This is Part 3 in a series of articles focused on understanding the threat landscape in the Middle East and Southwest Asia. Part 1 of the series examined malware infection rates of many locations in the region including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. Part 2 took a close look at whether the relatively high malware infection rates in the region were simply a result of people encountering malware more frequently in this region than the worldwide average. Relatively high encounter rates among these locations help partially explain why they have high infection rates. But there were some notable exceptions, like Turkey, that had the highest encounter rate but did not have the highest infection rate; high encounter rates in Turkey were primarily due to attackers targeting Turkish language speakers. This part of the series, Part 3, explores whether differences in real-time anti-virus usage among locations help explain differences among regional infection rates. That is, do locations that have a high percentage of unprotected systems have high malware infection rates? You might be surprised by the results.
Recent releases of the Malicious Software Removal Tool (MSRT) collect and report details about the state of real-time antimalware software on the computer, if the computer’s administrator has chosen to opt in to provide data to Microsoft. This telemetry makes it possible to analyze security software usage patterns around the world and correlate them with infection rates. A typical computer runs the MSRT three times each quarter, once for each monthly version of the MSRT released. In Figure 1, “Always protected” represents computers that had real-time security software active and up to date all three times the MSRT ran during a quarter; “Intermittently protected” represents computers that had security software active during one or two MSRT executions, but not all three; and “Unprotected” represents computers that did not have security software active during any MSRT executions that quarter. Figure 1 shows the infection rates (CCM) of computers worldwide in these three categories between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13).
On average, the MSRT reported that computers that were never found to be running real-time security software during a quarter were 7.1 times as likely to be infected with malware as computers that were always found to be protected. The infection rate for unprotected computers ranged from 20.9 to 24.6, compared to a range of 3.1 to 4.5 for computers that were always protected. With infection rates ranging from 16.5 to 20.5, computers that were intermittently protected were 6.0 times as likely to be infected with malware as computers that were always protected—a ratio nearly as great as that for computers that were never found to be protected.
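The classification and comparison described above can be reproduced on a fleet's own endpoint telemetry. The following Python sketch is an added example, not Microsoft's code or the MSRT's reporting format: the record layout, the sample data, the exclusion of machines with fewer than three reports, and the reading of CCM as computers cleaned per 1,000 computers scanned are all assumptions made for illustration.

```python
from collections import defaultdict

def _machine(mid, flags, cleaned_month=None):
    """Build three monthly reports: (machine, month, protected, cleaned)."""
    return [(mid, m, flags[m - 1], m == cleaned_month) for m in (1, 2, 3)]

# Constructed sample telemetry, not real MSRT data.
SAMPLE = (
    _machine("a1", (True, True, True), cleaned_month=2)
    + _machine("a2", (True, True, True))
    + _machine("a3", (True, True, True))
    + _machine("a4", (True, True, True))
    + _machine("i1", (True, False, True), cleaned_month=2)
    + _machine("i2", (False, True, False))
    + _machine("u1", (False, False, False), cleaned_month=1)
    + _machine("u2", (False, False, False), cleaned_month=3)
    + _machine("x1", (True, True, True))[:2]  # only two runs reported
)

def classify(flags):
    """Map per-run protection flags to the article's three categories."""
    active = sum(flags)
    if active == len(flags):
        return "always"
    return "intermittent" if active else "unprotected"

def quarter_summary(reports, runs_per_quarter=3):
    """Per-category machine count and infection rate per 1,000 machines."""
    by_machine = defaultdict(list)
    for machine, _month, protected, cleaned in reports:
        by_machine[machine].append((protected, cleaned))
    scanned, infected = defaultdict(int), defaultdict(int)
    for runs in by_machine.values():
        if len(runs) != runs_per_quarter:
            continue  # assumption: incomplete quarters are left out
        category = classify([p for p, _ in runs])
        scanned[category] += 1
        infected[category] += any(c for _, c in runs)  # count a machine once
    return {c: {"machines": n, "ccm": 1000.0 * infected[c] / n}
            for c, n in scanned.items()}

def relative_risk(summary, category, baseline="always"):
    """How many times the baseline infection rate a category shows."""
    base = summary[baseline]["ccm"]
    return summary[category]["ccm"] / base if base else float("inf")
```

Tracking the intermittent group separately matters because, as the worldwide figures show, its infection rate sits much closer to the unprotected group than to the always-protected one.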
Given the infection rate differences between protected, intermittently protected and unprotected systems, one reasonable hypothesis is that locations that have high numbers of unprotected or intermittently protected systems will have relatively high infection rates. Figure 2 illustrates the percentage of systems in the Middle East and southwest Asia that were always protected. Iraq and Syria had the lowest percentage of always protected systems, with less than 50 percent of systems running up-to-date real-time antimalware software in 2Q13, more than 25 percent lower than the worldwide average. Qatar had the highest anti-virus software usage in the region with 71.1 percent of systems always protected. Recall from Part 1 of this series that Qatar had the lowest malware infection rate in the Gulf in 2Q13 with a CCM of 10.0 compared to the worldwide average of 5.8. Also recall that Pakistan had the second highest infection rate (29.2) in the region, higher than that of Syria (27.6). But Pakistan had a higher percentage (60.1%) of always protected systems than Syria (49.5%), Bahrain (52.1%), and Egypt (58.8%).
Figure 1 (left): Infection rates for always protected, intermittently protected, and unprotected computers, from the third quarter of 2012 (3Q12) to the second quarter of 2013 (2Q13); Figure 2 (right): The percentage of systems in the Middle East and southwest Asia that were always protected between 3Q12 and 2Q13
Figure 3 illustrates the percentage of systems that had up-to-date real-time anti-virus software only once or twice during the quarter. Qatar had the lowest percentage of intermittently protected systems in the region at 22.1 percent, just above the worldwide average of 20.4 percent. Iraq and Syria had the most systems that were intermittently protected in the region, with 48.3 percent and 43.1 percent of systems respectively. Egypt and Pakistan also had relatively high percentages of intermittently protected systems with 38.0 percent and 37.3 percent of systems respectively.
There are several reasons systems could be intermittently protected. For example, many families of malware attempt to disable anti-virus software once they successfully compromise a system. Some users, like gamers, decide to disable anti-virus software in an attempt to optimize system performance. Trial anti-virus software that expired during the quarter, leaving systems unprotected, is also a common reason systems are intermittently protected.
Figure 3 (left): The percentage of systems in the Middle East and southwest Asia that were intermittently protected between 3Q12 and 2Q13; Figure 4 (right): The percentage of systems in the Middle East and southwest Asia that were unprotected between 3Q12 and 2Q13
Figure 4 illustrates the percentage of systems in the region that did not have active up-to-date anti-virus software in any of the three months of each quarter between 3Q12 and 2Q13. There are some interesting insights in this data. For example, Bahrain had the highest percentage of unprotected systems in the region in 2Q13 and an above average percentage of intermittently protected systems. But Bahrain didn’t have a relatively high infection rate compared to other locations in the region; Bahrain had the highest CCM in the Gulf at 12.9, but much lower than the average CCM of 22.6 for locations in the region outside of the Gulf. Another interesting thing to note is the percentage of unprotected systems in Pakistan. Only 2.6 percent of systems in Pakistan were unprotected in 2Q13, well below the 5 percent worldwide average. But remember that Pakistan has had consistently one of the highest infection rates in the world, second only to Iraq in 2Q13 with a CCM of 29.2; Iraq’s CCM was 31.5 and the worldwide average was 5.8 in 2Q13. To recap, 60 percent of the systems in Pakistan were always protected, 37.3 percent were intermittently protected, 2.6 percent were unprotected, and the infection rate was 5 times higher than the worldwide average. Egypt is a similar case with one of the highest malware infection rates in the region, with a CCM of 25, but the second lowest percentage of unprotected systems in the region at 3.1 percent. Both Egypt and Pakistan have similar percentages of intermittently protected systems, with 38.0 percent and 37.3 percent respectively.
One conclusion is that although they both have relatively low percentages of unprotected systems, even lower than the United States, the relatively high percentage of intermittently protected systems is contributing to their relatively high malware infection rates. Another possible conclusion is that anti-virus usage is only one factor contributing to malware infection rates and there are other contributing factors that help explain differences in regional malware infection rates.
One such factor could be Windows XP usage. Since Windows XP has a much higher infection rate compared to other, newer operating systems, could it be that locations with more Windows XP systems have higher malware infection rates? In the next part of this series I will examine whether the number of systems in the Middle East and southwest Asia running Windows XP helps explain the relatively high malware infection rates in the region.