Examining Korea’s Rollercoaster Threat Landscape

The last time I wrote about the threat landscape in the Republic of Korea, its malware infection rate had increased six-fold in the first six months of 2012. Korea has had one of the most active threat landscapes in the world for many years. According to the latest data published in the Microsoft Security Intelligence Report Volume 14, the last half of 2012 was no different. Figure 1 provides the raw number of systems that were disinfected in Korea and other relatively active locations in each of the four quarters of 2012. 

Figure 1: Trends for the top five locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 2H12

As Figure 2 illustrates, the number of systems disinfected of malware in Korea for every 1,000 systems scanned by the Microsoft Windows Malicious Software Removal Tool (MSRT) went down from 70.4 in the second quarter of 2012 (2Q12) to 27.5 in the third quarter (3Q12), then up to 93.0 in the fourth quarter (4Q12). During this time, Korea’s malware infection rate has trended between 5 and 15.5 times higher than the worldwide average. Korea had the highest malware infection rate in the world in 4Q12 with a Computers Cleaned Per Mille (CCM) measure of 93.0; this is the highest malware infection rate ever published in the Microsoft Security Intelligence Report.

As seen in Figure 3, Korea’s malware infection rate is significantly higher than any other location in Asia. For example, while Korea’s malware infection rate has been one of the highest in the world for some time, Japan’s infection rate has been one of the lowest – I have written about this interesting contrast before. I included Pakistan in Figure 3 as it had the highest malware infection rate in the world in 3Q12 at 30.6, when Korea’s infection rate dropped to 27.5. Pakistan ranked second place in 4Q12 with a CCM of 26.8 when Korea’s infection rate increased to 93.0. In 4Q12 Korea’s infection rate was 3.5 times higher than Pakistan’s.  

Figure 2 (left): CCM infection trends in Korea and worldwide from third quarter of 2011 (3Q11) to the fourth quarter of 2012 (4Q12); Figure 3 (right): CCM infection trends in Korea and select locations in Asia, including Pakistan from third quarter of 2011 (3Q11) to the fourth quarter of 2012 (4Q12)


The good news for Korea is that there really are just two families of malware that are responsible for this very high malware infection rate.  As seen in Figure 4, Miscellaneous Trojans are found on over 70 percent of systems in Korea that are infected with malware.

Figure 4 (left): Malware and potentially unwanted software categories in Korea in 4Q12, by percentage of computers reporting detections; Figure 5 (right): The top 10 malware and potentially unwanted software families in Korea in 4Q12


As seen in Figure 5, one Miscellaneous Trojan family called Win32/Onescan is the malware primary responsible for the consistently high malware infection rate in Korea. It was found on 70.6% of systems that were infected with malware in Korea in 4Q12. Some other names that various anti-virus vendors call this same threat include Siren114, EnPrivacy, PC Trouble, and My Vaccine, among others. Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue security software then informs the user that payment is needed to register the software and remove these non-existent threats. This threat is distributed via Korean websites – an example of such a website can be seen in Figure 6. The good news for users of Internet Explorer 8 and newer versions is that the download is blocked by the SmartScreen Filter that is enabled by default. Win32/OneScan is branded and distributed using over 125 different names including the following examples, to avoid detection: alphavaccine, anycop, bestvaccine, bizvaccine, Bootcare, checkvaccine, cleanvaccine, coolspeed, defencevacci, directvaccine, diskvaccine , doublevaccine, DoubleVaccine, easyboan, easyvaccine, EnPrivacy, everyclean, everyguard, EveryGuard, fastcure, InfoDoctor, internetspeed, mastervaccine, MyKeeper, mypcclean, One Scan, onescan, PCTrouble, proguard, realsecurity, SmartVaccine, speedsolution, UtilKorea, windowcure, windowguard, windowvaccine , WindowVaccine, among others.

Figure 6 (left): Download sites for Win32/OneScan may appear similar to this example; Figure 7 (right): Branding known to be used by Win32/OneScan


The other threat family that has been contributing to Korea’s extreme malware infection rate is Win32/Pluzoks. Win32/Pluzoks is a Trojan Downloader/Dropper. I consider this category of threats to be among the most severe because once a system has been compromised, these threats typically give attackers control of the system, which can enable them to enlist the compromised system into botnets.  Win32/Pluzoks is a Trojan that silently downloads and installs other arbitrary files without user consent and is typically installed by other malware. Win32/Pluzoks may contact a remote host to download updates of the Trojan. As seen in Figure 5 Win32/Pluzoks was found on 6.4% of systems that were infected with malware in Korea in 4Q12.

Typically I find that locations that have high malware infection rates also have elevated levels of malicious websites. Attackers often use compromised systems to host malicious websites. From the data in Figure 8, it appears that in 4Q12, malware hosting sites in Korea were well above the worldwide average and the highest among most locations in Asia, including Pakistan. But the level of malware hosting sites in Korea was not the highest in the world in 4Q12; locations like Brazil (31.97), Ukraine (26.78), Vietnam (25.11), and others had significantly higher levels compared to Korea. 

Figure 8: Malicious websites statistics for select locations in the fourth quarter of 2012


Call to Action for Korea:

  • Interestingly, the percentage of systems in Korea that were not protected by up-to-date real-time anti-malware software in 4Q12 was 21%.  This is better than the worldwide average of 24%. Given this, one prudent course of action is to confirm that Win32/OneScan is being detected/blocked/disinfected by the anti-malware software installed on your systems in Korea.  If your anti-virus solution does not have detection for this threat, ask your anti-virus vendor to add detection for it to their product. If detection isn’t added for Win32/OneScan it would be prudent to use an alternative solution that does have detection for this malware.
  • There are a lot of systems in Korea still running Windows XP. Support for Windows XP ends April 8th 2014. I recently wrote an article on The Risk of Running Windows XP After Support Ends April 2014. There are so many Windows XP systems in Korea found infected with Win32/OneScan, it elevates OneScan as the most detected threat on Windows XP globally, as seen in Figure 9 below. Migrating to a modern operating system like Windows 7 or Windows 8 is recommended in order to avoid these risks.

Figure 9: The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in 4Q12, and how they ranked in prevalence on different platforms

Tim Rains
Trustworthy Computing





About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »