Japan – Lessons from Some of the Least Malware Infected Countries in the World – Part 5


Japan is the final location of focus in this series of posts on regions that consistently have low malware infection rates. I hope these insights into the threat landscape in regions with low infection rates prove useful to regions with higher infection rates.

I had the chance to visit Japan in 2007 where we launched the Microsoft Security Intelligence Report volume 2. Even then Japan had a relatively low malware infection rate. The chart below illustrates the infection rate trend in Japan for 2009 and 2010.

Figure: Infection rates for Japan in 2009 and 2010 by quarter by CCM


The graph below shows what Japan’s malware infection rate looks likes versus the other 116 countries we provided malware infection data on in SIRv10. The line seen at the top right corner of the graph below represents the CCM in the Republic of Korea in the fourth quarter of 2010. If you are interested, I wrote a blog post recently called “A Very Active Place – The Threat Landscape in the Republic of Korea” that provides insight into what is happening in this region.

Figure: CCM trend for Japan over 6 quarters, compared to 116 other locations and to the world as a whole


Looking at other data for Japan in 2010, we see the following:

  • Phishing sites (per 1,000 hosts) observed in the United States were 7.5 times higher than that of Japan in the first half of 2010 and 14 times higher in the second half of the year.
  • We observed 14.1 times more malware hosting sites (per 1,000 hosts) in the United States than in Japan in the first half of the year and 26.4 times more in the United States than in Japan in second half of the year.
  • The percentage of sites hosting drive-by downloads in Japan was 12% higher than that of the United States during the first half of 2010. Although this percentage went down precipitously in both locations by the fourth quarter of 2010, the percentage of sites hosting drive-by downloads in Japan was seen to be 4.7 times higher than that of the United States in Q4.

Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Japan as published in SIRv10


Looking at the specific categories and families of threats found in Japan, as we saw in Austria, Finland, and Germany Adware is one of the top categories. This is due to the detection of one prevalent adware family called JS/Pornpop that was found on a quarter of all infected systems in Japan in Q4 of 2010.

The big differentiator between the threat landscape in Japan versus any of the other countries I have examined in this blog series, is the prevalence of worms. Although worms like Win32/Taterf, Win32/Autorun, and Win32/Conficker are found in many regions throughout the world, these three threats were found on over 30% of the infected systems in Japan in the fourth quarter of 2010. Win32/Conficker and Win32/Autorun combined constitute 8.7% of the threats found on infected systems in Germany and 7.6% in Austria; Win32/Taterf was not in the top ten lists of threats for either of these countries. None of these worms are on the top ten list of threats found in Finland during the same period. Threats like Win32/Autorun and Win32/Conficker can be managed – please see a blog post I recently wrote called “Defending Against Autorun Attacks” for some guidance.

The trojan downloader family called Win32/Renos that we saw in Germany, Austria, and Finland in similar percentages (7.6%, 6.9%, and 6.9% of infected systems respectively) was found on only 1.8% of infected systems in Japan.

Interestingly, a tool that generates keys for illegally-obtained versions of various software products called HackTool:Win32/Keygen was found on 2.6% of infected systems in Japan. This is interesting because this tool was also found in the other locations I focused on in this blog series including Austria, Finland, and Germany in similar percentages (5.5%, 4.1%, and 4.2% of infected systems respectively). However, this tool is not on the top ten lists of threats found in other locations like Canada, France, Italy, the United Kingdom, or the United States.

Figure: Malware and potentially unwanted software categories in Japan in 4Q10, by percentage of computers affected


Figure: The top 10 malware and potentially unwanted software families in Japan in 4Q10


We asked Hideaki Kobayashi and Toshiaki Kokado of the Information-Technology Promotion Agency, Japan (http://www.ipa.go.jp) to help explain why Japan’s malware infection rate has been consistently lower than the worldwide average, and we published the following in the Microsoft Security Intelligence Report volume 7.

Hideaki Kobayashi and Toshiaki Kokado, Information-Technology Promotion Agency, Japan (http://www.ipa.go.jp)

“One of the reasons [that the infection rate in Japan is lower than in many other countries] is that Cyber Clean Center (https://www.ccc.go.jp/), a cooperative project between ISPs (76 companies as of June 2009), major security vendors (7 companies, including Microsoft), and Japanese government agencies, has worked on educating users and helping them remove infections from their computers. Thanks to this effort, we have succeeded in reducing the number of computers infected by botnet malware to 1 percent in June 2008, from 2.5 percent in April 2005. At the same time, we have contributed to improving the detection rate of malware on users’ computers by providing security vendors with samples collected by honey pots.

However, this is just part of a long-term effort for IPA, which was established in 1970 by the Japanese Ministry of International Trade and Industry (MITI – In 2001, MITI was reorganized into the Ministry of Economy, Trade and Industry (METI)). The first countermeasure was a virus consultation service IPA started in 1990. The service provides basic answers for questions from companies and people, including “What is a virus?” and “My computer is infected. What should I do?”. Information gathered via inquiries, samples, and trend information from administrative agencies is provided to security vendors, which leads to specific actions.

For the purpose of preventing virus infection, it is necessary to improve the quality of software product security, and efforts have been made to reduce the number of vulnerabilities over the years. For example, over 1.3 million copies of How to Secure Your Website, a textbook for building Web sites securely and reducing vulnerabilities in Web applications, have been downloaded since its release.

Apart from that, we have offered a tool that tests for known vulnerabilities in standard protocols, such as TCP/IP, to development companies for free. Our goal is to provide help for developers who are not security specialists, and they have accepted our assistance as beneficial to users. IPA and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) have also started Japan Vulnerability Notes (JVN) to release information in Japanese on vulnerabilities in both Japanese software and software distributed in Japan, and to provide information for enlightenment and prevention of recurrence.

At the same time, we have worked actively on challenges for the future. For example, we have launched an information security workgroup for home information appliances and cars.

These activities do not have an immediate effect. However, these government-affiliated agencies have continued their IT lifecycle-wide efforts for years, including providing knowhow for secure software development, and gathering information about current threats and countermeasures against them. These measures have created a high level of awareness about information security among the nation, companies, and the entire population. We believe that this high level of awareness helps make Japan a country with such a low malware infection rate.”

I also asked Masakazu Takahashi, the Chief Security Advisor for Microsoft Japan, for his opinion.

CCC Project

“The activity of the cyber clean center was effective in big in reducing the infection rate of the worm.

The CCC project sent 536,628 emails to 108,726 people by January, 2011, and 32.5% download the extermination tool. As a result, the worm infection rate was reduced from 2.5% to 1% as Kobayashi mentioned.

It seems to be non-efficiency to do direct contact to the owner of an infected PC, but this result shows that this is an extremely effective method.

Broadband adoption rate

In Japan, 80% of Internet users use broadband connections. Therefore, connections to the Internet will go through a router, and the router functions as Firewall. This feature builds a solid environment for the infection of the worm.

Autorun and Drive by download

This analysis is supported by the relatively high infection rates of Autorun, Conficker and JS/Pornpop. Honeypots cannot catch these kinds of malware, and the router isn’t able to prevent. Therefore, the methods that I described above are not effective.

Next step

In Japan, this matter has been already recognized, and some new actions have started. For example, APT measures from the viewpoint of network design, malware collection through Web crawling, and Information sharing about the target type attack. These actions just began, but some interesting results appear. I want to introduce these results shortly.”

In my next post, I will recap the key findings of this series of blog posts for your reference.

Tim Rains
Director, Product Management
Trustworthy Computing

About the Author
Tim Rains

Director, Security

Tim Rains is Director, Security at Microsoft where he helps manage marketing communications for Microsoft Cloud & Enterprise security, identity, and enterprise mobility products and services. Formerly, Tim was Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group where he helped Read more »