The Threat Landscape in Ukraine: Where Malicious Websites Thrive

Belarus, China, and Ukraine had the highest concentrations of malware hosting sites in the second quarter of 2012 (2Q12), based on data from the Microsoft Security Intelligence Report volume 13.  Belarus had the highest number of malware hosting servers in 2Q12, but Ukraine had the highest concentration of malware hosting servers in 1Q12, more than double the worldwide average.  I have already published details on the threat landscape in China and Belarus.  This article focuses on the threat landscape in Ukraine. 

Figure 1: Top 20 locations with highest number of malware hosting sites per 1,000 Internet hosts in 2Q12

Besides the relatively high concentration of malware hosting sites, Ukraine also has relatively high levels of phishing sites and drive-by download sites as seen in Figure 2.  The number of drive-by download sites per 1,000 hosts found in Ukraine in 2Q12 was nearly six times the worldwide average, nearly five times the concentration found in Belarus, and nine times that of China.  Only Malaysia (5.7) and Cyprus (6.98) had higher concentrations of drive-by download sites than Ukraine in 2Q12.

Figure 2: Malicious website statistics for Ukraine in the first quarter (1Q12) and second quarter (2Q12) of 2012

One surprise in a region with such high levels of malicious websites is that the malware infection rate isn’t above average.  The malware infection rate (CCM) of Ukraine has followed the worldwide average in three of the last four quarters for which we have data, as seen in Figure 3.  The Microsoft Malicious Software Removal tool (MSRT) detected malware on 7.0 of every 1,000 computers scanned in Ukraine in 2Q12, which was the worldwide average CCM.

Figure 3: Infection rate statistics for Ukraine

Figure 4 shows that the most common category of threat found in Ukraine in 2Q12 was Miscellaneous Potentially Unwanted Software. It affected 60.0 percent of all computers with detections there, down from 65.4 percent in 1Q12 – very similar to what we saw in Belarus during the same period.

Figure 4 (left): Malware and potentially unwanted software categories in Ukraine in 2Q12, by percentage of computers reporting detections, note: totals exceed 100 percent because some computers are affected by more than one kind of threat; Figure 5 (right): The top 10 malware and potentially unwanted software families in Ukraine in 2Q12


The most common families of threats found in Ukraine looks very similar to the list for Belarus.   Like Belarus, the most common threat family in Ukraine in 2Q12 was Win32/Pameseg, which affected 31.6 percent of computers with detections. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs.  Win32/Pameseg was found in many locations in Eastern Europe during 2Q12, including Belarus, Estonia, Georgia, Kazakhstan, Latvia, Lithuania, Moldova, Russia, and Ukraine.  Full details, including some screen shots of this threat are available in the Microsoft Malware Protection Center’s malware encyclopedia:

One notable difference between the list of threats found in the Ukraine and Belarus in 2Q12, is Java/Blacole is on the list for Ukraine, but not Belarus.  Java/Blacole is a detection for a component of the “Blackhole” exploit kit – a kit used by attackers to distribute malware. Typically, the Blackhole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader.  I have written about this exploit kit before:

Figure 6 shows the growth in the number of computers connecting to Windows Update and Microsoft Update in Ukraine over the last four years, indexed to the total usage for both services in Ukraine in 2008. In 2012, the number of computers connecting to Windows Update and Microsoft Update in Ukraine was up 35.5 percent from 2011, and up 430.1 percent from 2008. By comparison, worldwide use of the two services increased 18.3 percent between 2011 and 2012, and 59.7 percent from 2008 to 2012.  Of the computers using the two update services in Ukraine in 2012, 57.9 percent were configured to use Microsoft Update, compared to 58.5 percent worldwide.

Figure 6: Windows Update and Microsoft Update usage in Ukraine and worldwide

 As with all regions, there are likely socioeconomic factors contributing to the high levels of malicious websites and average malware infection rate in Ukraine.  Figure 7 provides a snap shot of some of the measures that have been correlated to malware infection rates as described in the Special Edition Security Intelligence Report called “Linking Cybersecurity Policy and Performance” that we released earlier this year.

Figure 7: Some of the socio-economic factors examined in the new study, with values for the Ukraine from the second quarter of 2011

Tim Rains
Trustworthy Computing 


About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »