The Latest Picture of the Threat Landscape in the European Union – part 2

In part 1 of this series on the threat landscape in the European Union (EU) I examined the encounter and infection rates among EU member countries/regions, focusing on a couple of the locations with highest malware encounter rates (ER) and infection rates (CCM).

In part 2 of the series I’ll focus on the locations in the EU with the lowest ERs and CCMs. I’ll also examine the top threats found in the region in the last half of 2014.

Figure 1 illustrates the locations in the EU that have the lowest ERs. Finland, Denmark, Sweden, Ireland, Germany, and Austria had the lowest ERs in the EU in the last quarter of 2014. These locations have consistently had lower ERs than the worldwide average.

Figure 1: Locations with the lowest encounter rates in the EU in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at Finland, the location with the lowest ER in the EU, Figure 2 shows that every category of threat is encountered significantly less frequently by systems in Finland than the worldwide average.

Figure 2: (left) malware categories encountered in Finland in the fourth quarter of 2014 compared to the worldwide averages; (right) unwanted software categories encountered in Finland and worldwide during the last quarter of 2014

Although Norway is not a member of the EU, my coworkers and many of the customers I have met in Norway would want me to mention that Norway is another location in the region with one of the healthiest ecosystems in the world, as is Japan.

Figure 3: (left) Encounter and infection rates for Norway during each quarter of 2014; (right) Encounter and infection rates for Japan during each quarter of 2014

Looking at the locations in the EU with the lowest malware infection rates, we can see that some of the locations with the lowest ERs in the region also have low infection rates, including Finland, Denmark, Sweden, Ireland, and Austria. Estonia had a consistently low infection rate through all four quarters of 2014. We didn’t have enough data to publish an ER for Luxembourg, but its infection rate was consistent with other low infection rate locations in the region during 2014. The Netherlands also has consistently low infection rates.

Figure 4: Locations in the EU with the lowest malware infection rates (CCM) in the last quarter of 2014

Although there are locations in the EU with consistently low infection rates, this doesn’t mean those locations don’t experience temporary dramatic infection rate increases. For example, Figure 5 illustrates some dramatic infection rate increases that took place in Austria and the Netherlands in 2011 when the Win32/EyeStye Trojan (also known as SpyEye) was detected and cleaned from a relatively large number of systems in Austria, the Netherlands, Germany and Italy. I visited numerous enterprise customers in the region during that time period to discuss this threat with them.

Figure 5: (left) The infection rate trend for Austria between the third quarter of 2011 and the second quarter of 2013; (right) the infection rate trend for the Netherlands between the third quarter of 2011 and the fourth quarter of 2012

Some locations in the EU saw great infection rate improvements in 2014. Figure 6 illustrates some of the biggest infection rate improvements in the region. France, Italy, Portugal, and Spain all ended 2014 with infection rates lower than the worldwide average after starting the year with significantly higher CCMs. Interestingly, over the years I have noticed elevated levels of Adware among these locations relative to the worldwide average, and the fourth quarter of 2014 was no different. With the exception of Portugal, these locations also all had elevated levels of Trojan Downloaders & Droppers during the last quarter of the year.

Figure 6: The largest CCM improvements in the EU in the second half of 2014

The most prevalent threat families found in the EU during the second half of 2014 are listed in Figure 7. Having only one commercial exploit kit (JS/Axpergle, also known as Angler) in the top ten threats in the region is good news, as exploit kits are typically used by attackers to spread ransomware and other malware to unpatched systems. The top three threats in the EU in the fourth quarter of 2014 were all families of worms that typically spread via unsecured file shares and removable media like USB drives.

Figure 7: The top 10 threat families in the EU in the second half of 2014

The good news is that many of these threats can be mitigated by keeping systems up-to-date with security updates and running up-to-date antimalware software. Could it be that locations in the EU that have relatively high malware infection rates also have relatively low antimalware software adoption/usage?

In part 3 of this series on the threat landscape in the EU I’m going to look at which locations in the EU have the highest and lowest usage of real-time antimalware software in the region – a key protection technology. I’m also going to examine which locations in the region host the most drive-by download attacks – a favorite malware distribution method for attackers.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection
