  Some other locations in the region that have had relatively high levels of these same categories of threats in the past include India, Vietnam, Qatar, the Palestinian Authority (West Bank and Gaza Strip), Iraq, as well as Israel and Saudi Arabia.

Figure 2 (left): Malware and potentially unwanted software categories in Pakistan in 2Q12, by percentage of computers reporting detections (totals exceed 100 percent because some computers are affected by more than one kind of threat); Figure 3 (right): The top 10 malware and potentially unwanted software families in Pakistan in 2Q12

   

Five of the top ten threats found in Pakistan in the second quarter of 2012 were worms.  This helps explain why nearly 50% of systems that were found to be infected with malware in Pakistan, had worms on them.  Win32/Autorun affected 29.0 percent of computers with detections in Pakistan. Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.  These worms are in the top ten list of threats in many locations around the world.  I have written about these worms before: Defending Against Autorun Attacks. 

Another worm, Win32/Conficker is 9th on the top ten list of threats in Pakistan in the second quarter of 2012.  This is cause for concern because the primary way Conficker spreads is by using well documented, very simple passwords – something I have also written about in the past

One worm I haven’t seen show up in the top ten list of threats for many other locations is Win32/Chir.  Although it was detected in many locations in the second quarter of 2012, significant numbers of detections are limited to a few places including Pakistan, Brazil, the United States, Turkey and Spain.  But even in these cases, Win32/Chir did not appear in the top ten list of threats for these locations.  The only other location where Win32/Chir appeared in the top ten was Angola.  It was found on 13.2% of systems in Pakistan that were infected with malware in the second quarter of 2012. Another interesting fact about this threat is that Win32/Chir is both a worm and a virus. The worm component spreads via e-mail by mass-mailing a copy of itself as an e-mail attachment to e-mail addresses that it finds on local and remote drives. The worm runs when a user opens the e-mail attachment. Win32/Chir also exploits the Incorrect Mime Header vulnerability discussed in Microsoft Security Bulletin (MS01-020). This may cause the e-mail attachment to open automatically when the email is read or previewed on susceptible systems that have not had the MS01-020 security update installed.  Note that MS01-020 was originally released in March of 2001, making this security update and the vulnerability it addresses almost twelve years old.
 
Two viruses appear in the top ten list of threats found in Pakistan in the second quarter of 2012.  The most common threat family in Pakistan in 2Q12 was Win32/Sality, which affected 30.1 percent of computers with detections in Pakistan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The other virus appearing in Pakistan’s top ten list in 2Q12 was Win32/Virut, which affected 15.1 percent of computers with detections in Pakistan. Win32/Virut is a family of file-infecting viruses that target and infect .exe and .scr files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server.

Win32/Keygen also appears in the top ten list of threats in Pakistan.  This is another threat I have written about before.

In some regions of the world that have high malware infection rates it is also common for the number of phishing sites, malware hosting sites, or drive-by download sites hosted in the region, to be elevated.  This does not appear to be the case in Pakistan in the second quarter of 2012, though drive-by downloads per 1,000 URLs in the first quarter of 2012 were higher than the worldwide average.    

Figure 4: Malicious website statistics for Pakistan in the first (1Q12) and second (2Q12) quarters of 2012

Another potential good piece of news is that the growth of Windows Update and Microsoft Update usage in Pakistan appears to be trending in the right direction.  Figure 5 shows the growth in the number of computers connecting to Windows Update and Microsoft Update in Pakistan over the last four years, indexed to the total usage for both services in Pakistan in 2008.

  • In 2012, the number of computers connecting to Windows Update and Microsoft Update in Pakistan was up 28.5 percent from 2011, and up 209.7 percent from 2008. By comparison, worldwide use of the two services increased 18.3 percent between 2011 and 2012, and 59.7 percent from 2008 to 2012.
  • Of the computers using the two update services in Pakistan in 2012, 47.0 percent were configured to use Microsoft Update, compared to 58.5 percent worldwide.

Figure 5: Windows Update and Microsoft Update usage in Pakistan and worldwide

My call to action for Pakistan is:

  • Given the prevalence of worms in the region, there are several things people and organizations can do to protect themselves including:
    • Make sure you receive the latest security updates from Microsoft by installing Service Pack 3 on systems running Windows XP.  To check what service pack you have installed, click Start, right-click My Computer, and then click Properties. Windows XP users can get more information and download Windows XP Service Pack 3 for free from here
    • Mitigate worms that attempt Autorun feature abuse by installing this free security update on systems running Windows XP and Windows Vista.
    • Use strong passwords.  Make sure you’re not using any trivial passwords that threats can just guess to penetrate systems. Instead, use strong passwords to help defend systems against Win32/Autorun, Win32/Conficker and other worms found in the region. 
    • Don’t open email attachments unless you have to.     
  • Install antimalware software from a trusted source and keep it up to date. Many reputable antivirus companies offer free scans such as this one, and Microsoft offers Microsoft Security Essentials for free.
  • Avoid downloading and using software activation key generators (keygen) as attackers are using these to fool users into installing malware on their systems.
  • Use Microsoft update instead of Windows Update.  Microsoft Update provides all of the updates offered through Windows Update and provides updates for other Microsoft software, such as the Microsoft Office system, Microsoft SQL Server, and Microsoft Exchange Server. Users can opt in to the service when installing software that is serviced through Microsoft Update or at the Microsoft Update Web site (update.microsoft.com/microsoftupdate).  

Tim Rains
Director
Trustworthy Computing

 

 

 

About the Author
Tim Rains

Director, Cybersecurity & Cloud Strategy

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »