The Threat Landscape in China: A Paradox

The threat landscape in China is one topic that always garners a lot of interest. Using trend data from the Microsoft Security Intelligence Report volume 13, and previous volumes, I will provide some insight into what the threat landscape in China looked like in the first half of 2012.

Threat landscape data for China is somewhat paradoxical.  China had the lowest malware infection rate (CCM) of any of the 105 locations included in volume 13 of the Security Intelligence Report.  The malware infection rate in China in the second quarter of 2012 (2Q12) was 0.6.  This means that 0.6 of every 1,000 computers scanned in China in 2Q12 was infected with malware, compared to the 2Q12 worldwide average CCM of 7.0. To add even more context, China’s malware infection rate in 2Q12 is lower than those of the locations that consistently have the lowest rates in the world like Finland (CCM of 1.1 in 2Q12) and Japan (CCM of 0.9 in 2Q12) as seen in Figure 2.  This is a stark contrast to a location with a high infection rate, like Korea with a CCM of 70.4 in 2Q12.

Figure 1 (left): CCM infection trends in China and worldwide, third quarter 2009 (3Q09) to second quarter 2012 (2Q12); Figure 2 (right): trends for the five locations with the lowest infection rates in the first half of 2012, by CCM, by quarter


This relatively low CCM in China likely doesn't reflect the complete picture of what's happening there. There are at least a couple of reasons I think this is the case. First, it's important to recognize that CCM measures the number of systems infected with "global" threats. These are threats that the Microsoft Malware Protection Center (MMPC) knows are prevalent in many locations around the world. These threats are detected and removed by the Microsoft Malicious Software Removal Tool (MSRT). A full list of threats that the MSRT detects is available here. This list changes over time as the MMPC adds new detections for malware to the MSRT, typically on a monthly basis. It's also important to note that the MSRT only detects threats categorized as malware, and not those categorized as potentially unwanted software like adware and spyware. China's relatively low CCM suggests that there could be fewer of these global threats in China than anywhere else in the world. Also, when looking at the data from all Microsoft desktop antimalware solutions, the number of systems reporting infections back from China is fairly small compared to the overall number of systems online there, as Figure 3 suggests.

Figure 3:  The locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 1H12

There are regional threats, not reflected in the CCM, that affect systems in China. This isn't the only factor contributing to the relatively low CCM in China, but you can see evidence of it in the list of categories and families of threats detected by all Microsoft desktop anti-malware products in China, as opposed to just MSRT data. As seen in Figure 4, Miscellaneous Potentially Unwanted Software, Adware, Password Stealers and Monitoring Tools, and Spyware are all found on systems in China, but are not reflected in the CCM for China. In particular, Miscellaneous Potentially Unwanted Software is significantly higher in China than the worldwide average – something that is not a factor in CCM. Additionally, other primary research conducted by Microsoft in China suggests that malware is being introduced onto systems that are distributed through insecure supply chains in the region. This could be especially serious in a region that has a relatively high piracy rate. For more information on this research, please see Counterfeit Software Preloaded with Malware and the Link to Botnets: Operation b70.

Figure 4 (left): Malware and potentially unwanted software categories in China in the second quarter of 2012 (2Q12), by percentage of computers reporting detections (totals exceed 100 percent because some computers are affected by more than one kind of threat); Figure 5 (right): the top 10 malware and potentially unwanted software families in China in 2Q12


Win32/BaiduSobar, a Web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page, is the top family found on systems in China.  The MSRT does not detect and remove this family because it focuses only on malware removal and will not remove Potentially Unwanted Software like BaiduSobar.  However, Microsoft desktop anti-malware products, like Microsoft Security Essentials for example, will alert the user and provide them with guidance when this family is detected on the system.  In the case of Potentially Unwanted Software the user has the option to remove, quarantine, or ignore those families that are detected.

One global threat, Win32/Conficker, made it onto the top ten list of threats found in China in 2Q12. There were a couple of other, more obscure malware threats that were found only on China's top ten list in 2Q12. Win32/Orsam and Win32/Bumat are both Trojans and were found on 4.0% and 3.3% of systems infected with malware in China, respectively. While these Trojans were detected on relatively small numbers of systems in many locations around the world in 2Q12, they were not on the top ten list of threats for any of the other 104 locations reported in volume 13 of the Microsoft Security Intelligence Report. Win32/Orsam was found on 2.8% (ranked tenth) of infected systems in Hungary in 4Q11, and on 3.9% of infected systems (ranked tenth) in Belarus in 2Q11. Detections of Win32/Bumat were more widespread, and it appeared on the top ten list of threats in many locations in past quarters, including Argentina, Bangladesh, Belarus, Brazil, Egypt, Germany, Israel, Moldova, the Netherlands, Russia, Saudi Arabia, and Ukraine.

Another reason I suggested that the threat landscape in China is paradoxical is that although the CCM for China is the lowest in the world, it has the second highest concentration of malware hosting sites of all the countries for which we have data.  SmartScreen Filter in Internet Explorer helps provide protection against sites that are known to host malware, in addition to phishing sites. SmartScreen Filter uses URL reputation data and Microsoft anti-malware technologies to determine whether those sites distribute unsafe content.  Figures 6 and 7 show the geographic distribution of malware hosting sites reported to Microsoft in the first half of 2012 (1H12).

Figure 6 (top): Malware distribution sites per 1,000 Internet hosts for locations around the world in the first quarter of 2012 (1Q12); Figure 7 (bottom): Malware distribution sites per 1,000 Internet hosts for locations around the world in second quarter in 2012 (2Q12)

China had the second highest concentration of malware hosting sites with 8.1 malware hosting sites per 1,000 Internet hosts in 2Q12. Only Belarus had a higher concentration, with 8.8 malware hosting sites per 1,000 Internet hosts in 2Q12.  As seen in Figure 7, the worldwide average in 2Q12 was 4.4 malware hosting sites per 1,000 Internet hosts.  Other locations with large concentrations of malware hosting sites during this period included Russia (7.7), the United States (5.6), and Romania (5.5). Locations with low concentrations of malware hosting sites included Thailand (1.2), Malaysia (1.3), and Mexico (1.5).

Sites that host malware were significantly more common than phishing sites in the first half of 2012 (1H12).  China had one of the lowest concentrations of phishing sites in the world in 1H12.

Figure 8 (top): Phishing sites per 1,000 Internet hosts for locations around the world in the first quarter of 2012 (1Q12); Figure 9 (bottom): Phishing sites per 1,000 Internet hosts for locations around the world in the second quarter of 2012 (2Q12)

There is little correlation between the number of Internet hosts in a country or region and the number of phishing sites detected there.  The United States, which has the largest number of hosts, also had a large number of phishing sites (2.9 per 1,000 Internet hosts in 2Q12).  China has the second largest number of hosts, but had just 0.7 phishing sites per 1,000 Internet hosts in 2Q12.  Locations with high concentrations of phishing sites include Romania (3.8 per 1,000 Internet hosts in 2Q12), Russia (3.4), and the United States (2.9).  Other locations with low concentrations of phishing sites include Taiwan (0.4) and Colombia (0.4).  One thing to note about phishing is that phishing impressions (users that visited a known phishing site) and active phishing pages rarely correlate strongly with each other.  So although the number of phishing sites hosted in China is relatively low, that doesn’t mean that Internet users in China are not being targeted by attackers using phishing.  More details on the difference between phishing impressions and phishing sites can be found in this article: Phishing Financial Institutions & Social Networks.

Figure 10: Malicious website statistics for China in the first (1Q12) and second (2Q12) quarters of 2012

There have been periods when the number of drive-by download sites hosted in China has been many times higher than the worldwide average. For example, the percentage of sites hosting drive-by downloads in China was 5.6% in 1Q11 and 3.9% in 2Q11, compared to worldwide averages of 0.223% and 0.273% respectively. But as seen in Figure 10, in the first half of 2012 the number of drive-by download sites per 1,000 URLs in China was lower than the worldwide average.

Looking at the growth in usage of Windows Update and Microsoft Update in China over the past few years is very interesting.  Figure 11 shows the growth in the number of computers connecting to Windows Update and Microsoft Update in China over the last four years, indexed to the total usage for both services in China in 2008.

  • In 2012, the number of computers connecting to Windows Update and Microsoft Update in China was up 190.2 percent from 2011, and up 83.1 percent from 2008. By comparison, worldwide use of the two services increased 18.3 percent between 2011 and 2012, and 59.7 percent from 2008 to 2012.
  • Of the computers using the two update services in China in 2012, 35.2 percent were configured to use Microsoft Update, compared to 58.5 percent worldwide.

Figure 11: Windows Update and Microsoft Update usage in China and worldwide

This growth in Windows Update and Microsoft Update usage in China is encouraging. As seen in Figure 11, usage of these services declined between 2008 and 2011. This likely means that during this period fewer and fewer systems in the region were getting security updates from Microsoft and running the MSRT. The other location that saw similar decreases in Windows Update and Microsoft Update usage during the same period is Korea, which in 2Q12 had the highest malware infection rate ever published in the Microsoft Security Intelligence Report. One theory to explain this decline in update service usage in China is the relatively high software piracy rate there, and the potential that malware embedded in such software will disable Automatic Updates, or lead people to disable it, on systems, thus reducing the number of systems using these services over time. This would also help explain why the number of systems reporting malware infections in China is fairly small compared to the overall number of systems online there. Whatever the underlying reasons for this decline, the increase we saw in Windows Update and Microsoft Update usage in 2012 is great news. I recommend that systems in China be configured to use Microsoft Update instead of Windows Update where possible. Microsoft Update provides all of the updates offered through Windows Update and also provides updates for other Microsoft software, such as the Microsoft Office system, Microsoft SQL Server, and Microsoft Exchange Server.

I also recommend that users in China use genuine software and avoid using software key generators that might give them access to software at discounted prices or for free.  This is a topic I have written about before.  These key generators were found on 12.6% of systems infected with malware in China in 2Q12 and ranked third on the top ten list of threats.  Attackers are using key generators to trick users into installing malware on their systems. 

I asked Trustworthy Computing’s Senior Security Strategist in China, Feng Xue, what steps technology users in China should take to protect themselves.  Feng told me that based on the data and some of the security related events that have happened in China over the past few years, there are a few things users should do to protect themselves including:

  • Turn on the Microsoft Update service so your systems receive security updates.  Security updates are offered to all systems whether they are genuine or not.
  • Do not use the same username and password at all the websites you have accounts on.  If one of the sites gets compromised, attackers will attempt to use your credentials at other popular sites including banks.
  • Upgrade from Windows XP to the newer and safer operating systems such as Windows 8 and Windows 7; end of support for Windows XP is April 8, 2014.  If you are currently running Windows XP, ensure that you have Service Pack 3 installed (available here).
  • Upgrade Internet Explorer 6 to Internet Explorer 8 if you are using Windows XP; upgrade to Internet Explorer 9 if you are running Windows 7.
  • Install an anti-virus product from a vendor you trust.
  • Use advanced tools such as EMET to protect software which has not leveraged mitigations built into Windows operating systems.  This makes it harder for attackers to successfully exploit vulnerabilities.
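The first recommendation in Feng's list, and the one I made earlier about preferring Microsoft Update over Windows Update, can be checked and applied from a script. The following is an added example, not code from the original post; it uses the Windows Update Agent COM objects and assumes an elevated PowerShell session on Windows 7 or later. The service ID is the well-known Microsoft Update registration ID.

```powershell
# Added example: verify a system is opted in to Microsoft Update (not just
# Windows Update) and that Automatic Updates has not been switched off.
# Assumes an elevated PowerShell session on Windows 7 or later.

# Well-known Windows Update Agent service ID for Microsoft Update.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$muService = $serviceManager.Services |
    Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

if (-not $muService) {
    Write-Output 'Microsoft Update is not registered on this system; opting in.'
    # Flags 7 = AllowPendingRegistration (1) + AllowOnlineRegistration (2)
    #           + RegisterServiceWithAU (4), so Automatic Updates uses it too.
    $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
}
elseif (-not $muService.IsDefaultAUService) {
    Write-Warning 'Microsoft Update is registered but Automatic Updates still defaults to Windows Update.'
}
else {
    Write-Output 'Microsoft Update is registered and is the default Automatic Updates source.'
}

# Malware bundled with pirated software may disable Automatic Updates; check it.
$autoUpdate = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
# NotificationLevel: 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = scheduled install.
if (-not $autoUpdate.ServiceEnabled -or $autoUpdate.Settings.NotificationLevel -le 1) {
    Write-Warning 'Automatic Updates is disabled; re-enabling with scheduled install.'
    $autoUpdate.EnableService()
    $autoUpdate.Settings.NotificationLevel = 4
    $autoUpdate.Settings.Save()
}

# A long gap since the last successful update search is itself a warning sign.
$lastSearch = $autoUpdate.Results.LastSearchSuccessDate
if ($lastSearch -and $lastSearch -lt (Get-Date).AddDays(-30)) {
    Write-Warning "Last successful update search was $lastSearch; the system is likely missing updates."
}
```

Run it as part of a build or support checklist; the warnings it prints are the conditions the post associates with systems that silently stop receiving security updates.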

In conclusion, I think the current picture we have of the threat landscape in China is a paradox.  We see very low malware infection rates, the highest concentration of malware hosting sites in the world, traditionally low Windows Update and Microsoft Update service usage, and high piracy rates.  Needless to say, there are more pieces to the complex puzzle that makes up the threat landscape in China.

Tim Rains
Director
Trustworthy Computing


About the Author
Tim Rains

Director, Trustworthy Computing

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft.