Microsoft Security Intelligence Report Volume 14 Regional Threat Assessment English

Published on August 2016 | Categories: Types, Articles & News Stories | Downloads: 87 | Comments: 0 | Views: 433

An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software


Microsoft Security Intelligence Report
Volume 14

July through December, 2013

REGIONAL THREAT ASSESSMENT

Microsoft Security Intelligence Report
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2013 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

July–December 2012


Microsoft Security Intelligence Report, Volume 14

Table of Contents
Albania
Algeria
Angola
Argentina
Australia
Austria
Bahamas, The
Bahrain
Bangladesh
Belarus
Belgium
Bolivia
Brazil
Bulgaria
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
El Salvador
Estonia
Finland
France
Georgia
Germany
Greece
Guatemala
Honduras
Hong Kong S.A.R.
Hungary
Iceland
India
Indonesia
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jordan
Kazakhstan
Kenya
Korea
Kuwait
Latvia
Lebanon
Lithuania
Luxembourg
Macao S.A.R.
Malaysia
Malta
Mexico
Moldova
Morocco
Nepal
Netherlands
New Zealand
Nicaragua
Nigeria
Norway
Oman
Pakistan
Palestinian Authority
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia
Saudi Arabia
Senegal
Singapore
Slovakia
Slovenia
South Africa
Spain
Sri Lanka
Sweden
Switzerland
Syria
Taiwan
Tanzania
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States
Uruguay
Venezuela
Vietnam

Albania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Albania in 4Q12 and previous quarters. This data is provided by administrators or users who opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Albania

Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   27.5   25.7   23.2   18.0
Worldwide average CCM                               6.6    7.0    5.3    6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Albania and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 18.0 of every 1,000 computers scanned in Albania in 4Q12 (a CCM score of 18.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Albania over the last six quarters, compared to the world as a whole.
CCM infection trends in Albania and worldwide

[Figure: y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Albania]

Threat categories
Malware and potentially unwanted software categories in Albania in 4Q12, by percentage of computers reporting detections

[Figure: y-axis: Percent of computers reporting detections; series: Albania, Worldwide]

The most common category in Albania in 4Q12 was Worms. It affected 48.1 percent of all computers with detections there, up from 47.8 percent in 3Q12.

The second most common category in Albania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.2 percent of all computers with detections there, up from 38.8 percent in 3Q12.

The third most common category in Albania in 4Q12 was Miscellaneous Trojans, which affected 23.9 percent of all computers with detections there, down from 24.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Albania in 4Q12

Rank  Family            Most significant category             % of computers with detections
1     INF/Autorun       Misc. Potentially Unwanted Software   22.9%
2     Win32/Sality      Viruses                               17.4%
3     Win32/Helompy     Worms                                 17.0%
4     Win32/Keygen      Misc. Potentially Unwanted Software   15.3%
5     Win32/Conficker   Worms                                 11.6%
6     Win32/Rimecud     Misc. Trojans                         8.9%
7     Win32/Vobfus      Worms                                 7.0%
8     Win32/Dorkbot     Worms                                 5.2%
9     Win32/Hotbar      Adware                                5.0%
10    Win32/Wpakill     Misc. Potentially Unwanted Software   3.9%



The most common threat family in Albania in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in Albania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in Albania in 4Q12 was Win32/Sality, which affected 17.4 percent of computers with detections in Albania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The third most common threat family in Albania in 4Q12 was Win32/Helompy, which affected 17.0 percent of computers with detections in Albania. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services.

The fourth most common threat family in Albania in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in Albania. Win32/Keygen is a generic detection for tools that generate product keys for various software products.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Albania

Metric                                              3Q12         4Q12
Phishing sites per 1,000 hosts (Worldwide)          N/A (5.41)   N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   N/A (9.46)   N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide)        N/A (0.56)   0.00 (0.33)


Algeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Algeria in 4Q12 and previous quarters. This data is provided by administrators or users who opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Algeria

Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   20.1   19.0   16.4   17.9
Worldwide average CCM                               6.6    7.0    5.3    6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Algeria and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 17.9 of every 1,000 computers scanned in Algeria in 4Q12 (a CCM score of 17.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Algeria over the last six quarters, compared to the world as a whole.
CCM infection trends in Algeria and worldwide

[Figure: y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Algeria]

Threat categories
Malware and potentially unwanted software categories in Algeria in 4Q12, by percentage of computers reporting detections

[Figure: y-axis: Percent of computers reporting detections; series: Algeria, Worldwide]

The most common category in Algeria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.8 percent of all computers with detections there, up from 36.2 percent in 3Q12.

The second most common category in Algeria in 4Q12 was Worms. It affected 41.0 percent of all computers with detections there, up from 34.8 percent in 3Q12.

The third most common category in Algeria in 4Q12 was Miscellaneous Trojans, which affected 37.8 percent of all computers with detections there, up from 32.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Algeria in 4Q12

Rank  Family            Most significant category             % of computers with detections
1     Win32/Keygen      Misc. Potentially Unwanted Software   20.6%
2     Win32/Ramnit      Misc. Trojans                         20.3%
3     INF/Autorun       Misc. Potentially Unwanted Software   19.3%
4     Win32/Sality      Viruses                               17.2%
5     Win32/CplLnk      Exploits                              14.2%
6     Win32/Vobfus      Worms                                 12.5%
7     Win32/Dorkbot     Worms                                 10.6%
8     Win32/Yeltminky   Worms                                 6.1%
9     Win32/Virut       Viruses                               5.1%
10    Win32/Mabezat     Viruses                               4.9%



The most common threat family in Algeria in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Algeria. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Algeria in 4Q12 was Win32/Ramnit, which affected 20.3 percent of computers with detections in Algeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

The third most common threat family in Algeria in 4Q12 was INF/Autorun, which affected 19.3 percent of computers with detections in Algeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The fourth most common threat family in Algeria in 4Q12 was Win32/Sality, which affected 17.2 percent of computers with detections in Algeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Algeria

Metric                                              3Q12          4Q12
Phishing sites per 1,000 hosts (Worldwide)          3.55 (5.41)   9.94 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   8.52 (9.46)   14.91 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.01 (0.56)   N/A (0.33)


Angola
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Angola in 4Q12 and previous quarters. This data is provided by administrators or users who opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Angola

Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   15.0   14.8   12.9   10.6
Worldwide average CCM                               6.6    7.0    5.3    6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Angola and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 10.6 of every 1,000 computers scanned in Angola in 4Q12 (a CCM score of 10.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Angola over the last six quarters, compared to the world as a whole.
CCM infection trends in Angola and worldwide

[Figure: y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Angola]

Threat categories
Malware and potentially unwanted software categories in Angola in 4Q12, by percentage of computers reporting detections

[Figure: y-axis: Percent of computers reporting detections; series: Angola, Worldwide]



The most common category in Angola in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, down from 42.7 percent in 3Q12.

The second most common category in Angola in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, down from 31.4 percent in 3Q12.

The third most common category in Angola in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, down from 24.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Angola in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Vobfus | Worms | 24.7% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.0% |
| 3 | Win32/DealPly | Adware | 13.0% |
| 4 | Win32/Ramnit | Misc. Trojans | 9.5% |
| 5 | Win32/CplLnk | Exploits | 7.5% |
| 6 | Win32/Keygen | Misc. Potentially Unwanted Software | 7.2% |
| 7 | Win32/Virut | Viruses | 6.7% |
| 8 | Win32/Dorkbot | Worms | 6.7% |
| 9 | Win32/Chir | Viruses | 6.2% |
| 10 | JS/IframeRef | Misc. Trojans | 4.2% |



The most common threat family in Angola in 4Q12 was Win32/Vobfus, which affected 24.7 percent of computers with detections in Angola. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Angola in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Angola. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Angola in 4Q12 was Win32/DealPly, which affected 13.0 percent of computers with detections in Angola. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Angola in 4Q12 was Win32/Ramnit, which affected 9.5 percent of computers with detections in Angola. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Angola

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |

Argentina
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Argentina in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Argentina

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.7 | 7.2 | 6.5 | 5.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Argentina and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Argentina in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Argentina over the last six quarters, compared to the world as a whole.
CCM infection trends in Argentina and worldwide

[Figure not reproduced. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Argentina.]

Threat categories
Malware and potentially unwanted software categories in Argentina in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Y-axis: Percent of computers reporting detections; series: Argentina, Worldwide.]



The most common category in Argentina in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, down from 33.0 percent in 3Q12. The second most common category in Argentina in 4Q12 was Adware. It affected 31.3 percent of all computers with detections there, up from 18.0 percent in 3Q12. The third most common category in Argentina in 4Q12 was Worms, which affected 29.0 percent of all computers with detections there, down from 32.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Argentina in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 25.3% |
| 2 | Win32/Dorkbot | Worms | 14.7% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.3% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 8.5% |
| 5 | Win32/Conficker | Worms | 5.6% |
| 6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.9% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 3.5% |
| 8 | JS/IframeRef | Misc. Trojans | 3.3% |
| 9 | Win32/Sality | Viruses | 3.0% |
| 10 | Win32/OpenCandy | Adware | 2.9% |



The most common threat family in Argentina in 4Q12 was Win32/DealPly, which affected 25.3 percent of computers with detections in Argentina. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Argentina in 4Q12 was Win32/Dorkbot, which affected 14.7 percent of computers with detections in Argentina. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Argentina in 4Q12 was Win32/Keygen, which affected 12.3 percent of computers with detections in Argentina. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Argentina in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Argentina. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Argentina

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 13.24 (5.41) | 9.40 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 17.72 (9.46) | 16.30 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.35 (0.56) | 0.32 (0.33) |

Australia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Australia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Australia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.0 | 2.9 | 3.8 | 3.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Australia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in Australia in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Australia over the last six quarters, compared to the world as a whole.
CCM infection trends in Australia and worldwide

[Figure not reproduced. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Australia.]

Threat categories
Malware and potentially unwanted software categories in Australia in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Y-axis: Percent of computers reporting detections; series: Australia, Worldwide.]



The most common category in Australia in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, down from 35.4 percent in 3Q12. The second most common category in Australia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.0 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Australia in 4Q12 was Exploits, which affected 18.7 percent of all computers with detections there, up from 15.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Australia in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.0% |
| 2 | Win32/Pdfjsc | Exploits | 7.7% |
| 3 | Java/Blacole | Exploits | 7.3% |
| 4 | Win32/Sirefef | Misc. Trojans | 7.3% |
| 5 | ASX/Wimad | Trojan Downloaders & Droppers | 6.8% |
| 6 | JS/IframeRef | Misc. Trojans | 5.9% |
| 7 | Win32/Hotbar | Adware | 5.8% |
| 8 | Win32/Zbot | Password Stealers & Monitoring Tools | 5.6% |
| 9 | JS/Medfos | Misc. Trojans | 4.2% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.2% |



The most common threat family in Australia in 4Q12 was Win32/Keygen, which affected 12.0 percent of computers with detections in Australia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Australia in 4Q12 was Win32/Pdfjsc, which affected 7.7 percent of computers with detections in Australia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Australia in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Australia. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Australia in 4Q12 was Win32/Sirefef, which affected 7.3 percent of computers with detections in Australia. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Australia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 10.30 (5.41) | 9.05 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.91 (9.46) | 10.99 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.26 (0.56) | 0.14 (0.33) |

Austria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Austria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Austria

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 2.8 | 2.8 | 2.3 | 2.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Austria and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.0 of every 1,000 computers scanned in Austria in 4Q12 (a CCM score of 2.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Austria over the last six quarters, compared to the world as a whole.
CCM infection trends in Austria and worldwide

[Figure not reproduced. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Austria.]

Threat categories
Malware and potentially unwanted software categories in Austria in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Y-axis: Percent of computers reporting detections; series: Austria, Worldwide.]



The most common category in Austria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.9 percent of all computers with detections there, up from 26.8 percent in 3Q12. The second most common category in Austria in 4Q12 was Miscellaneous Trojans. It affected 27.7 percent of all computers with detections there, down from 30.6 percent in 3Q12. The third most common category in Austria in 4Q12 was Exploits, which affected 25.0 percent of all computers with detections there, up from 19.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Austria in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Pdfjsc | Exploits | 14.1% |
| 2 | Win32/DealPly | Adware | 13.5% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.4% |
| 4 | Java/Blacole | Exploits | 10.7% |
| 5 | JS/IframeRef | Misc. Trojans | 6.8% |
| 6 | Win32/Reveton | Misc. Trojans | 5.2% |
| 7 | Win32/OpenCandy | Adware | 3.9% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.2% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 2.9% |
| 10 | Win32/Hotbar | Adware | 2.7% |



The most common threat family in Austria in 4Q12 was Win32/Pdfjsc, which affected 14.1 percent of computers with detections in Austria. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Austria in 4Q12 was Win32/DealPly, which affected 13.5 percent of computers with detections in Austria. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Austria in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Austria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Austria in 4Q12 was Java/Blacole, which affected 10.7 percent of computers with detections in Austria. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Austria

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.08 (5.41) | 2.61 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.52 (9.46) | 5.64 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.16 (0.56) | 0.08 (0.33) |

Bahamas, The
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Bahamas in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Bahamas

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.6 | 10.4 | 8.6 | 9.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Bahamas and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 9.2 of every 1,000 computers scanned in the Bahamas in 4Q12 (a CCM score of 9.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Bahamas over the last six quarters, compared to the world as a whole.
CCM infection trends in the Bahamas and worldwide

[Figure not reproduced. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Bahamas, The.]

Threat categories
Malware and potentially unwanted software categories in the Bahamas in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Y-axis: Percent of computers reporting detections; series: Bahamas, The; Worldwide.]



The most common category in the Bahamas in 4Q12 was Worms. It affected 34.7 percent of all computers with detections there, up from 31.9 percent in 3Q12. The second most common category in the Bahamas in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in the Bahamas in 4Q12 was Adware, which affected 26.7 percent of all computers with detections there, down from 31.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the Bahamas in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Hotbar | Adware | 17.8% |
| 2 | Win32/Zwangi | Misc. Potentially Unwanted Software | 15.3% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 12.2% |
| 4 | Win32/Vobfus | Worms | 9.6% |
| 5 | Win32/Dorkbot | Worms | 8.7% |
| 6 | Win32/ClickPotato | Adware | 6.9% |
| 7 | Win32/Keygen | Misc. Potentially Unwanted Software | 6.9% |
| 8 | JS/IframeRef | Misc. Trojans | 6.1% |
| 9 | Win32/Hamweq | Worms | 4.3% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.2% |



The most common threat family in the Bahamas in 4Q12 was Win32/Hotbar, which affected 17.8 percent of computers with detections in the Bahamas. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The second most common threat family in the Bahamas in 4Q12 was Win32/Zwangi, which affected 15.3 percent of computers with detections in the Bahamas. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The third most common threat family in the Bahamas in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in the Bahamas. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in the Bahamas in 4Q12 was Win32/Vobfus, which affected 9.6 percent of computers with detections in the Bahamas. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Bahamas

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.30 (0.56) | 0.03 (0.33) |

Bahrain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bahrain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bahrain

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.4 | 14.7 | 12.3 | 12.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bahrain and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.6 of every 1,000 computers scanned in Bahrain in 4Q12 (a CCM score of 12.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bahrain over the last six quarters, compared to the world as a whole.
CCM infection trends in Bahrain and worldwide

[Figure not reproduced. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Bahrain.]

Threat categories
Malware and potentially unwanted software categories in Bahrain in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Y-axis: Percent of computers reporting detections; series: Bahrain, Worldwide.]



The most common category in Bahrain in 4Q12 was Worms. It affected 43.7 percent of all computers with detections there, up from 33.4 percent in 3Q12. The second most common category in Bahrain in 4Q12 was Miscellaneous Trojans. It affected 34.9 percent of all computers with detections there, up from 27.6 percent in 3Q12. The third most common category in Bahrain in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.6 percent of all computers with detections there, up from 27.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Bahrain in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Nuqel | Worms | 15.9% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.5% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.4% |
| 4 | Win32/Dorkbot | Worms | 11.9% |
| 5 | Win32/Patched | Misc. Trojans | 7.8% |
| 6 | Win32/Sality | Viruses | 7.5% |
| 7 | Win32/Vobfus | Worms | 6.0% |
| 8 | Win32/CplLnk | Exploits | 5.9% |
| 9 | Win32/Rimecud | Misc. Trojans | 5.5% |
| 10 | Win32/Ramnit | Misc. Trojans | 5.4% |



The most common threat family in Bahrain in 4Q12 was Win32/Nuqel, which affected 15.9 percent of computers with detections in Bahrain. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions. The second most common threat family in Bahrain in 4Q12 was INF/Autorun, which affected 15.5 percent of computers with detections in Bahrain. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Bahrain in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Bahrain. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Bahrain in 4Q12 was Win32/Dorkbot, which affected 11.9 percent of computers with detections in Bahrain. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bahrain

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |


Bangladesh
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bangladesh in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bangladesh

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.6 | 15.1 | 14.4 | 12.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bangladesh and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.9 of every 1,000 computers scanned in Bangladesh in 4Q12 (a CCM score of 12.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bangladesh over the last six quarters, compared to the world as a whole.
CCM infection trends in Bangladesh and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Bangladesh]


Threat categories
Malware and potentially unwanted software categories in Bangladesh in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Bangladesh and Worldwide]



The most common category in Bangladesh in 4Q12 was Miscellaneous Trojans. It affected 49.1 percent of all computers with detections there, up from 47.9 percent in 3Q12. The second most common category in Bangladesh in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.9 percent of all computers with detections there, up from 40.2 percent in 3Q12. The third most common category in Bangladesh in 4Q12 was Viruses, which affected 38.2 percent of all computers with detections there, down from 38.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Bangladesh in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Ramnit | Misc. Trojans | 39.0% |
| 2 | Win32/CplLnk | Exploits | 25.3% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 25.1% |
| 4 | Win32/Keygen | Misc. Potentially Unwanted Software | 25.0% |
| 5 | Win32/Sality | Viruses | 16.8% |
| 6 | Win32/Conficker | Worms | 9.4% |
| 7 | Win32/Virut | Viruses | 8.4% |
| 8 | Win32/Rimecud | Misc. Trojans | 7.4% |
| 9 | Win32/Dorkbot | Worms | 5.7% |
| 10 | Win32/VB | Worms | 4.9% |



The most common threat family in Bangladesh in 4Q12 was Win32/Ramnit, which affected 39.0 percent of computers with detections in Bangladesh. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Bangladesh in 4Q12 was Win32/CplLnk, which affected 25.3 percent of computers with detections in Bangladesh. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The third most common threat family in Bangladesh in 4Q12 was INF/Autorun, which affected 25.1 percent of computers with detections in Bangladesh. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Bangladesh in 4Q12 was Win32/Keygen, which affected 25.0 percent of computers with detections in Bangladesh. Win32/Keygen is a generic detection for tools that generate product keys for various software products.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bangladesh

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.01 (0.56) | 0.94 (0.33) |


Belarus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belarus in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belarus

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.4 | 7.2 | 6.5 | 5.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belarus and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.2 of every 1,000 computers scanned in Belarus in 4Q12 (a CCM score of 5.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Belarus over the last six quarters, compared to the world as a whole.
CCM infection trends in Belarus and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Belarus]


Threat categories
Malware and potentially unwanted software categories in Belarus in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Belarus and Worldwide]



The most common category in Belarus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.5 percent of all computers with detections there, down from 53.9 percent in 3Q12. The second most common category in Belarus in 4Q12 was Miscellaneous Trojans. It affected 39.1 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Belarus in 4Q12 was Worms, which affected 18.5 percent of all computers with detections there, up from 15.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Belarus in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.2% |
| 2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 12.9% |
| 3 | Win32/Dorkbot | Worms | 10.9% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.8% |
| 5 | Win32/Vundo | Misc. Trojans | 5.9% |
| 6 | JS/IframeRef | Misc. Trojans | 5.4% |
| 7 | Win32/Dynamer | Misc. Trojans | 4.7% |
| 8 | JS/Redirector | Misc. Trojans | 4.4% |
| 9 | INF/Autorun | Misc. Potentially Unwanted Software | 4.3% |
| 10 | Win32/Ramnit | Misc. Trojans | 3.6% |



The most common threat family in Belarus in 4Q12 was Win32/Keygen, which affected 23.2 percent of computers with detections in Belarus. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Belarus in 4Q12 was Win32/Pameseg, which affected 12.9 percent of computers with detections in Belarus. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Belarus in 4Q12 was Win32/Dorkbot, which affected 10.9 percent of computers with detections in Belarus. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The fourth most common threat family in Belarus in 4Q12 was Win32/Obfuscator, which affected 8.8 percent of computers with detections in Belarus. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belarus

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 11.01 (5.41) | 13.38 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.62 (9.46) | 13.77 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 3.67 (0.56) | 1.31 (0.33) |


Belgium
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belgium in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belgium

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.7 | 4.1 | 3.0 | 2.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belgium and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.1 of every 1,000 computers scanned in Belgium in 4Q12 (a CCM score of 2.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Belgium over the last six quarters, compared to the world as a whole.
CCM infection trends in Belgium and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Belgium]


Threat categories
Malware and potentially unwanted software categories in Belgium in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Belgium and Worldwide]



The most common category in Belgium in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.4 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Belgium in 4Q12 was Adware. It affected 30.1 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Belgium in 4Q12 was Miscellaneous Trojans, which affected 28.2 percent of all computers with detections there, down from 30.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Belgium in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 16.5% |
| 2 | Win32/Pdfjsc | Exploits | 13.8% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.5% |
| 4 | Java/Blacole | Exploits | 9.2% |
| 5 | JS/IframeRef | Misc. Trojans | 7.8% |
| 6 | Win32/Hotbar | Adware | 7.3% |
| 7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.7% |
| 8 | Win32/Reveton | Misc. Trojans | 6.3% |
| 9 | ASX/Wimad | Trojan Downloaders & Droppers | 5.9% |
| 10 | Win32/Sirefef | Misc. Trojans | 3.7% |



The most common threat family in Belgium in 4Q12 was Win32/DealPly, which affected 16.5 percent of computers with detections in Belgium. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Belgium in 4Q12 was Win32/Pdfjsc, which affected 13.8 percent of computers with detections in Belgium. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Belgium in 4Q12 was Win32/Keygen, which affected 11.5 percent of computers with detections in Belgium. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Belgium in 4Q12 was Java/Blacole, which affected 9.2 percent of computers with detections in Belgium. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belgium

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.04 (5.41) | 2.64 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 4.32 (9.46) | 4.39 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.14 (0.56) | 0.13 (0.33) |


Bolivia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bolivia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bolivia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.7 | 10.7 | 9.4 | 9.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bolivia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 9.4 of every 1,000 computers scanned in Bolivia in 4Q12 (a CCM score of 9.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bolivia over the last six quarters, compared to the world as a whole.
CCM infection trends in Bolivia and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Bolivia]


Threat categories
Malware and potentially unwanted software categories in Bolivia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Bolivia and Worldwide]



The most common category in Bolivia in 4Q12 was Worms. It affected 48.3 percent of all computers with detections there, up from 44.8 percent in 3Q12. The second most common category in Bolivia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.5 percent of all computers with detections there, up from 37.1 percent in 3Q12. The third most common category in Bolivia in 4Q12 was Miscellaneous Trojans, which affected 26.4 percent of all computers with detections there, down from 28.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Bolivia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Dorkbot | Worms | 19.9% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.3% |
| 3 | Win32/Sohanad | Worms | 15.1% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 14.2% |
| 5 | Win32/Vobfus | Worms | 13.8% |
| 6 | Win32/Sality | Viruses | 13.5% |
| 7 | Win32/Conficker | Worms | 5.3% |
| 8 | Win32/Nuqel | Worms | 5.0% |
| 9 | Win32/Ramnit | Misc. Trojans | 4.1% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.6% |



The most common threat family in Bolivia in 4Q12 was Win32/Dorkbot, which affected 19.9 percent of computers with detections in Bolivia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Bolivia in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Bolivia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Bolivia in 4Q12 was Win32/Sohanad, which affected 15.1 percent of computers with detections in Bolivia. Win32/Sohanad is a family of worms that may spread via removable or network drives and particular messenger applications. It may also modify a number of system settings and contact a remote host. The fourth most common threat family in Bolivia in 4Q12 was INF/Autorun, which affected 14.2 percent of computers with detections in Bolivia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bolivia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.02 (0.33) |


Brazil
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Brazil in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Brazil

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 13.3 | 10.1 | 9.0 | 7.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Brazil and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Brazil in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Brazil over the last six quarters, compared to the world as a whole.
CCM infection trends in Brazil and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Brazil]


Threat categories
Malware and potentially unwanted software categories in Brazil in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Brazil and Worldwide]



The most common category in Brazil in 4Q12 was Adware. It affected 40.8 percent of all computers with detections there, up from 17.4 percent in 3Q12. The second most common category in Brazil in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.0 percent of all computers with detections there, down from 40.5 percent in 3Q12. The third most common category in Brazil in 4Q12 was Miscellaneous Trojans, which affected 17.1 percent of all computers with detections there, down from 23.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Brazil in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 36.6% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.0% |
| 3 | Win32/Banload | Trojan Downloaders & Droppers | 8.2% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 7.1% |
| 5 | Win32/Protlerdob | Misc. Potentially Unwanted Software | 6.0% |
| 6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8% |
| 7 | Win32/Bancos | Password Stealers & Monitoring Tools | 4.6% |
| 8 | Win32/Sality | Viruses | 4.4% |
| 9 | Win32/Conficker | Worms | 4.1% |
| 10 | JS/IframeRef | Misc. Trojans | 3.8% |



The most common threat family in Brazil in 4Q12 was Win32/DealPly, which affected 36.6 percent of computers with detections in Brazil. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Brazil in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Brazil. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Brazil in 4Q12 was Win32/Banload, which affected 8.2 percent of computers with detections in Brazil. Win32/Banload is a family of trojans that download other malware. Banload usually downloads Win32/Banker, which steals banking credentials and other sensitive data and sends it back to a remote attacker. The fourth most common threat family in Brazil in 4Q12 was INF/Autorun, which affected 7.1 percent of computers with detections in Brazil. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Brazil

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 13.11 (5.41) | 12.59 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 36.24 (9.46) | 31.97 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.18 (0.56) | 0.13 (0.33) |


Bulgaria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bulgaria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bulgaria

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.0 | 8.0 | 6.9 | 7.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bulgaria and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.6 of every 1,000 computers scanned in Bulgaria in 4Q12 (a CCM score of 7.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bulgaria over the last six quarters, compared to the world as a whole.
CCM infection trends in Bulgaria and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Bulgaria]


Threat categories
Malware and potentially unwanted software categories in Bulgaria in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Bulgaria and Worldwide]



The most common category in Bulgaria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 42.4 percent in 3Q12. The second most common category in Bulgaria in 4Q12 was Miscellaneous Trojans. It affected 35.4 percent of all computers with detections there, up from 30.8 percent in 3Q12. The third most common category in Bulgaria in 4Q12 was Worms, which affected 26.0 percent of all computers with detections there, up from 19.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Bulgaria in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.2% |
| 2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.7% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.6% |
| 4 | Win32/Phorpiex | Worms | 5.8% |
| 5 | Win32/Dorkbot | Worms | 5.8% |
| 6 | Win32/Conficker | Worms | 5.4% |
| 7 | JS/IframeRef | Misc. Trojans | 4.9% |
| 8 | Win32/Bocinex | Misc. Trojans | 4.6% |
| 9 | Win32/Meredrop | Misc. Trojans | 3.6% |
| 10 | Win32/Sality | Viruses | 3.6% |



The most common threat family in Bulgaria in 4Q12 was Win32/Keygen, which affected 26.2 percent of computers with detections in Bulgaria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Bulgaria in 4Q12 was Win32/Obfuscator, which affected 6.7 percent of computers with detections in Bulgaria. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Bulgaria in 4Q12 was INF/Autorun, which affected 6.6 percent of computers with detections in Bulgaria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Bulgaria in 4Q12 was Win32/Phorpiex, which affected 5.8 percent of computers with detections in Bulgaria. Win32/Phorpiex is a family of worms that spread via removable drives and instant messaging software. The worms also allow backdoor access and control.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bulgaria

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 8.15 (5.41) | 8.89 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.95 (9.46) | 8.57 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.93 (0.56) | 0.45 (0.33) |


Canada
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Canada in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Canada

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.8 | 2.7 | 2.7 | 2.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Canada and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Canada in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Canada over the last six quarters, compared to the world as a whole.
CCM infection trends in Canada and worldwide

[Figure. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11, 4Q11, 1Q12, 2Q12, 3Q12, 4Q12; series: Worldwide, Canada.]


Threat categories
Malware and potentially unwanted software categories in Canada in 4Q12, by percentage of computers reporting detections

[Figure. Y-axis: percent of computers reporting detections; series: Canada, Worldwide.]



The most common category in Canada in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Canada in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.0 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Canada in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, down from 27.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Canada in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | JS/IframeRef | Misc. Trojans | 10.7% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0% |
| 3 | Java/Blacole | Exploits | 8.8% |
| 4 | Win32/Sirefef | Misc. Trojans | 8.7% |
| 5 | Win32/Pdfjsc | Exploits | 7.6% |
| 6 | Win32/DealPly | Adware | 6.7% |
| 7 | Win32/Hotbar | Adware | 6.6% |
| 8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.4% |
| 9 | ASX/Wimad | Trojan Downloaders & Droppers | 6.2% |
| 10 | Win32/OpenCandy | Adware | 3.6% |



The most common threat family in Canada in 4Q12 was JS/IframeRef, which affected 10.7 percent of computers with detections in Canada. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The second most common threat family in Canada in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Canada. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Canada in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in Canada. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Canada in 4Q12 was Win32/Sirefef, which affected 8.7 percent of computers with detections in Canada. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Canada

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.79 (5.41) | 5.23 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.20 (9.46) | 7.99 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.39 (0.56) | 0.31 (0.33) |


Chile
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Chile in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Chile

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 13.7 | 9.4 | 7.1 | 5.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Chile and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.6 of every 1,000 computers scanned in Chile in 4Q12 (a CCM score of 5.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Chile over the last six quarters, compared to the world as a whole.
CCM infection trends in Chile and worldwide

[Figure. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11, 4Q11, 1Q12, 2Q12, 3Q12, 4Q12; series: Worldwide, Chile.]


Threat categories
Malware and potentially unwanted software categories in Chile in 4Q12, by percentage of computers reporting detections

[Figure. Y-axis: percent of computers reporting detections; series: Chile, Worldwide.]



The most common category in Chile in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.2 percent of all computers with detections there, up from 33.1 percent in 3Q12. The second most common category in Chile in 4Q12 was Worms. It affected 36.6 percent of all computers with detections there, up from 33.8 percent in 3Q12. The third most common category in Chile in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 21.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Chile in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Dorkbot | Worms | 21.4% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.6% |
| 4 | Win32/Conficker | Worms | 5.4% |
| 5 | Win32/OpenCandy | Adware | 4.6% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.7% |
| 7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.5% |
| 8 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.4% |
| 9 | Win32/Brontok | Worms | 3.4% |
| 10 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.4% |



The most common threat family in Chile in 4Q12 was Win32/Dorkbot, which affected 21.4 percent of computers with detections in Chile. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Chile in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Chile. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Chile in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Chile. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Chile in 4Q12 was Win32/Conficker, which affected 5.4 percent of computers with detections in Chile. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Chile

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 11.09 (5.41) | 9.75 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.65 (9.46) | 10.38 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.53 (0.56) | 0.28 (0.33) |


China
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in China in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for China

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 0.8 | 0.6 | 0.6 | 0.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in China and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 0.7 of every 1,000 computers scanned in China in 4Q12 (a CCM score of 0.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for China over the last six quarters, compared to the world as a whole.
CCM infection trends in China and worldwide

[Figure. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11, 4Q11, 1Q12, 2Q12, 3Q12, 4Q12; series: Worldwide, China.]


Threat categories
Malware and potentially unwanted software categories in China in 4Q12, by percentage of computers reporting detections

[Figure. Y-axis: percent of computers reporting detections; series: China, Worldwide.]



The most common category in China in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.0 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in China in 4Q12 was Miscellaneous Trojans. It affected 32.1 percent of all computers with detections there, up from 28.4 percent in 3Q12. The third most common category in China in 4Q12 was Viruses, which affected 15.2 percent of all computers with detections there, up from 13.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in China in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.2% |
| 2 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 12.5% |
| 3 | Win32/PossibleHostsFileHijack | Misc. Potentially Unwanted Software | 6.8% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.6% |
| 5 | X97M/Mailcab | Viruses | 4.8% |
| 6 | JS/IframeRef | Misc. Trojans | 4.6% |
| 7 | Win32/Agent | Trojan Downloaders & Droppers | 4.5% |
| 8 | Win32/Conficker | Worms | 4.3% |
| 9 | Win32/Nitol | Misc. Trojans | 3.5% |
| 10 | Win32/Orsam | Misc. Trojans | 3.5% |



The most common threat family in China in 4Q12 was Win32/Keygen, which affected 20.2 percent of computers with detections in China. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in China in 4Q12 was Win32/BaiduSobar, which affected 12.5 percent of computers with detections in China. Win32/BaiduSobar is a Chinese-language web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page. The third most common threat family in China in 4Q12 was Win32/PossibleHostsFileHijack, which affected 6.8 percent of computers with detections in China. Win32/PossibleHostsFileHijack is an indicator that the computer’s HOSTS file may have been modified by malicious or potentially unwanted software, which can cause access to certain Internet domains and websites to be redirected or denied. The fourth most common threat family in China in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in China. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for China

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 2.88 (5.41) | 3.43 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 25.14 (9.46) | 25.09 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.15 (0.56) | 0.17 (0.33) |


Colombia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Colombia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Colombia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.3 | 7.2 | 7.1 | 5.8 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Colombia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.8 of every 1,000 computers scanned in Colombia in 4Q12 (a CCM score of 5.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Colombia over the last six quarters, compared to the world as a whole.
CCM infection trends in Colombia and worldwide

[Figure. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11, 4Q11, 1Q12, 2Q12, 3Q12, 4Q12; series: Worldwide, Colombia.]


Threat categories
Malware and potentially unwanted software categories in Colombia in 4Q12, by percentage of computers reporting detections

[Figure. Y-axis: percent of computers reporting detections; series: Colombia, Worldwide.]



The most common category in Colombia in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, up from 40.7 percent in 3Q12. The second most common category in Colombia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.6 percent of all computers with detections there, up from 37.5 percent in 3Q12. The third most common category in Colombia in 4Q12 was Miscellaneous Trojans, which affected 21.9 percent of all computers with detections there, down from 24.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Colombia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Dorkbot | Worms | 21.5% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.0% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 15.7% |
| 4 | Win32/Conficker | Worms | 8.3% |
| 5 | Win32/Sality | Viruses | 6.5% |
| 6 | Win32/VBInject | Misc. Potentially Unwanted Software | 5.2% |
| 7 | Win32/Silly_P2P | Trojan Downloaders & Droppers | 4.3% |
| 8 | Win32/Vobfus | Worms | 4.2% |
| 9 | Win32/OpenCandy | Adware | 3.9% |
| 10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.8% |



The most common threat family in Colombia in 4Q12 was Win32/Dorkbot, which affected 21.5 percent of computers with detections in Colombia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Colombia in 4Q12 was Win32/Keygen, which affected 18.0 percent of computers with detections in Colombia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Colombia in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in Colombia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Colombia in 4Q12 was Win32/Conficker, which affected 8.3 percent of computers with detections in Colombia. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Colombia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 11.90 (5.41) | 8.42 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.97 (9.46) | 11.50 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.72 (0.56) | 0.01 (0.33) |


Costa Rica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Costa Rica in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Costa Rica

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.8 | 4.3 | 4.0 | 3.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Costa Rica and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.7 of every 1,000 computers scanned in Costa Rica in 4Q12 (a CCM score of 3.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Costa Rica over the last six quarters, compared to the world as a whole.
CCM infection trends in Costa Rica and worldwide

[Figure. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11, 4Q11, 1Q12, 2Q12, 3Q12, 4Q12; series: Worldwide, Costa Rica.]


Threat categories
Malware and potentially unwanted software categories in Costa Rica in 4Q12, by percentage of computers reporting detections

[Figure. Y-axis: percent of computers reporting detections; series: Costa Rica, Worldwide.]



The most common category in Costa Rica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Costa Rica in 4Q12 was Worms. It affected 27.3 percent of all computers with detections there, down from 28.1 percent in 3Q12. The third most common category in Costa Rica in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, up from 22.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Costa Rica in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.7% |
| 2 | Win32/Dorkbot | Worms | 13.7% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.5% |
| 4 | Win32/OpenCandy | Adware | 5.2% |
| 5 | Win32/Conficker | Worms | 4.5% |
| 6 | JS/IframeRef | Misc. Trojans | 4.4% |
| 7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.9% |
| 8 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6% |
| 9 | Win32/Rimecud | Misc. Trojans | 3.3% |
| 10 | Win32/Sality | Viruses | 3.1% |



The most common threat family in Costa Rica in 4Q12 was Win32/Keygen, which affected 21.7 percent of computers with detections in Costa Rica. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Costa Rica in 4Q12 was Win32/Dorkbot, which affected 13.7 percent of computers with detections in Costa Rica. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Costa Rica in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Costa Rica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Costa Rica in 4Q12 was Win32/OpenCandy, which affected 5.2 percent of computers with detections in Costa Rica. Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions may send user-specific information, including a unique machine code, operating system information, locale, and certain other information to a remote server without obtaining adequate user consent.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Costa Rica

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.70 (5.41) | 2.59 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.19 (9.46) | 6.67 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.86 (0.56) | 1.08 (0.33) |

Croatia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Croatia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Croatia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.3 | 8.0 | 7.4 | 7.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Croatia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Croatia in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Croatia over the last six quarters, compared to the world as a whole.
CCM infection trends in Croatia and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Croatia]

Threat categories
Malware and potentially unwanted software categories in Croatia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Croatia, Worldwide]



The most common category in Croatia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.7 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Croatia in 4Q12 was Miscellaneous Trojans. It affected 29.3 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Croatia in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, down from 24.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Croatia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.2% |
| 2 | Win32/Pdfjsc | Exploits | 7.4% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.7% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.6% |
| 5 | JS/IframeRef | Misc. Trojans | 4.9% |
| 6 | JS/BlacoleRef | Misc. Trojans | 4.8% |
| 7 | Win32/Hotbar | Adware | 4.5% |
| 8 | Win32/Rimecud | Misc. Trojans | 4.4% |
| 9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.2% |
| 10 | Win32/Conficker | Worms | 3.8% |



The most common threat family in Croatia in 4Q12 was Win32/Keygen, which affected 19.2 percent of computers with detections in Croatia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Croatia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Croatia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Croatia in 4Q12 was INF/Autorun, which affected 6.7 percent of computers with detections in Croatia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Croatia in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in Croatia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Croatia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 5.07 (5.41) | 3.47 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.33 (9.46) | 11.20 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.21 (0.56) | 0.19 (0.33) |

Cyprus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Cyprus in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Cyprus

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 7.3 | 6.3 | 5.3 | 5.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Cyprus and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.4 of every 1,000 computers scanned in Cyprus in 4Q12 (a CCM score of 5.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Cyprus over the last six quarters, compared to the world as a whole.
CCM infection trends in Cyprus and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Cyprus]

Threat categories
Malware and potentially unwanted software categories in Cyprus in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Cyprus, Worldwide]



The most common category in Cyprus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 34.1 percent in 3Q12. The second most common category in Cyprus in 4Q12 was Worms. It affected 22.8 percent of all computers with detections there, up from 19.3 percent in 3Q12. The third most common category in Cyprus in 4Q12 was Miscellaneous Trojans, which affected 22.5 percent of all computers with detections there, up from 21.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Cyprus in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.8% |
| 2 | Win32/Hotbar | Adware | 9.2% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.6% |
| 4 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.5% |
| 5 | Win32/Conficker | Worms | 4.8% |
| 6 | Win32/Pdfjsc | Exploits | 4.5% |
| 7 | JS/IframeRef | Misc. Trojans | 4.3% |
| 8 | Win32/OpenCandy | Adware | 4.1% |
| 9 | Win32/DealPly | Adware | 3.8% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.7% |



The most common threat family in Cyprus in 4Q12 was Win32/Keygen, which affected 16.8 percent of computers with detections in Cyprus. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Cyprus in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Cyprus. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Cyprus in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Cyprus. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Cyprus in 4Q12 was Win32/Zwangi, which affected 7.5 percent of computers with detections in Cyprus. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Cyprus

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 14.04 (5.41) | 15.16 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 20.21 (9.46) | 15.72 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 6.20 (0.56) | 1.87 (0.33) |

Czech Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Czech Republic in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Czech Republic

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 2.1 | 1.8 | 2.1 | 1.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Czech Republic and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in the Czech Republic in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Czech Republic over the last six quarters, compared to the world as a whole.
CCM infection trends in the Czech Republic and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Czech Republic]

Threat categories
Malware and potentially unwanted software categories in the Czech Republic in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Czech Republic, Worldwide]



The most common category in the Czech Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.1 percent in 3Q12. The second most common category in the Czech Republic in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, up from 29.9 percent in 3Q12. The third most common category in the Czech Republic in 4Q12 was Exploits, which affected 16.4 percent of all computers with detections there, up from 7.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the Czech Republic in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.7% |
| 2 | JS/IframeRef | Misc. Trojans | 11.3% |
| 3 | Win32/Pdfjsc | Exploits | 8.3% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.9% |
| 5 | Win32/OpenCandy | Adware | 6.0% |
| 6 | Java/Blacole | Exploits | 5.2% |
| 7 | Win32/Dorkbot | Worms | 4.8% |
| 8 | Win32/Sirefef | Misc. Trojans | 2.9% |
| 9 | Win32/Reveton | Misc. Trojans | 2.9% |
| 10 | Win32/Dynamer | Misc. Trojans | 2.8% |



The most common threat family in the Czech Republic in 4Q12 was Win32/Keygen, which affected 23.7 percent of computers with detections in the Czech Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in the Czech Republic in 4Q12 was JS/IframeRef, which affected 11.3 percent of computers with detections in the Czech Republic. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in the Czech Republic in 4Q12 was Win32/Pdfjsc, which affected 8.3 percent of computers with detections in the Czech Republic. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in the Czech Republic in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in the Czech Republic. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Czech Republic

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.55 (5.41) | 3.92 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.98 (9.46) | 6.68 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.56 (0.56) | 0.50 (0.33) |

Denmark
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Denmark in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Denmark

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.5 | 1.7 | 1.7 | 1.5 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Denmark and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.5 of every 1,000 computers scanned in Denmark in 4Q12 (a CCM score of 1.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Denmark over the last six quarters, compared to the world as a whole.
CCM infection trends in Denmark and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Denmark]

Threat categories
Malware and potentially unwanted software categories in Denmark in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Denmark, Worldwide]



The most common category in Denmark in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.2 percent of all computers with detections there, up from 30.3 percent in 3Q12. The second most common category in Denmark in 4Q12 was Miscellaneous Trojans. It affected 30.4 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in Denmark in 4Q12 was Adware, which affected 24.9 percent of all computers with detections there, down from 29.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Denmark in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.8% |
| 2 | Win32/DealPly | Adware | 11.8% |
| 3 | JS/IframeRef | Misc. Trojans | 7.9% |
| 4 | Win32/Pdfjsc | Exploits | 7.9% |
| 5 | Win32/Hotbar | Adware | 7.8% |
| 6 | Win32/Sirefef | Misc. Trojans | 7.8% |
| 7 | Java/Blacole | Exploits | 5.0% |
| 8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.8% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.3% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.2% |



The most common threat family in Denmark in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in Denmark. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Denmark in 4Q12 was Win32/DealPly, which affected 11.8 percent of computers with detections in Denmark. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Denmark in 4Q12 was JS/IframeRef, which affected 7.9 percent of computers with detections in Denmark. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Denmark in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Denmark. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Denmark

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.51 (5.41) | 5.98 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.27 (9.46) | 6.01 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.55 (0.56) | 0.38 (0.33) |

Dominican Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Dominican Republic in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Dominican Republic

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.2 | 13.8 | 13.1 | 12.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Dominican Republic and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.4 of every 1,000 computers scanned in the Dominican Republic in 4Q12 (a CCM score of 12.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Dominican Republic over the last six quarters, compared to the world as a whole.
CCM infection trends in the Dominican Republic and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Dominican Republic]

Threat categories
Malware and potentially unwanted software categories in the Dominican Republic in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Dominican Republic, Worldwide]



The most common category in the Dominican Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.5 percent of all computers with detections there, up from 38.4 percent in 3Q12. The second most common category in the Dominican Republic in 4Q12 was Worms. It affected 40.5 percent of all computers with detections there, up from 39.6 percent in 3Q12. The third most common category in the Dominican Republic in 4Q12 was Miscellaneous Trojans, which affected 26.2 percent of all computers with detections there, down from 27.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the Dominican Republic in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Sality | Viruses | 24.0% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 22.1% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.1% |
| 4 | Win32/Dorkbot | Worms | 10.6% |
| 5 | Win32/Vobfus | Worms | 8.2% |
| 6 | Win32/Brontok | Worms | 7.6% |
| 7 | Win32/Pushbot | Worms | 6.1% |
| 8 | Win32/Rimecud | Misc. Trojans | 4.8% |
| 9 | Win32/Conficker | Worms | 4.6% |
| 10 | Win32/Silly_P2P | Trojan Downloaders & Droppers | 4.4% |



The most common threat family in the Dominican Republic in 4Q12 was Win32/Sality, which affected 24.0 percent of computers with detections in the Dominican Republic. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in the Dominican Republic in 4Q12 was INF/Autorun, which affected 22.1 percent of computers with detections in the Dominican Republic. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in the Dominican Republic in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in the Dominican Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in the Dominican Republic in 4Q12 was Win32/Dorkbot, which affected 10.6 percent of computers with detections in the Dominican Republic. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Dominican Republic

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.16 (0.56) | 0.04 (0.33) |

Ecuador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ecuador in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ecuador

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.3 | 11.1 | 9.8 | 8.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ecuador and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 8.7 of every 1,000 computers scanned in Ecuador in 4Q12 (a CCM score of 8.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ecuador over the last six quarters, compared to the world as a whole.
CCM infection trends in Ecuador and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for Ecuador and worldwide.]

Threat categories
Malware and potentially unwanted software categories in Ecuador in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for Ecuador and worldwide.]



The most common category in Ecuador in 4Q12 was Worms. It affected 48.0 percent of all computers with detections there, up from 47.3 percent in 3Q12. The second most common category in Ecuador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.2 percent of all computers with detections there, up from 36.9 percent in 3Q12. The third most common category in Ecuador in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 26.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Ecuador in 4Q12

| | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Dorkbot | Worms | 26.3% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.8% |
| 3 | Win32/Vobfus | Worms | 14.2% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 13.0% |
| 5 | Win32/VBInject | Misc. Potentially Unwanted Software | 6.1% |
| 6 | Win32/Sality | Viruses | 5.6% |
| 7 | Win32/Conficker | Worms | 5.3% |
| 8 | Win32/Ramnit | Misc. Trojans | 4.5% |
| 9 | Win32/OpenCandy | Adware | 4.3% |
| 10 | Win32/CplLnk | Exploits | 4.2% |



The most common threat family in Ecuador in 4Q12 was Win32/Dorkbot, which affected 26.3 percent of computers with detections in Ecuador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Ecuador in 4Q12 was Win32/Keygen, which affected 17.8 percent of computers with detections in Ecuador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ecuador in 4Q12 was Win32/Vobfus, which affected 14.2 percent of computers with detections in Ecuador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Ecuador in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Ecuador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ecuador

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 5.86 (5.41) | 5.37 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.30 (9.46) | 11.72 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.11 (0.33) |


Egypt
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Egypt in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Egypt

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 24.7 | 23.4 | 20.1 | 22.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Egypt and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 22.3 of every 1,000 computers scanned in Egypt in 4Q12 (a CCM score of 22.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Egypt over the last six quarters, compared to the world as a whole.
CCM infection trends in Egypt and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for Egypt and worldwide.]

Threat categories
Malware and potentially unwanted software categories in Egypt in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for Egypt and worldwide.]



The most common category in Egypt in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Egypt in 4Q12 was Worms. It affected 37.2 percent of all computers with detections there, up from 29.8 percent in 3Q12. The third most common category in Egypt in 4Q12 was Viruses, which affected 35.7 percent of all computers with detections there, up from 31.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Egypt in 4Q12

| | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Sality | Viruses | 29.3% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.6% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 21.7% |
| 4 | Win32/Dorkbot | Worms | 9.5% |
| 5 | Win32/Virut | Viruses | 8.7% |
| 6 | Win32/Ramnit | Misc. Trojans | 7.4% |
| 7 | Win32/Agent | Trojan Downloaders & Droppers | 6.0% |
| 8 | Win32/Folstart | Worms | 5.9% |
| 9 | Win32/Nuqel | Worms | 5.5% |
| 10 | Win32/Patch | Misc. Potentially Unwanted Software | 5.0% |



The most common threat family in Egypt in 4Q12 was Win32/Sality, which affected 29.3 percent of computers with detections in Egypt. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in Egypt in 4Q12 was Win32/Keygen, which affected 26.6 percent of computers with detections in Egypt. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Egypt in 4Q12 was INF/Autorun, which affected 21.7 percent of computers with detections in Egypt. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Egypt in 4Q12 was Win32/Dorkbot, which affected 9.5 percent of computers with detections in Egypt. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Egypt

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 7.61 (5.41) | 4.61 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.83 (9.46) | 14.82 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.00 (0.33) |


El Salvador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in El Salvador in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for El Salvador

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.8 | 6.1 | 5.9 | 5.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in El Salvador and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.4 of every 1,000 computers scanned in El Salvador in 4Q12 (a CCM score of 5.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for El Salvador over the last six quarters, compared to the world as a whole.
CCM infection trends in El Salvador and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for El Salvador and worldwide.]

Threat categories
Malware and potentially unwanted software categories in El Salvador in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for El Salvador and worldwide.]



The most common category in El Salvador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.7 percent of all computers with detections there, up from 39.6 percent in 3Q12. The second most common category in El Salvador in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 39.7 percent in 3Q12. The third most common category in El Salvador in 4Q12 was Miscellaneous Trojans, which affected 22.2 percent of all computers with detections there, down from 23.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in El Salvador in 4Q12

| | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.0% |
| 2 | Win32/Dorkbot | Worms | 20.1% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.7% |
| 4 | Win32/Vobfus | Worms | 8.9% |
| 5 | Win32/Conficker | Worms | 5.2% |
| 6 | Win32/Brontok | Worms | 5.1% |
| 7 | Win32/OpenCandy | Adware | 4.7% |
| 8 | Win32/Sality | Viruses | 4.7% |
| 9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.5% |
| 10 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.5% |



The most common threat family in El Salvador in 4Q12 was Win32/Keygen, which affected 21.0 percent of computers with detections in El Salvador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in El Salvador in 4Q12 was Win32/Dorkbot, which affected 20.1 percent of computers with detections in El Salvador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in El Salvador in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in El Salvador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in El Salvador in 4Q12 was Win32/Vobfus, which affected 8.9 percent of computers with detections in El Salvador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for El Salvador

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.15 (0.56) | 0.19 (0.33) |


Estonia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Estonia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Estonia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.6 | 3.0 | 2.4 | 2.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Estonia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in Estonia in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Estonia over the last six quarters, compared to the world as a whole.
CCM infection trends in Estonia and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for Estonia and worldwide.]

Threat categories
Malware and potentially unwanted software categories in Estonia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for Estonia and worldwide.]



The most common category in Estonia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.4 percent of all computers with detections there, up from 43.2 percent in 3Q12. The second most common category in Estonia in 4Q12 was Miscellaneous Trojans. It affected 27.4 percent of all computers with detections there, up from 24.7 percent in 3Q12. The third most common category in Estonia in 4Q12 was Adware, which affected 19.0 percent of all computers with detections there, down from 26.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Estonia in 4Q12

| | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.7% |
| 2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.4% |
| 3 | Win32/Hotbar | Adware | 7.4% |
| 4 | JS/IframeRef | Misc. Trojans | 7.0% |
| 5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.9% |
| 6 | ASX/Wimad | Trojan Downloaders & Droppers | 4.3% |
| 7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.5% |
| 8 | Win32/OpenCandy | Adware | 3.4% |
| 9 | JS/BlacoleRef | Misc. Trojans | 3.3% |
| 10 | Win32/Pameseg | Misc. Potentially Unwanted Software | 3.2% |



The most common threat family in Estonia in 4Q12 was Win32/Keygen, which affected 22.7 percent of computers with detections in Estonia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Estonia in 4Q12 was Win32/Obfuscator, which affected 8.4 percent of computers with detections in Estonia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Estonia in 4Q12 was Win32/Hotbar, which affected 7.4 percent of computers with detections in Estonia. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in Estonia in 4Q12 was JS/IframeRef, which affected 7.0 percent of computers with detections in Estonia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Estonia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.53 (5.41) | 5.30 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.70 (9.46) | 5.70 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.44 (0.56) | 0.22 (0.33) |


Finland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Finland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Finland

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.1 | 1.1 | 1.4 | 0.8 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Finland and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 0.8 of every 1,000 computers scanned in Finland in 4Q12 (a CCM score of 0.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Finland over the last six quarters, compared to the world as a whole.
CCM infection trends in Finland and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for Finland and worldwide.]

Threat categories
Malware and potentially unwanted software categories in Finland in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for Finland and worldwide.]



The most common category in Finland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.3 percent of all computers with detections there, up from 28.8 percent in 3Q12. The second most common category in Finland in 4Q12 was Miscellaneous Trojans. It affected 26.6 percent of all computers with detections there, up from 24.3 percent in 3Q12. The third most common category in Finland in 4Q12 was Exploits, which affected 24.6 percent of all computers with detections there, up from 18.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Finland in 4Q12

| | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.4% |
| 2 | Win32/Pdfjsc | Exploits | 10.9% |
| 3 | Java/Blacole | Exploits | 10.5% |
| 4 | Win32/Hotbar | Adware | 8.3% |
| 5 | Win32/DealPly | Adware | 7.6% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.4% |
| 7 | Win32/Reveton | Misc. Trojans | 5.9% |
| 8 | JS/IframeRef | Misc. Trojans | 5.8% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.8% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6% |



The most common threat family in Finland in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Finland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Finland in 4Q12 was Win32/Pdfjsc, which affected 10.9 percent of computers with detections in Finland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Finland in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in Finland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Finland in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Finland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Finland

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 1.85 (5.41) | 1.85 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 4.56 (9.46) | 3.88 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.19 (0.56) | 0.03 (0.33) |


France
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in France in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for France

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.2 | 2.9 | 2.2 | 1.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in France and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.9 of every 1,000 computers scanned in France in 4Q12 (a CCM score of 1.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for France over the last six quarters, compared to the world as a whole.
CCM infection trends in France and worldwide

[Figure: CCM (computers cleaned per 1,000 scanned) by quarter, 3Q11 through 4Q12, for France and worldwide.]

Threat categories
Malware and potentially unwanted software categories in France in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category, for France and worldwide.]

 

The most common category in France in 4Q12 was Adware. It affected 41.1 percent of all computers with detections there, up from 41.1 percent in 3Q12. The second most common category in France in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.1 percent of all computers with detections there, up from 27.0 percent in 3Q12. The third most common category in France in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 22.3 percent in 3Q12.




Threat families
The top 10 malware and potentially unwanted software families in France in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/DealPly | Adware | 19.8%
2 | Win32/Zwangi | Misc. Potentially Unwanted Software | 11.9%
3 | Win32/Hotbar | Adware | 11.0%
4 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.5%
5 | Win32/Pdfjsc | Exploits | 5.2%
6 | ASX/Wimad | Trojan Downloaders & Droppers | 4.7%
7 | JS/IframeRef | Misc. Trojans | 4.2%
8 | Win32/ClickPotato | Adware | 4.0%
9 | Win32/OpenCandy | Adware | 3.9%
10 | Java/Blacole | Exploits | 3.8%



The most common threat family in France in 4Q12 was Win32/DealPly, which affected 19.8 percent of computers with detections in France. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in France in 4Q12 was Win32/Zwangi, which affected 11.9 percent of computers with detections in France. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The third most common threat family in France in 4Q12 was Win32/Hotbar, which affected 11.0 percent of computers with detections in France. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in France in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in France. Win32/Keygen is a generic detection for tools that generate product keys for various software products.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for France

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 4.16 (5.41) | 3.98 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 6.89 (9.46) | 7.51 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.30 (0.56) | 0.24 (0.33)


Georgia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Georgia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Georgia

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 23.3 | 25.2 | 22.9 | 24.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Georgia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 24.2 of every 1,000 computers scanned in Georgia in 4Q12 (a CCM score of 24.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Georgia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Georgia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Georgia.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Georgia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Georgia, Worldwide.]



The most common category in Georgia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.0 percent of all computers with detections there, up from 43.6 percent in 3Q12. The second most common category in Georgia in 4Q12 was Worms. It affected 43.3 percent of all computers with detections there, up from 39.8 percent in 3Q12. The third most common category in Georgia in 4Q12 was Miscellaneous Trojans, which affected 33.1 percent of all computers with detections there, down from 35.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Georgia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5%
2 | Win32/Dorkbot | Worms | 13.2%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.0%
4 | JS/IframeRef | Misc. Trojans | 11.1%
5 | Win32/Sality | Viruses | 9.7%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 9.1%
7 | Win32/Brontok | Worms | 7.1%
8 | Win32/Verst | Worms | 6.1%
9 | Win32/Phorpiex | Worms | 5.7%
10 | Win32/Sohanad | Worms | 5.0%



The most common threat family in Georgia in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Georgia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Georgia in 4Q12 was Win32/Dorkbot, which affected 13.2 percent of computers with detections in Georgia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Georgia in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Georgia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Georgia in 4Q12 was JS/IframeRef, which affected 11.1 percent of computers with detections in Georgia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Georgia

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 13.89 (5.41) | 8.68 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 19.10 (9.46) | 15.63 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 4.49 (0.56) | 0.78 (0.33)


Germany
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Germany in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Germany

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.5 | 3.0 | 2.6 | 2.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Germany and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.1 of every 1,000 computers scanned in Germany in 4Q12 (a CCM score of 2.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Germany over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Germany and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Germany.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Germany in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Germany, Worldwide.]



The most common category in Germany in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.2 percent of all computers with detections there, up from 24.5 percent in 3Q12. The second most common category in Germany in 4Q12 was Miscellaneous Trojans. It affected 27.2 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in Germany in 4Q12 was Exploits, which affected 27.0 percent of all computers with detections there, up from 21.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Germany in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Pdfjsc | Exploits | 14.4%
2 | Java/Blacole | Exploits | 12.3%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.6%
4 | Win32/DealPly | Adware | 9.7%
5 | Win32/Sirefef | Misc. Trojans | 5.4%
6 | JS/IframeRef | Misc. Trojans | 5.3%
7 | Win32/OpenCandy | Adware | 4.7%
8 | Win32/Reveton | Misc. Trojans | 4.2%
9 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.1%
10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.7%



The most common threat family in Germany in 4Q12 was Win32/Pdfjsc, which affected 14.4 percent of computers with detections in Germany. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Germany in 4Q12 was Java/Blacole, which affected 12.3 percent of computers with detections in Germany. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The third most common threat family in Germany in 4Q12 was Win32/Keygen, which affected 11.6 percent of computers with detections in Germany. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Germany in 4Q12 was Win32/DealPly, which affected 9.7 percent of computers with detections in Germany. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Germany

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.44 (5.41) | 3.66 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 5.97 (9.46) | 7.71 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 4.19 (0.56) | 1.11 (0.33)


Greece
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Greece in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Greece

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 7.3 | 6.3 | 5.3 | 5.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Greece and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Greece in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Greece over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Greece and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Greece.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Greece in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Greece, Worldwide.]



The most common category in Greece in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 32.6 percent in 3Q12. The second most common category in Greece in 4Q12 was Miscellaneous Trojans. It affected 27.0 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Greece in 4Q12 was Exploits, which affected 22.1 percent of all computers with detections there, up from 13.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Greece in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.1%
2 | Win32/Pdfjsc | Exploits | 11.2%
3 | Java/Blacole | Exploits | 10.0%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 8.3%
5 | JS/IframeRef | Misc. Trojans | 5.8%
6 | Win32/DealPly | Adware | 5.8%
7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.4%
8 | Win32/Reveton | Misc. Trojans | 4.9%
9 | Win32/Hotbar | Adware | 4.9%
10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.3%



The most common threat family in Greece in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Greece. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Greece in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Greece. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Greece in 4Q12 was Java/Blacole, which affected 10.0 percent of computers with detections in Greece. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Greece in 4Q12 was INF/Autorun, which affected 8.3 percent of computers with detections in Greece. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Greece

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.20 (5.41) | 4.15 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.70 (9.46) | 8.65 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.07 (0.56) | 0.12 (0.33)


Guatemala
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Guatemala in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Guatemala

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 8.0 | 6.9 | 6.8 | 6.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Guatemala and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.1 of every 1,000 computers scanned in Guatemala in 4Q12 (a CCM score of 6.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Guatemala over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Guatemala and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Guatemala.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Guatemala in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Guatemala, Worldwide.]



The most common category in Guatemala in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.0 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Guatemala in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 42.4 percent in 3Q12. The third most common category in Guatemala in 4Q12 was Miscellaneous Trojans, which affected 22.9 percent of all computers with detections there, down from 23.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Guatemala in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 18.1%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.7%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.6%
4 | Win32/Vobfus | Worms | 11.5%
5 | Win32/Sality | Viruses | 5.7%
6 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.2%
7 | Win32/Conficker | Worms | 4.2%
8 | Win32/OpenCandy | Adware | 4.0%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%
10 | Win32/Brontok | Worms | 3.2%



The most common threat family in Guatemala in 4Q12 was Win32/Dorkbot, which affected 18.1 percent of computers with detections in Guatemala. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Guatemala in 4Q12 was Win32/Keygen, which affected 17.7 percent of computers with detections in Guatemala. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Guatemala in 4Q12 was INF/Autorun, which affected 13.6 percent of computers with detections in Guatemala. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Guatemala in 4Q12 was Win32/Vobfus, which affected 11.5 percent of computers with detections in Guatemala. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Guatemala

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33)


Honduras
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Honduras in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Honduras

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 9.1 | 8.5 | 7.9 | 7.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Honduras and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.1 of every 1,000 computers scanned in Honduras in 4Q12 (a CCM score of 7.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Honduras over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Honduras and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Honduras.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Honduras in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Honduras, Worldwide.]



The most common category in Honduras in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.8 percent of all computers with detections there, up from 39.3 percent in 3Q12. The second most common category in Honduras in 4Q12 was Worms. It affected 42.1 percent of all computers with detections there, up from 42.0 percent in 3Q12. The third most common category in Honduras in 4Q12 was Miscellaneous Trojans, which affected 22.0 percent of all computers with detections there, down from 22.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Honduras in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.0%
2 | Win32/Dorkbot | Worms | 16.4%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 14.8%
4 | Win32/Vobfus | Worms | 14.6%
5 | Win32/Nuqel | Worms | 8.1%
6 | Win32/Conficker | Worms | 4.9%
7 | Win32/Sality | Viruses | 4.8%
8 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.4%
9 | Win32/OpenCandy | Adware | 4.0%
10 | JS/IframeRef | Misc. Trojans | 3.4%



The most common threat family in Honduras in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Honduras. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Honduras in 4Q12 was Win32/Dorkbot, which affected 16.4 percent of computers with detections in Honduras. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Honduras in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Honduras. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Honduras in 4Q12 was Win32/Vobfus, which affected 14.6 percent of computers with detections in Honduras. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Honduras

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33) |


Hong Kong S.A.R.
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Hong Kong S.A.R. in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Hong Kong S.A.R.

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.5 | 2.6 | 2.3 | 2.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hong Kong S.A.R. and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Hong Kong S.A.R. in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Hong Kong S.A.R. over the last six quarters, compared to the world as a whole.
CCM infection trends in Hong Kong S.A.R. and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for Hong Kong S.A.R. and worldwide.]


Threat categories
Malware and potentially unwanted software categories in Hong Kong S.A.R. in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for Hong Kong S.A.R. and worldwide.]



The most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 29.5 percent of all computers with detections there, up from 26.9 percent in 3Q12. The third most common category in Hong Kong S.A.R. in 4Q12 was Worms, which affected 14.4 percent of all computers with detections there, down from 14.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Hong Kong S.A.R. in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5% |
| 2 | JS/IframeRef | Misc. Trojans | 6.9% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.8% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8% |
| 5 | ASX/Wimad | Trojan Downloaders & Droppers | 3.3% |
| 6 | Win32/DealPly | Adware | 3.0% |
| 7 | Win32/Injector | Misc. Potentially Unwanted Software | 3.0% |
| 8 | Win32/OpenCandy | Adware | 2.9% |
| 9 | Win32/Taterf | Worms | 2.7% |
| 10 | Win32/Conficker | Worms | 2.7% |



The most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Hong Kong S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Hong Kong S.A.R. in 4Q12 was JS/IframeRef, which affected 6.9 percent of computers with detections in Hong Kong S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Hong Kong S.A.R. in 4Q12 was INF/Autorun, which affected 6.8 percent of computers with detections in Hong Kong S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.8 percent of computers with detections in Hong Kong S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hong Kong S.A.R.

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 6.01 (5.41) | 6.23 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.70 (9.46) | 12.22 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.28 (0.56) | 0.11 (0.33) |


Hungary
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Hungary in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Hungary

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.3 | 5.2 | 4.5 | 4.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hungary and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Hungary in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Hungary over the last six quarters, compared to the world as a whole.
CCM infection trends in Hungary and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for Hungary and worldwide.]


Threat categories
Malware and potentially unwanted software categories in Hungary in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for Hungary and worldwide.]



The most common category in Hungary in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.4 percent of all computers with detections there, up from 39.0 percent in 3Q12. The second most common category in Hungary in 4Q12 was Miscellaneous Trojans. It affected 25.2 percent of all computers with detections there, down from 26.4 percent in 3Q12. The third most common category in Hungary in 4Q12 was Worms, which affected 18.0 percent of all computers with detections there, up from 17.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Hungary in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.4% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 6.5% |
| 3 | Win32/Pdfjsc | Exploits | 6.5% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.0% |
| 5 | JS/IframeRef | Misc. Trojans | 5.7% |
| 6 | Win32/Hotbar | Adware | 5.2% |
| 7 | Win32/Conficker | Worms | 4.8% |
| 8 | Java/Blacole | Exploits | 3.8% |
| 9 | Win32/Sality | Viruses | 3.6% |
| 10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.2% |



The most common threat family in Hungary in 4Q12 was Win32/Keygen, which affected 23.4 percent of computers with detections in Hungary. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Hungary in 4Q12 was INF/Autorun, which affected 6.5 percent of computers with detections in Hungary. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Hungary in 4Q12 was Win32/Pdfjsc, which affected 6.5 percent of computers with detections in Hungary. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Hungary in 4Q12 was Win32/Obfuscator, which affected 6.0 percent of computers with detections in Hungary. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hungary

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 7.86 (5.41) | 7.86 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 9.11 (9.46) | 10.66 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.31 (0.56) | 1.34 (0.33) |


Iceland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iceland in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Iceland

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.2 | 2.4 | 1.7 | 1.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iceland and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.7 of every 1,000 computers scanned in Iceland in 4Q12 (a CCM score of 1.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Iceland over the last six quarters, compared to the world as a whole.
CCM infection trends in Iceland and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for Iceland and worldwide.]


Threat categories
Malware and potentially unwanted software categories in Iceland in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for Iceland and worldwide.]



The most common category in Iceland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 37.5 percent in 3Q12. The second most common category in Iceland in 4Q12 was Adware. It affected 24.5 percent of all computers with detections there, down from 37.4 percent in 3Q12. The third most common category in Iceland in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, up from 21.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Iceland in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5% |
| 2 | Win32/Hotbar | Adware | 14.3% |
| 3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.9% |
| 4 | JS/IframeRef | Misc. Trojans | 8.1% |
| 5 | Win32/ClickPotato | Adware | 5.4% |
| 6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.2% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 4.9% |
| 8 | Win95/CIH | Viruses | 4.6% |
| 9 | Win32/OpenCandy | Adware | 3.8% |
| 10 | JS/BlacoleRef | Misc. Trojans | 3.2% |



The most common threat family in Iceland in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Iceland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Iceland in 4Q12 was Win32/Hotbar, which affected 14.3 percent of computers with detections in Iceland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Iceland in 4Q12 was Win32/Zwangi, which affected 9.9 percent of computers with detections in Iceland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Iceland in 4Q12 was JS/IframeRef, which affected 8.1 percent of computers with detections in Iceland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iceland

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 5.57 (5.41) | 5.57 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.57 (9.46) | 5.92 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.33 (0.56) | 0.35 (0.33) |


India
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in India in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for India

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 13.2 | 12.5 | 11.3 | 10.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in India and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 10.0 of every 1,000 computers scanned in India in 4Q12 (a CCM score of 10.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for India over the last six quarters, compared to the world as a whole.
CCM infection trends in India and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for India and worldwide.]


Threat categories
Malware and potentially unwanted software categories in India in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for India and worldwide.]



The most common category in India in 4Q12 was Worms. It affected 39.9 percent of all computers with detections there, up from 37.6 percent in 3Q12. The second most common category in India in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.6 percent of all computers with detections there, up from 35.4 percent in 3Q12. The third most common category in India in 4Q12 was Miscellaneous Trojans, which affected 34.7 percent of all computers with detections there, down from 34.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in India in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 22.9% |
| 2 | Win32/Sality | Viruses | 16.8% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.8% |
| 4 | Win32/Ramnit | Misc. Trojans | 12.9% |
| 5 | Win32/CplLnk | Exploits | 10.8% |
| 6 | Win32/Nuqel | Worms | 7.9% |
| 7 | Win32/Rimecud | Misc. Trojans | 6.2% |
| 8 | Win32/Adkubru | Adware | 6.0% |
| 9 | Win32/Virut | Viruses | 5.5% |
| 10 | Win32/Conficker | Worms | 4.9% |



The most common threat family in India in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in India. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in India in 4Q12 was Win32/Sality, which affected 16.8 percent of computers with detections in India. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in India in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in India. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in India in 4Q12 was Win32/Ramnit, which affected 12.9 percent of computers with detections in India. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for India

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 7.73 (5.41) | 7.70 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.84 (9.46) | 13.38 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.29 (0.56) | 0.15 (0.33) |


Indonesia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Indonesia in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Indonesia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 17.0 | 16.6 | 15.7 | 14.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Indonesia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 14.2 of every 1,000 computers scanned in Indonesia in 4Q12 (a CCM score of 14.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Indonesia over the last six quarters, compared to the world as a whole.
CCM infection trends in Indonesia and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for Indonesia and worldwide.]


Threat categories
Malware and potentially unwanted software categories in Indonesia in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for Indonesia and worldwide.]



The most common category in Indonesia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 39.7 percent in 3Q12. The second most common category in Indonesia in 4Q12 was Miscellaneous Trojans. It affected 42.7 percent of all computers with detections there, up from 42.6 percent in 3Q12. The third most common category in Indonesia in 4Q12 was Viruses, which affected 40.4 percent of all computers with detections there, up from 40.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Indonesia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Ramnit | Misc. Trojans | 33.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.5% |
| 3 | Win32/CplLnk | Exploits | 20.6% |
| 4 | Win32/Sality | Viruses | 17.1% |
| 5 | INF/Autorun | Misc. Potentially Unwanted Software | 14.4% |
| 6 | Win32/Virut | Viruses | 12.4% |
| 7 | Win32/Dorkbot | Worms | 10.8% |
| 8 | Win32/Vobfus | Worms | 7.6% |
| 9 | Win32/Conficker | Worms | 7.5% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.2% |



The most common threat family in Indonesia in 4Q12 was Win32/Ramnit, which affected 33.8 percent of computers with detections in Indonesia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Indonesia in 4Q12 was Win32/Keygen, which affected 23.5 percent of computers with detections in Indonesia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Indonesia in 4Q12 was Win32/CplLnk, which affected 20.6 percent of computers with detections in Indonesia. Win32/CplLnk is a generic detection for specially crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The fourth most common threat family in Indonesia in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Indonesia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Indonesia

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 13.83 (5.41) | 14.71 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 12.69 (9.46) | 12.60 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.39 (0.56) | 0.81 (0.33) |


Iraq
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iraq in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Iraq

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 23.7 | 25.3 | 20.7 | 20.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iraq and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 20.6 of every 1,000 computers scanned in Iraq in 4Q12 (a CCM score of 20.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Iraq over the last six quarters, compared to the world as a whole.
CCM infection trends in Iraq and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12, for Iraq and worldwide.]


Threat categories
Malware and potentially unwanted software categories in Iraq in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category, for Iraq and worldwide.]



The most common category in Iraq in 4Q12 was Worms. It affected 41.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Iraq in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 28.8 percent in 3Q12. The third most common category in Iraq in 4Q12 was Miscellaneous Trojans, which affected 33.7 percent of all computers with detections there, up from 26.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Iraq in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.5% |
| 3 | Win32/Sality | Viruses | 18.4% |
| 4 | Win32/Ramnit | Misc. Trojans | 14.9% |
| 5 | Win32/CplLnk | Exploits | 11.6% |
| 6 | Win32/Dorkbot | Worms | 11.0% |
| 7 | Win32/Wecykler | Worms | 7.2% |
| 8 | Win32/Vobfus | Worms | 6.6% |
| 9 | Win32/Brontok | Worms | 6.2% |
| 10 | Win32/Virut | Viruses | 4.7% |



The most common threat family in Iraq in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Iraq. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Iraq in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Iraq. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Iraq in 4Q12 was Win32/Sality, which affected 18.4 percent of computers with detections in Iraq. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Iraq in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Iraq. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iraq

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |


Ireland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ireland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ireland

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.0 | 2.9 | 2.3 | 2.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ireland and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.0 of every 1,000 computers scanned in Ireland in 4Q12 (a CCM score of 2.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ireland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Ireland and worldwide, 3Q11 to 4Q12. Y-axis: computers cleaned per 1,000 scanned (CCM). Series: Worldwide, Ireland.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Ireland in 4Q12, by percentage of computers reporting detections. Series: Ireland, Worldwide.]



The most common category in Ireland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.4 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in Ireland in 4Q12 was Miscellaneous Trojans. It affected 30.3 percent of all computers with detections there, down from 32.8 percent in 3Q12. The third most common category in Ireland in 4Q12 was Adware, which affected 25.6 percent of all computers with detections there, down from 31.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Ireland in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Hotbar | Adware | 12.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0% |
| 3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 8.7% |
| 4 | Java/Blacole | Exploits | 7.3% |
| 5 | Win32/Pdfjsc | Exploits | 7.0% |
| 6 | JS/IframeRef | Misc. Trojans | 6.1% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 5.1% |
| 8 | Win32/DealPly | Adware | 4.5% |
| 9 | Win32/ClickPotato | Adware | 4.4% |
| 10 | Win32/Winwebsec | Misc. Trojans | 4.4% |



The most common threat family in Ireland in 4Q12 was Win32/Hotbar, which affected 12.8 percent of computers with detections in Ireland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The second most common threat family in Ireland in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Ireland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ireland in 4Q12 was Win32/Zwangi, which affected 8.7 percent of computers with detections in Ireland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Ireland in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Ireland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ireland

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 4.29 (5.41) | 3.57 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 4.76 (9.46) | 5.00 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.50 (0.56) | 0.42 (0.33) |


Israel
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Israel in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Israel

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.7 | 8.6 | 6.9 | 6.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Israel and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.9 of every 1,000 computers scanned in Israel in 4Q12 (a CCM score of 6.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Israel over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Israel and worldwide, 3Q11 to 4Q12. Y-axis: computers cleaned per 1,000 scanned (CCM). Series: Worldwide, Israel.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Israel in 4Q12, by percentage of computers reporting detections. Series: Israel, Worldwide.]



The most common category in Israel in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in Israel in 4Q12 was Miscellaneous Trojans. It affected 24.6 percent of all computers with detections there, up from 23.2 percent in 3Q12. The third most common category in Israel in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, up from 20.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Israel in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.9% |
| 2 | Win32/AmmyyAdmin | Misc. Potentially Unwanted Software | 9.9% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 9.5% |
| 4 | Win32/Sality | Viruses | 5.8% |
| 5 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.7% |
| 6 | Win32/Hotbar | Adware | 5.6% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 5.2% |
| 8 | Win32/Brontok | Worms | 5.0% |
| 9 | JS/IframeRef | Misc. Trojans | 4.8% |
| 10 | Win32/Dorkbot | Worms | 3.8% |



The most common threat family in Israel in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Israel. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Israel in 4Q12 was Win32/AmmyyAdmin, which affected 9.9 percent of computers with detections in Israel. Win32/AmmyyAdmin is a remote control application that allows full control of the computer in which it is installed. It can be installed for legitimate purposes, but can also be installed from a remote location by an attacker. The third most common threat family in Israel in 4Q12 was INF/Autorun, which affected 9.5 percent of computers with detections in Israel. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Israel in 4Q12 was Win32/Sality, which affected 5.8 percent of computers with detections in Israel. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Israel

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 10.06 (5.41) | 5.88 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.87 (9.46) | 10.14 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.17 (0.56) | 0.11 (0.33) |


Italy
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Italy in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Italy

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.5 | 4.5 | 3.7 | 3.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Italy and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in Italy in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Italy over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Italy and worldwide, 3Q11 to 4Q12. Y-axis: computers cleaned per 1,000 scanned (CCM). Series: Worldwide, Italy.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Italy in 4Q12, by percentage of computers reporting detections. Series: Italy, Worldwide.]



The most common category in Italy in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.2 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Italy in 4Q12 was Adware. It affected 25.6 percent of all computers with detections there, down from 29.3 percent in 3Q12. The third most common category in Italy in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, down from 28.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Italy in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Pdfjsc | Exploits | 13.7% |
| 2 | Win32/DealPly | Adware | 13.3% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.2% |
| 4 | ASX/Wimad | Trojan Downloaders & Droppers | 11.1% |
| 5 | Java/Blacole | Exploits | 8.0% |
| 6 | JS/IframeRef | Misc. Trojans | 5.5% |
| 7 | INF/Autorun | Misc. Potentially Unwanted Software | 4.7% |
| 8 | Win32/Conficker | Worms | 4.6% |
| 9 | Win32/Sirefef | Misc. Trojans | 3.9% |
| 10 | Win32/Reveton | Misc. Trojans | 3.8% |



The most common threat family in Italy in 4Q12 was Win32/Pdfjsc, which affected 13.7 percent of computers with detections in Italy. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Italy in 4Q12 was Win32/DealPly, which affected 13.3 percent of computers with detections in Italy. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Italy in 4Q12 was Win32/Keygen, which affected 13.2 percent of computers with detections in Italy. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Italy in 4Q12 was ASX/Wimad, which affected 11.1 percent of computers with detections in Italy. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Italy

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 4.47 (5.41) | 4.26 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.21 (9.46) | 8.04 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.48 (0.56) | 0.25 (0.33) |


Jamaica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jamaica in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jamaica

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.8 | 8.2 | 6.8 | 6.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jamaica and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.0 of every 1,000 computers scanned in Jamaica in 4Q12 (a CCM score of 6.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Jamaica over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Jamaica and worldwide, 3Q11 to 4Q12. Y-axis: computers cleaned per 1,000 scanned (CCM). Series: Worldwide, Jamaica.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Jamaica in 4Q12, by percentage of computers reporting detections. Series: Jamaica, Worldwide.]



The most common category in Jamaica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 35.3 percent in 3Q12. The second most common category in Jamaica in 4Q12 was Worms. It affected 36.1 percent of all computers with detections there, up from 31.6 percent in 3Q12. The third most common category in Jamaica in 4Q12 was Adware, which affected 24.0 percent of all computers with detections there, down from 28.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Jamaica in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Vobfus | Worms | 16.2% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 14.8% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.9% |
| 4 | Win32/Hotbar | Adware | 13.6% |
| 5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.3% |
| 6 | Win32/Dorkbot | Worms | 5.8% |
| 7 | Win32/Brontok | Worms | 5.6% |
| 8 | Win32/Rimecud | Misc. Trojans | 4.4% |
| 9 | JS/IframeRef | Misc. Trojans | 4.3% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.2% |



The most common threat family in Jamaica in 4Q12 was Win32/Vobfus, which affected 16.2 percent of computers with detections in Jamaica. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Jamaica in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Jamaica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Jamaica in 4Q12 was Win32/Keygen, which affected 13.9 percent of computers with detections in Jamaica. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Jamaica in 4Q12 was Win32/Hotbar, which affected 13.6 percent of computers with detections in Jamaica. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jamaica

| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |


Japan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Japan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Japan

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.0 | 0.9 | 0.7 | 0.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Japan and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 0.7 of every 1,000 computers scanned in Japan in 4Q12 (a CCM score of 0.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Japan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Japan and worldwide, 3Q11 to 4Q12. Y-axis: computers cleaned per 1,000 scanned (CCM). Series: Worldwide, Japan.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Japan in 4Q12, by percentage of computers reporting detections. Series: Japan, Worldwide.]



The most common category in Japan in 4Q12 was Adware. It affected 37.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Japan in 4Q12 was Miscellaneous Trojans. It affected 26.1 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Japan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 19.8 percent of all computers with detections there, down from 20.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Japan in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/DealPly | Adware | 29.5% |
| 2 | JS/IframeRef | Misc. Trojans | 9.4% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 7.7% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 5 | Win32/OpenCandy | Adware | 5.1% |
| 6 | Win32/Sirefef | Misc. Trojans | 4.2% |
| 7 | Win32/Conficker | Worms | 3.1% |
| 8 | JS/BlacoleRef | Misc. Trojans | 2.7% |
| 9 | Win32/Pdfjsc | Exploits | 2.7% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 2.6% |



The most common threat family in Japan in 4Q12 was Win32/DealPly, which affected 29.5 percent of computers with detections in Japan. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Japan in 4Q12 was JS/IframeRef, which affected 9.4 percent of computers with detections in Japan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Japan in 4Q12 was Win32/Keygen, which affected 7.7 percent of computers with detections in Japan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Japan in 4Q12 was INF/Autorun, which affected 5.5 percent of computers with detections in Japan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Japan

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 1.84 (5.41) | 1.78 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.49 (9.46) | 5.29 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.13 (0.56) | 0.08 (0.33) |


Jordan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jordan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jordan

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.8 | 18.0 | 16.0 | 12.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jordan and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.6 of every 1,000 computers scanned in Jordan in 4Q12 (a CCM score of 12.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Jordan over the last six quarters, compared to the world as a whole.
CCM infection trends in Jordan and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Jordan]

Threat categories
Malware and potentially unwanted software categories in Jordan in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Jordan, Worldwide]



The most common category in Jordan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Jordan in 4Q12 was Worms. It affected 38.3 percent of all computers with detections there, up from 27.2 percent in 3Q12. The third most common category in Jordan in 4Q12 was Miscellaneous Trojans, which affected 35.5 percent of all computers with detections there, up from 26.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Jordan in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.6% |
| 3 | Win32/Sality | Viruses | 15.8% |
| 4 | Win32/Ramnit | Misc. Trojans | 10.7% |
| 5 | Win32/CplLnk | Exploits | 9.7% |
| 6 | Win32/Dorkbot | Worms | 9.3% |
| 7 | Win32/Vobfus | Worms | 8.7% |
| 8 | Win32/Sulunch | Misc. Trojans | 6.8% |
| 9 | JS/IframeRef | Misc. Trojans | 5.0% |
| 10 | Win32/Virut | Viruses | 4.4% |



The most common threat family in Jordan in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Jordan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Jordan in 4Q12 was Win32/Keygen, which affected 16.6 percent of computers with detections in Jordan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Jordan in 4Q12 was Win32/Sality, which affected 15.8 percent of computers with detections in Jordan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Jordan in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Jordan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jordan

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.02 (0.56) | N/A (0.33) |


Kazakhstan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kazakhstan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kazakhstan

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.8 | 8.5 | 7.1 | 6.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kazakhstan and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.9 of every 1,000 computers scanned in Kazakhstan in 4Q12 (a CCM score of 6.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kazakhstan over the last six quarters, compared to the world as a whole.
CCM infection trends in Kazakhstan and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Kazakhstan]

Threat categories
Malware and potentially unwanted software categories in Kazakhstan in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Kazakhstan, Worldwide]



The most common category in Kazakhstan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 48.6 percent of all computers with detections there, down from 52.7 percent in 3Q12. The second most common category in Kazakhstan in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Kazakhstan in 4Q12 was Worms, which affected 24.7 percent of all computers with detections there, up from 20.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Kazakhstan in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.9% |
| 2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 12.6% |
| 3 | Win32/Vobfus | Worms | 12.3% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 10.7% |
| 5 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.3% |
| 6 | Win32/CplLnk | Exploits | 6.0% |
| 7 | Win32/Ramnit | Misc. Trojans | 5.7% |
| 8 | Win32/Webalta | Adware | 5.5% |
| 9 | Win32/Pdfjsc | Exploits | 5.5% |
| 10 | Win32/Vundo | Misc. Trojans | 4.8% |



The most common threat family in Kazakhstan in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Kazakhstan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kazakhstan in 4Q12 was Win32/Pameseg, which affected 12.6 percent of computers with detections in Kazakhstan. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Kazakhstan in 4Q12 was Win32/Vobfus, which affected 12.3 percent of computers with detections in Kazakhstan. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Kazakhstan in 4Q12 was INF/Autorun, which affected 10.7 percent of computers with detections in Kazakhstan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kazakhstan

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 19.00 (5.41) | 11.95 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.89 (9.46) | 14.40 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.64 (0.56) | 0.52 (0.33) |


Kenya
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kenya in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kenya

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.5 | 9.0 | 7.3 | 6.8 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kenya and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.8 of every 1,000 computers scanned in Kenya in 4Q12 (a CCM score of 6.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kenya over the last six quarters, compared to the world as a whole.
CCM infection trends in Kenya and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Kenya]

Threat categories
Malware and potentially unwanted software categories in Kenya in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Kenya, Worldwide]



The most common category in Kenya in 4Q12 was Miscellaneous Trojans. It affected 40.4 percent of all computers with detections there, up from 37.0 percent in 3Q12. The second most common category in Kenya in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 35.0 percent in 3Q12. The third most common category in Kenya in 4Q12 was Worms, which affected 31.0 percent of all computers with detections there, down from 32.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Kenya in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Comame | Misc. Trojans | 18.4% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 18.3% |
| 3 | Win32/Sality | Viruses | 17.1% |
| 4 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.8% |
| 5 | Win32/Vobfus | Worms | 8.8% |
| 6 | Win32/CplLnk | Exploits | 7.8% |
| 7 | Win32/Virut | Viruses | 7.1% |
| 8 | Win32/Ramnit | Misc. Trojans | 6.9% |
| 9 | Win32/Dorkbot | Worms | 6.3% |
| 10 | Win32/Rimecud | Misc. Trojans | 4.9% |



The most common threat family in Kenya in 4Q12 was Win32/Comame, which affected 18.4 percent of computers with detections in Kenya. Win32/Comame is a generic detection for a variety of threats. The second most common threat family in Kenya in 4Q12 was INF/Autorun, which affected 18.3 percent of computers with detections in Kenya. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kenya in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Kenya. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kenya in 4Q12 was Win32/Keygen, which affected 13.8 percent of computers with detections in Kenya. Win32/Keygen is a generic detection for tools that generate product keys for various software products.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kenya

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.21 (0.56) | 0.49 (0.33) |


Korea
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Korea in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Korea

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 27.5 | 70.4 | 27.5 | 93.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Korea and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 93.0 of every 1,000 computers scanned in Korea in 4Q12 (a CCM score of 93.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Korea over the last six quarters, compared to the world as a whole.
CCM infection trends in Korea and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Korea]

Threat categories
Malware and potentially unwanted software categories in Korea in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Korea, Worldwide]



The most common category in Korea in 4Q12 was Miscellaneous Trojans. It affected 75.6 percent of all computers with detections there, up from 35.5 percent in 3Q12. The second most common category in Korea in 4Q12 was Adware. It affected 32.6 percent of all computers with detections there, down from 55.5 percent in 3Q12. The third most common category in Korea in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 9.7 percent of all computers with detections there, down from 14.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Korea in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Onescan | Misc. Trojans | 70.6% |
| 2 | Win32/Addendum | Adware | 10.6% |
| 3 | Win32/SideOn | Adware | 10.3% |
| 4 | Win32/Wingo | Adware | 8.7% |
| 5 | Win32/Pluzoks | Trojan Downloaders & Droppers | 6.4% |
| 6 | Win32/WinAgir | Adware | 6.1% |
| 7 | Win32/Hebogo | Adware | 3.3% |
| 8 | Win32/Kremiumad | Adware | 3.1% |
| 9 | JS/DonxRef | Exploits | 3.0% |
| 10 | Win32/Keygen | Misc. Potentially Unwanted Software | 2.9% |



The most common threat family in Korea in 4Q12 was Win32/Onescan, which affected 70.6 percent of computers with detections in Korea. Win32/Onescan is a Korean-language rogue security software family distributed under the names One Scan, Siren114, EnPrivacy, PC Trouble, Smart Vaccine, and many others. The second most common threat family in Korea in 4Q12 was Win32/Addendum, which affected 10.6 percent of computers with detections in Korea. Win32/Addendum is adware that is installed as a web browser helper object (BHO) that may display unwanted pop-up advertisements and redirect search queries when accessing certain websites. It may also download executable files to install as updates. The third most common threat family in Korea in 4Q12 was Win32/SideOn, which affected 10.3 percent of computers with detections in Korea. Win32/SideOn is a component of a program called WinPro that may redirect the user’s web browser to certain websites and display ads for certain products. The fourth most common threat family in Korea in 4Q12 was Win32/Wingo, which affected 8.7 percent of computers with detections in Korea. Win32/Wingo is a program that may install a browser helper object (BHO) that may display pop-up advertisements and download updates of itself.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Korea

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.86 (5.41) | 3.98 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 14.50 (9.46) | 17.88 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.26 (0.56) | 0.31 (0.33) |


Kuwait
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kuwait in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kuwait

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.8 | 11.6 | 10.0 | 9.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kuwait and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 9.7 of every 1,000 computers scanned in Kuwait in 4Q12 (a CCM score of 9.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kuwait over the last six quarters, compared to the world as a whole.
CCM infection trends in Kuwait and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Kuwait]

Threat categories
Malware and potentially unwanted software categories in Kuwait in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Kuwait, Worldwide]



The most common category in Kuwait in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.7 percent of all computers with detections there, up from 29.2 percent in 3Q12. The second most common category in Kuwait in 4Q12 was Worms. It affected 33.8 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Kuwait in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 25.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Kuwait in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.1% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.0% |
| 3 | Win32/Sality | Viruses | 9.0% |
| 4 | Win32/Dorkbot | Worms | 8.2% |
| 5 | Win32/Vobfus | Worms | 6.5% |
| 6 | Win32/Rimecud | Misc. Trojans | 6.2% |
| 7 | JS/IframeRef | Misc. Trojans | 5.4% |
| 8 | Win32/Hotbar | Adware | 5.2% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.2% |
| 10 | Win32/CplLnk | Exploits | 4.1% |



The most common threat family in Kuwait in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Kuwait. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kuwait in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Kuwait. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kuwait in 4Q12 was Win32/Sality, which affected 9.0 percent of computers with detections in Kuwait. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kuwait in 4Q12 was Win32/Dorkbot, which affected 8.2 percent of computers with detections in Kuwait. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kuwait

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.58 (5.41) | 2.61 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 6.54 (9.46) | 5.88 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.08 (0.56) | 0.26 (0.33) |


Latvia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Latvia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Latvia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.1 | 4.5 | 3.8 | 4.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Latvia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 4.1 of every 1,000 computers scanned in Latvia in 4Q12 (a CCM score of 4.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Latvia over the last six quarters, compared to the world as a whole.
CCM infection trends in Latvia and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 through 4Q12; series: Worldwide, Latvia]

Threat categories
Malware and potentially unwanted software categories in Latvia in 4Q12, by percentage of computers reporting detections

[Figure: bar chart of the percent of computers reporting detections, by threat category; series: Latvia, Worldwide]



The most common category in Latvia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.9 percent of all computers with detections there, up from 45.6 percent in 3Q12. The second most common category in Latvia in 4Q12 was Miscellaneous Trojans. It affected 31.9 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Latvia in 4Q12 was Worms, which affected 20.1 percent of all computers with detections there, up from 14.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Latvia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.2%
2 | Win32/Dorkbot | Worms | 7.7%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.3%
4 | JS/IframeRef | Misc. Trojans | 7.2%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.1%
6 | Java/Blacole | Exploits | 4.9%
7 | Win32/Pdfjsc | Exploits | 4.7%
8 | Win32/Hotbar | Adware | 4.0%
9 | Win32/Pameseg | Misc. Potentially Unwanted Software | 3.7%
10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%



The most common threat family in Latvia in 4Q12 was Win32/Keygen, which affected 21.2 percent of computers with detections in Latvia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Latvia in 4Q12 was Win32/Dorkbot, which affected 7.7 percent of computers with detections in Latvia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

The third most common threat family in Latvia in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Latvia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

The fourth most common threat family in Latvia in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in Latvia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Latvia

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.85 (5.41) | 5.43 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 8.06 (9.46) | 13.66 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.51 (0.56) | 1.52 (0.33)


Lebanon
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lebanon in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lebanon

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 13.3 | 13.9 | 10.4 | 13.0
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lebanon and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 13.0 of every 1,000 computers scanned in Lebanon in 4Q12 (a CCM score of 13.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Lebanon over the last six quarters, compared to the world as a whole.
CCM infection trends in Lebanon and worldwide

[Figure: y-axis, computers cleaned per 1,000 scanned (CCM); x-axis, quarters 3Q11 through 4Q12; series, Worldwide and Lebanon]


Threat categories
Malware and potentially unwanted software categories in Lebanon in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series, Lebanon and Worldwide]



The most common category in Lebanon in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Lebanon in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 30.4 percent in 3Q12. The third most common category in Lebanon in 4Q12 was Miscellaneous Trojans, which affected 30.1 percent of all computers with detections there, up from 24.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Lebanon in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.5%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 16.3%
3 | Win32/Sality | Viruses | 11.2%
4 | Win32/CplLnk | Exploits | 11.2%
5 | Win32/Dorkbot | Worms | 8.8%
6 | Win32/Ramnit | Misc. Trojans | 8.6%
7 | Win32/Folstart | Worms | 8.3%
8 | Win32/Nuqel | Worms | 6.0%
9 | JS/IframeRef | Misc. Trojans | 5.8%
10 | Win32/Rimecud | Misc. Trojans | 5.5%



The most common threat family in Lebanon in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Lebanon. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Lebanon in 4Q12 was INF/Autorun, which affected 16.3 percent of computers with detections in Lebanon. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The third most common threat family in Lebanon in 4Q12 was Win32/Sality, which affected 11.2 percent of computers with detections in Lebanon. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The fourth most common threat family in Lebanon in 4Q12 was Win32/CplLnk, which affected 11.2 percent of computers with detections in Lebanon. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lebanon

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.05 (0.56) | 0.00 (0.33)


Lithuania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lithuania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lithuania

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 7.4 | 6.4 | 5.8 | 6.4
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lithuania and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.4 of every 1,000 computers scanned in Lithuania in 4Q12 (a CCM score of 6.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Lithuania over the last six quarters, compared to the world as a whole.
CCM infection trends in Lithuania and worldwide

[Figure: y-axis, computers cleaned per 1,000 scanned (CCM); x-axis, quarters 3Q11 through 4Q12; series, Worldwide and Lithuania]


Threat categories
Malware and potentially unwanted software categories in Lithuania in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series, Lithuania and Worldwide]



The most common category in Lithuania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.2 percent of all computers with detections there, up from 42.0 percent in 3Q12. The second most common category in Lithuania in 4Q12 was Miscellaneous Trojans. It affected 33.2 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Lithuania in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 18.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Lithuania in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | JS/IframeRef | Misc. Trojans | 8.4%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.3%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 5.2%
5 | Win32/Dorkbot | Worms | 5.1%
6 | JS/BlacoleRef | Misc. Trojans | 3.9%
7 | Win32/Hotbar | Adware | 3.7%
8 | Win32/DealPly | Adware | 3.6%
9 | Win32/Killav | Misc. Trojans | 3.2%
10 | Win32/OpenCandy | Adware | 3.2%



The most common threat family in Lithuania in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Lithuania. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Lithuania in 4Q12 was JS/IframeRef, which affected 8.4 percent of computers with detections in Lithuania. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.

The third most common threat family in Lithuania in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Lithuania. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

The fourth most common threat family in Lithuania in 4Q12 was INF/Autorun, which affected 5.2 percent of computers with detections in Lithuania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lithuania

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 4.43 (5.41) | 5.54 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.89 (9.46) | 12.88 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 4.43 (0.56) | 0.22 (0.33)


Luxembourg
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Luxembourg in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Luxembourg

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 2.8 | 2.0 | 2.2 | 2.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Luxembourg and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Luxembourg in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Luxembourg over the last six quarters, compared to the world as a whole.
CCM infection trends in Luxembourg and worldwide

[Figure: y-axis, computers cleaned per 1,000 scanned (CCM); x-axis, quarters 3Q11 through 4Q12; series, Worldwide and Luxembourg]


Threat categories
Malware and potentially unwanted software categories in Luxembourg in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series, Luxembourg and Worldwide]



The most common category in Luxembourg in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.5 percent of all computers with detections there, up from 29.4 percent in 3Q12. The second most common category in Luxembourg in 4Q12 was Miscellaneous Trojans. It affected 28.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Luxembourg in 4Q12 was Exploits, which affected 21.6 percent of all computers with detections there, up from 7.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Luxembourg in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.9%
2 | Win32/Pdfjsc | Exploits | 10.4%
3 | Java/Blacole | Exploits | 8.9%
4 | Win32/Reveton | Misc. Trojans | 7.6%
5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.8%
6 | Win32/DealPly | Adware | 5.6%
7 | Win32/Hotbar | Adware | 5.3%
8 | ASX/Wimad | Trojan Downloaders & Droppers | 5.2%
9 | JS/IframeRef | Misc. Trojans | 4.9%
10 | Win32/OpenCandy | Adware | 4.3%



The most common threat family in Luxembourg in 4Q12 was Win32/Keygen, which affected 12.9 percent of computers with detections in Luxembourg. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Luxembourg in 4Q12 was Win32/Pdfjsc, which affected 10.4 percent of computers with detections in Luxembourg. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.

The third most common threat family in Luxembourg in 4Q12 was Java/Blacole, which affected 8.9 percent of computers with detections in Luxembourg. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.

The fourth most common threat family in Luxembourg in 4Q12 was Win32/Reveton, which affected 7.6 percent of computers with detections in Luxembourg. Win32/Reveton is a ransomware family that targets users from certain countries. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Luxembourg

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 5.70 (5.41) | 5.95 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 8.92 (9.46) | 19.33 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.17 (0.56) | 1.08 (0.33)


Macao S.A.R.
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Macao S.A.R. in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Macao S.A.R.

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.0 | 2.2 | 1.9 | 1.9
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Macao S.A.R. and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.9 of every 1,000 computers scanned in Macao S.A.R. in 4Q12 (a CCM score of 1.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Macao S.A.R. over the last six quarters, compared to the world as a whole.
CCM infection trends in Macao S.A.R. and worldwide

[Figure: y-axis, computers cleaned per 1,000 scanned (CCM); x-axis, quarters 3Q11 through 4Q12; series, Worldwide and Macao S.A.R.]


Threat categories
Malware and potentially unwanted software categories in Macao S.A.R. in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series, Macao S.A.R. and Worldwide]



The most common category in Macao S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.4 percent in 3Q12. The second most common category in Macao S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 28.8 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Macao S.A.R. in 4Q12 was Worms, which affected 19.0 percent of all computers with detections there, up from 17.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Macao S.A.R. in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 7.5%
3 | JS/IframeRef | Misc. Trojans | 5.9%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.6%
5 | Win32/Conficker | Worms | 5.0%
6 | Win32/Hotbar | Adware | 3.5%
7 | Win32/FlyAgent | Backdoors | 3.0%
8 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 3.0%
9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.0%
10 | Win32/Taterf | Worms | 2.6%



The most common threat family in Macao S.A.R. in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Macao S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Macao S.A.R. in 4Q12 was INF/Autorun, which affected 7.5 percent of computers with detections in Macao S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The third most common threat family in Macao S.A.R. in 4Q12 was JS/IframeRef, which affected 5.9 percent of computers with detections in Macao S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.

The fourth most common threat family in Macao S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.6 percent of computers with detections in Macao S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Macao S.A.R.

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.08 (0.56) | 0.09 (0.33)


Malaysia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malaysia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malaysia

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 9.3 | 8.7 | 8.1 | 7.9
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malaysia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.9 of every 1,000 computers scanned in Malaysia in 4Q12 (a CCM score of 7.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Malaysia over the last six quarters, compared to the world as a whole.
CCM infection trends in Malaysia and worldwide

[Figure: y-axis, computers cleaned per 1,000 scanned (CCM); x-axis, quarters 3Q11 through 4Q12; series, Worldwide and Malaysia]


Threat categories
Malware and potentially unwanted software categories in Malaysia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series, Malaysia and Worldwide]



The most common category in Malaysia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.6 percent of all computers with detections there, up from 32.4 percent in 3Q12. The second most common category in Malaysia in 4Q12 was Worms. It affected 38.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The third most common category in Malaysia in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 24.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Malaysia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9%
2 | Win32/Dorkbot | Worms | 15.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 15.1%
4 | Win32/Sality | Viruses | 9.1%
5 | Win32/Conficker | Worms | 5.9%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.1%
7 | Win32/Hotbar | Adware | 4.6%
8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.4%
9 | Win32/Nuqel | Worms | 3.4%
10 | Win32/Ramnit | Misc. Trojans | 3.4%



The most common threat family in Malaysia in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Malaysia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Malaysia in 4Q12 was Win32/Dorkbot, which affected 15.9 percent of computers with detections in Malaysia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

The third most common threat family in Malaysia in 4Q12 was INF/Autorun, which affected 15.1 percent of computers with detections in Malaysia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The fourth most common threat family in Malaysia in 4Q12 was Win32/Sality, which affected 9.1 percent of computers with detections in Malaysia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malaysia

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 17.15 (5.41) | 17.66 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 11.63 (9.46) | 13.87 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.76 (0.56) | 0.95 (0.33)


Malta
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malta in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malta

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 4.1 | 3.6 | 2.5 | 2.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malta and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in Malta in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Malta over the last six quarters, compared to the world as a whole.
CCM infection trends in Malta and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Malta and worldwide]

Threat categories
Malware and potentially unwanted software categories in Malta in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by threat category, for Malta and worldwide]



The most common category in Malta in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.6 percent of all computers with detections there, up from 34.0 percent in 3Q12. The second most common category in Malta in 4Q12 was Adware. It affected 29.6 percent of all computers with detections there, down from 39.5 percent in 3Q12. The third most common category in Malta in 4Q12 was Miscellaneous Trojans, which affected 19.7 percent of all computers with detections there, up from 18.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Malta in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.5%
2 | Win32/Hotbar | Adware | 16.8%
3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 12.6%
4 | ASX/Wimad | Trojan Downloaders & Droppers | 7.8%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 6.4%
6 | JS/IframeRef | Misc. Trojans | 5.3%
7 | Win32/ClickPotato | Adware | 4.9%
8 | Win32/OpenCandy | Adware | 4.0%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.7%
10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%



The most common threat family in Malta in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Malta. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Malta in 4Q12 was Win32/Hotbar, which affected 16.8 percent of computers with detections in Malta. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.

The third most common threat family in Malta in 4Q12 was Win32/Zwangi, which affected 12.6 percent of computers with detections in Malta. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.

The fourth most common threat family in Malta in 4Q12 was ASX/Wimad, which affected 7.8 percent of computers with detections in Malta. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malta

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 0.78 (5.41) | 3.12 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 0.78 (9.46) | 4.68 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.07 (0.56) | 0.04 (0.33)


Mexico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Mexico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Mexico

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 11.2 | 10.0 | 9.3 | 7.8
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Mexico and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.8 of every 1,000 computers scanned in Mexico in 4Q12 (a CCM score of 7.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Mexico over the last six quarters, compared to the world as a whole.
CCM infection trends in Mexico and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Mexico and worldwide]

Threat categories
Malware and potentially unwanted software categories in Mexico in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by threat category, for Mexico and worldwide]



The most common category in Mexico in 4Q12 was Worms. It affected 43.2 percent of all computers with detections there, down from 45.5 percent in 3Q12. The second most common category in Mexico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The third most common category in Mexico in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, up from 16.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Mexico in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 22.5%
2 | Win32/DealPly | Adware | 15.3%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.2%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 13.3%
5 | Win32/Vobfus | Worms | 7.9%
6 | Win32/Conficker | Worms | 6.3%
7 | Win32/Brontok | Worms | 5.0%
8 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.6%
9 | Win32/OpenCandy | Adware | 3.4%
10 | JS/IframeRef | Misc. Trojans | 3.3%



The most common threat family in Mexico in 4Q12 was Win32/Dorkbot, which affected 22.5 percent of computers with detections in Mexico. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

The second most common threat family in Mexico in 4Q12 was Win32/DealPly, which affected 15.3 percent of computers with detections in Mexico. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.

The third most common threat family in Mexico in 4Q12 was Win32/Keygen, which affected 14.2 percent of computers with detections in Mexico. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The fourth most common threat family in Mexico in 4Q12 was INF/Autorun, which affected 13.3 percent of computers with detections in Mexico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Mexico

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 12.36 (5.41) | 6.16 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 13.33 (9.46) | 10.95 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.03 (0.56) | 0.05 (0.33)


Moldova
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Moldova in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Moldova

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 5.9 | 6.7 | 6.1 | 7.8
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Moldova and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.8 of every 1,000 computers scanned in Moldova in 4Q12 (a CCM score of 7.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Moldova over the last six quarters, compared to the world as a whole.
CCM infection trends in Moldova and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Moldova and worldwide]

Threat categories
Malware and potentially unwanted software categories in Moldova in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by threat category, for Moldova and worldwide]



The most common category in Moldova in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.6 percent of all computers with detections there, down from 49.7 percent in 3Q12. The second most common category in Moldova in 4Q12 was Miscellaneous Trojans. It affected 35.1 percent of all computers with detections there, down from 38.2 percent in 3Q12. The third most common category in Moldova in 4Q12 was Worms, which affected 30.2 percent of all computers with detections there, up from 16.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Moldova in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | Win32/Dorkbot | Worms | 16.3%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.9%
4 | Win32/Pameseg | Misc. Potentially Unwanted Software | 7.2%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.3%
6 | JS/Tadtruss | Misc. Trojans | 4.1%
7 | Win32/Sality | Viruses | 3.9%
8 | Win32/Brontok | Worms | 3.8%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.5%
10 | Win32/Killav | Misc. Trojans | 3.3%



The most common threat family in Moldova in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Moldova. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Moldova in 4Q12 was Win32/Dorkbot, which affected 16.3 percent of computers with detections in Moldova. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

The third most common threat family in Moldova in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in Moldova. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

The fourth most common threat family in Moldova in 4Q12 was Win32/Pameseg, which affected 7.2 percent of computers with detections in Moldova. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Moldova

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.71 (5.41) | 1.39 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.88 (9.46) | 12.98 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.17 (0.56) | 0.08 (0.33)


Morocco
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Morocco in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Morocco

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 15.6 | 20.1 | 21.1 | 20.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Morocco and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 20.1 of every 1,000 computers scanned in Morocco in 4Q12 (a CCM score of 20.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Morocco over the last six quarters, compared to the world as a whole.
CCM infection trends in Morocco and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Morocco and worldwide]

Threat categories
Malware and potentially unwanted software categories in Morocco in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by threat category, for Morocco and worldwide]



The most common category in Morocco in 4Q12 was Worms. It affected 41.1 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in Morocco in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Morocco in 4Q12 was Miscellaneous Trojans, which affected 29.8 percent of all computers with detections there, up from 24.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Morocco in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.3%
2 | Win32/Sality | Viruses | 13.8%
3 | Win32/Yeltminky | Worms | 13.1%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 12.1%
5 | Win32/Dorkbot | Worms | 10.1%
6 | Win32/Ramnit | Misc. Trojans | 9.9%
7 | Win32/CplLnk | Exploits | 7.2%
8 | Win32/Mabezat | Viruses | 5.5%
9 | Win32/Vobfus | Worms | 4.6%
10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.3%



The most common threat family in Morocco in 4Q12 was Win32/Keygen, which affected 16.3 percent of computers with detections in Morocco. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Morocco in 4Q12 was Win32/Sality, which affected 13.8 percent of computers with detections in Morocco. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The third most common threat family in Morocco in 4Q12 was Win32/Yeltminky, which affected 13.1 percent of computers with detections in Morocco. Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy.

The fourth most common threat family in Morocco in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Morocco. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Morocco

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 21.48 (5.41) | 8.40 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 12.61 (9.46) | 10.27 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.12 (0.56) | 0.13 (0.33)


Nepal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nepal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nepal

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 20.0 | 19.3 | 18.2 | 16.5
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nepal and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 16.5 of every 1,000 computers scanned in Nepal in 4Q12 (a CCM score of 16.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nepal over the last six quarters, compared to the world as a whole.
CCM infection trends in Nepal and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Nepal and worldwide]

Threat categories
Malware and potentially unwanted software categories in Nepal in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by threat category, for Nepal and worldwide]



The most common category in Nepal in 4Q12 was Miscellaneous Trojans. It affected 48.6 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Nepal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 38.0 percent in 3Q12. The third most common category in Nepal in 4Q12 was Worms, which affected 39.3 percent of all computers with detections there, down from 42.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Nepal in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Ramnit | Misc. Trojans | 28.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 25.6%
3 | Win32/CplLnk | Exploits | 22.1%
4 | Win32/Sality | Viruses | 21.1%
5 | Win32/Finodes | Misc. Trojans | 18.4%
6 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.1%
7 | Win32/Virut | Viruses | 16.0%
8 | Win32/Nuqel | Worms | 9.3%
9 | Win32/Rimecud | Misc. Trojans | 5.6%
10 | Win32/Conficker | Worms | 5.1%



The most common threat family in Nepal in 4Q12 was Win32/Ramnit, which affected 28.6 percent of computers with detections in Nepal. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

The second most common threat family in Nepal in 4Q12 was INF/Autorun, which affected 25.6 percent of computers with detections in Nepal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The third most common threat family in Nepal in 4Q12 was Win32/CplLnk, which affected 22.1 percent of computers with detections in Nepal. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.

The fourth most common threat family in Nepal in 4Q12 was Win32/Sality, which affected 21.1 percent of computers with detections in Nepal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nepal

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.18 (0.56) | 0.50 (0.33)


Netherlands
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Netherlands in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Netherlands

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.3 | 4.8 | 5.6 | 2.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Netherlands and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.6 of every 1,000 computers scanned in the Netherlands in 4Q12 (a CCM score of 2.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Netherlands over the last six quarters, compared to the world as a whole.
CCM infection trends in the Netherlands and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, Netherlands.]


Threat categories
Malware and potentially unwanted software categories in the Netherlands in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Netherlands, Worldwide.]



The most common category in the Netherlands in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 30.5 percent in 3Q12. The second most common category in the Netherlands in 4Q12 was Miscellaneous Trojans. It affected 26.7 percent of all computers with detections there, down from 27.2 percent in 3Q12. The third most common category in the Netherlands in 4Q12 was Adware, which affected 25.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the Netherlands in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.3% |
| 2 | Win32/DealPly | Adware | 15.1% |
| 3 | Win32/Pdfjsc | Exploits | 11.1% |
| 4 | Java/Blacole | Exploits | 10.5% |
| 5 | JS/IframeRef | Misc. Trojans | 9.5% |
| 6 | ASX/Wimad | Trojan Downloaders & Droppers | 5.9% |
| 7 | Win32/Hotbar | Adware | 5.1% |
| 8 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.4% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.1% |
| 10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.1% |



The most common threat family in the Netherlands in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in the Netherlands. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in the Netherlands in 4Q12 was Win32/DealPly, which affected 15.1 percent of computers with detections in the Netherlands. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in the Netherlands in 4Q12 was Win32/Pdfjsc, which affected 11.1 percent of computers with detections in the Netherlands. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in the Netherlands in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in the Netherlands. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Netherlands

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.05 (5.41) | 4.01 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 6.53 (9.46) | 7.35 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.64 (0.56) | 0.35 (0.33) |


New Zealand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in New Zealand in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for New Zealand

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.5 | 3.1 | 3.3 | 3.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in New Zealand and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in New Zealand in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for New Zealand over the last six quarters, compared to the world as a whole.
CCM infection trends in New Zealand and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, New Zealand.]


Threat categories
Malware and potentially unwanted software categories in New Zealand in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: New Zealand, Worldwide.]



The most common category in New Zealand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.1 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in New Zealand in 4Q12 was Miscellaneous Trojans. It affected 28.9 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in New Zealand in 4Q12 was Adware, which affected 20.4 percent of all computers with detections there, down from 25.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in New Zealand in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.4% |
| 2 | Win32/Hotbar | Adware | 9.3% |
| 3 | JS/IframeRef | Misc. Trojans | 7.2% |
| 4 | Win32/Sirefef | Misc. Trojans | 6.6% |
| 5 | INF/Autorun | Misc. Potentially Unwanted Software | 6.4% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.9% |
| 7 | Win32/Vobfus | Worms | 5.0% |
| 8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.5% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.4% |
| 10 | Win32/OpenCandy | Adware | 3.6% |



The most common threat family in New Zealand in 4Q12 was Win32/Keygen, which affected 11.4 percent of computers with detections in New Zealand. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in New Zealand in 4Q12 was Win32/Hotbar, which affected 9.3 percent of computers with detections in New Zealand. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in New Zealand in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in New Zealand. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in New Zealand in 4Q12 was Win32/Sirefef, which affected 6.6 percent of computers with detections in New Zealand. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for New Zealand

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.90 (5.41) | 4.86 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 11.76 (9.46) | 7.28 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.19 (0.56) | 0.08 (0.33) |


Nicaragua
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nicaragua in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nicaragua

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.2 | 6.3 | 6.2 | 4.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nicaragua and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Nicaragua in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nicaragua over the last six quarters, compared to the world as a whole.
CCM infection trends in Nicaragua and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, Nicaragua.]


Threat categories
Malware and potentially unwanted software categories in Nicaragua in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Nicaragua, Worldwide.]



The most common category in Nicaragua in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in Nicaragua in 4Q12 was Worms. It affected 38.2 percent of all computers with detections there, down from 40.1 percent in 3Q12. The third most common category in Nicaragua in 4Q12 was Miscellaneous Trojans, which affected 22.1 percent of all computers with detections there, down from 24.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Nicaragua in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 25.9% |
| 2 | Win32/Dorkbot | Worms | 17.6% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.2% |
| 4 | Win32/Vobfus | Worms | 7.3% |
| 5 | Win32/Conficker | Worms | 7.2% |
| 6 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.7% |
| 7 | Win32/Sality | Viruses | 4.5% |
| 8 | Win32/Yeltminky | Worms | 4.4% |
| 9 | Win32/Nuqel | Worms | 4.0% |
| 10 | Win32/OpenCandy | Adware | 3.8% |



The most common threat family in Nicaragua in 4Q12 was Win32/Keygen, which affected 25.9 percent of computers with detections in Nicaragua. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Nicaragua in 4Q12 was Win32/Dorkbot, which affected 17.6 percent of computers with detections in Nicaragua. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Nicaragua in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Nicaragua. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Nicaragua in 4Q12 was Win32/Vobfus, which affected 7.3 percent of computers with detections in Nicaragua. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nicaragua

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.06 (0.56) | N/A (0.33) |


Nigeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nigeria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nigeria

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.1 | 8.1 | 7.2 | 7.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nigeria and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.0 of every 1,000 computers scanned in Nigeria in 4Q12 (a CCM score of 7.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nigeria over the last six quarters, compared to the world as a whole.
CCM infection trends in Nigeria and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, Nigeria.]


Threat categories
Malware and potentially unwanted software categories in Nigeria in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Nigeria, Worldwide.]



The most common category in Nigeria in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 40.8 percent in 3Q12. The second most common category in Nigeria in 4Q12 was Miscellaneous Trojans. It affected 29.7 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Nigeria in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 28.8 percent of all computers with detections there, up from 26.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Nigeria in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Vobfus | Worms | 17.1% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 16.1% |
| 3 | Win32/Sality | Viruses | 11.4% |
| 4 | Win32/Ramnit | Misc. Trojans | 10.7% |
| 5 | Win32/CplLnk | Exploits | 10.1% |
| 6 | Win32/Keygen | Misc. Potentially Unwanted Software | 9.4% |
| 7 | Win32/Virut | Viruses | 8.6% |
| 8 | Win32/Rimecud | Misc. Trojans | 7.8% |
| 9 | Win32/Dorkbot | Worms | 6.1% |
| 10 | Win32/Conficker | Worms | 5.3% |



The most common threat family in Nigeria in 4Q12 was Win32/Vobfus, which affected 17.1 percent of computers with detections in Nigeria. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Nigeria in 4Q12 was INF/Autorun, which affected 16.1 percent of computers with detections in Nigeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Nigeria in 4Q12 was Win32/Sality, which affected 11.4 percent of computers with detections in Nigeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Nigeria in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Nigeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nigeria

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.45 (0.56) | 0.52 (0.33) |


Norway
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Norway in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Norway

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.6 | 1.9 | 3.0 | 2.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Norway and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Norway in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Norway over the last six quarters, compared to the world as a whole.
CCM infection trends in Norway and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, Norway.]


Threat categories
Malware and potentially unwanted software categories in Norway in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Norway, Worldwide.]



The most common category in Norway in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.4 percent of all computers with detections there, up from 28.9 percent in 3Q12. The second most common category in Norway in 4Q12 was Miscellaneous Trojans. It affected 25.8 percent of all computers with detections there, down from 28.0 percent in 3Q12. The third most common category in Norway in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 28.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Norway in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.1% |
| 2 | Win32/DealPly | Adware | 9.9% |
| 3 | JS/IframeRef | Misc. Trojans | 8.5% |
| 4 | Win32/Hotbar | Adware | 8.2% |
| 5 | Win32/Pdfjsc | Exploits | 8.1% |
| 6 | Java/Blacole | Exploits | 7.3% |
| 7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.4% |
| 8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.6% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.1% |
| 10 | Win32/Sinowal | Password Stealers & Monitoring Tools | 3.5% |



The most common threat family in Norway in 4Q12 was Win32/Keygen, which affected 13.1 percent of computers with detections in Norway. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Norway in 4Q12 was Win32/DealPly, which affected 9.9 percent of computers with detections in Norway. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Norway in 4Q12 was JS/IframeRef, which affected 8.5 percent of computers with detections in Norway. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Norway in 4Q12 was Win32/Hotbar, which affected 8.2 percent of computers with detections in Norway. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Norway

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 2.97 (5.41) | 2.88 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.28 (9.46) | 5.67 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.27 (0.56) | 0.18 (0.33) |


Oman
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Oman in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Oman

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 14.9 | 16.2 | 12.2 | 13.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Oman and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 13.4 of every 1,000 computers scanned in Oman in 4Q12 (a CCM score of 13.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Oman over the last six quarters, compared to the world as a whole.
CCM infection trends in Oman and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 through 4Q12; series: Worldwide, Oman.]


Threat categories
Malware and potentially unwanted software categories in Oman in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Oman, Worldwide.]



The most common category in Oman in 4Q12 was Worms. It affected 46.8 percent of all computers with detections there, up from 33.0 percent in 3Q12. The second most common category in Oman in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.7 percent of all computers with detections there, up from 30.3 percent in 3Q12. The third most common category in Oman in 4Q12 was Miscellaneous Trojans, which affected 28.9 percent of all computers with detections there, up from 24.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Oman in 4Q12

|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Vobfus | Worms | 22.5% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 22.5% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.2% |
| 4 | Win32/Sality | Viruses | 8.0% |
| 5 | Win32/Nuqel | Worms | 6.9% |
| 6 | Win32/Dorkbot | Worms | 6.4% |
| 7 | JS/IframeRef | Misc. Trojans | 5.8% |
| 8 | Win32/Ramnit | Misc. Trojans | 4.8% |
| 9 | Win32/CplLnk | Exploits | 4.6% |
| 10 | Win32/Folstart | Worms | 4.3% |



The most common threat family in Oman in 4Q12 was Win32/Vobfus, which affected 22.5 percent of computers with detections in Oman. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Oman in 4Q12 was INF/Autorun, which affected 22.5 percent of computers with detections in Oman. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Oman in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Oman. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Oman in 4Q12 was Win32/Sality, which affected 8.0 percent of computers with detections in Oman. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.







Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Oman

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33)

Pakistan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Pakistan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Pakistan

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 32.8 | 35.3 | 30.6 | 26.8
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Pakistan and around the world, and for explanations of the methods and terms used here.

Infection trends (CCM)
The MSRT detected malware on 26.8 of every 1,000 computers scanned in Pakistan in 4Q12 (a CCM score of 26.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Pakistan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Pakistan and worldwide. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Pakistan]

Threat categories
[Figure: Malware and potentially unwanted software categories in Pakistan in 4Q12, by percentage of computers reporting detections. Y-axis: Percent of computers reporting detections; series: Pakistan, Worldwide]



The most common category in Pakistan in 4Q12 was Worms. It affected 50.2 percent of all computers with detections there, up from 47.0 percent in 3Q12. The second most common category in Pakistan in 4Q12 was Viruses. It affected 44.2 percent of all computers with detections there, up from 42.1 percent in 3Q12. The third most common category in Pakistan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 42.0 percent of all computers with detections there, up from 37.6 percent in 3Q12.





Threat families
The top 10 malware and potentially unwanted software families in Pakistan in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 34.9%
2 | Win32/Sality | Viruses | 27.5%
3 | Win32/Ramnit | Misc. Trojans | 21.3%
4 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.1%
5 | Win32/CplLnk | Exploits | 16.3%
6 | Win32/Virut | Viruses | 16.2%
7 | Win32/Chir | Viruses | 13.9%
8 | Win32/VB | Worms | 11.0%
9 | Win32/Bifrose | Backdoors | 8.0%
10 | Win32/Conficker | Worms | 7.1%



The most common threat family in Pakistan in 4Q12 was INF/Autorun, which affected 34.9 percent of computers with detections in Pakistan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Pakistan in 4Q12 was Win32/Sality, which affected 27.5 percent of computers with detections in Pakistan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Pakistan in 4Q12 was Win32/Ramnit, which affected 21.3 percent of computers with detections in Pakistan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The fourth most common threat family in Pakistan in 4Q12 was Win32/Keygen, which affected 18.1 percent of computers with detections in Pakistan. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Pakistan

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 17.60 (5.41) | 4.69 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 18.38 (9.46) | 16.03 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.64 (0.56) | 0.26 (0.33)

Palestinian Authority
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Palestinian territories (West Bank and Gaza Strip) in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Palestinian territories

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 29.1 | 29.8 | 24.4 | 26.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Palestinian territories and around the world, and for explanations of the methods and terms used here.

Infection trends (CCM)
The MSRT detected malware on 26.2 of every 1,000 computers scanned in the Palestinian territories in 4Q12 (a CCM score of 26.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Palestinian territories over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the Palestinian territories and worldwide. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Palestinian Authority]

Threat categories
[Figure: Malware and potentially unwanted software categories in the Palestinian territories in 4Q12, by percentage of computers reporting detections. Y-axis: Percent of computers reporting detections; series: Palestinian Authority, Worldwide]



The most common category in the Palestinian territories in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.2 percent of all computers with detections there, up from 36.8 percent in 3Q12. The second most common category in the Palestinian territories in 4Q12 was Worms. It affected 40.4 percent of all computers with detections there, up from 31.4 percent in 3Q12. The third most common category in the Palestinian territories in 4Q12 was Miscellaneous Trojans, which affected 39.8 percent of all computers with detections there, up from 31.9 percent in 3Q12.





Threat families
The top 10 malware and potentially unwanted software families in the Palestinian territories in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Sality | Viruses | 23.7%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 21.3%
4 | Win32/CplLnk | Exploits | 13.3%
5 | Win32/Ramnit | Misc. Trojans | 12.7%
6 | Win32/Vobfus | Worms | 11.1%
7 | Win32/Sulunch | Misc. Trojans | 10.0%
8 | Win32/Virut | Viruses | 8.9%
9 | Win32/Nuqel | Worms | 6.1%
10 | Win32/Dorkbot | Worms | 5.9%



The most common threat family in the Palestinian territories in 4Q12 was Win32/Sality, which affected 23.7 percent of computers with detections in the Palestinian territories. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in the Palestinian territories in 4Q12 was Win32/Keygen, which affected 22.9 percent of computers with detections in the Palestinian territories. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the Palestinian territories in 4Q12 was INF/Autorun, which affected 21.3 percent of computers with detections in the Palestinian territories. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in the Palestinian territories in 4Q12 was Win32/CplLnk, which affected 13.3 percent of computers with detections in the Palestinian territories. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.







Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Palestinian territories

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.22 (0.56) | 0.02 (0.33)

Panama
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Panama in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Panama

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 9.9 | 7.6 | 6.4 | 5.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Panama and around the world, and for explanations of the methods and terms used here.

Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Panama in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Panama over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Panama and worldwide. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Panama]

Threat categories
[Figure: Malware and potentially unwanted software categories in Panama in 4Q12, by percentage of computers reporting detections. Y-axis: Percent of computers reporting detections; series: Panama, Worldwide]



The most common category in Panama in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Panama in 4Q12 was Worms. It affected 35.6 percent of all computers with detections there, down from 36.9 percent in 3Q12. The third most common category in Panama in 4Q12 was Miscellaneous Trojans, which affected 24.6 percent of all computers with detections there, down from 25.3 percent in 3Q12.





Threat families
The top 10 malware and potentially unwanted software families in Panama in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 17.5%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.3%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.0%
4 | Win32/Vobfus | Worms | 10.1%
5 | Win32/Sality | Viruses | 5.9%
6 | JS/IframeRef | Misc. Trojans | 5.2%
7 | Win32/Conficker | Worms | 4.5%
8 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.9%
9 | Win32/Nuqel | Worms | 3.8%
10 | Win32/OpenCandy | Adware | 3.7%



The most common threat family in Panama in 4Q12 was Win32/Dorkbot, which affected 17.5 percent of computers with detections in Panama. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Panama in 4Q12 was Win32/Keygen, which affected 14.3 percent of computers with detections in Panama. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Panama in 4Q12 was INF/Autorun, which affected 11.0 percent of computers with detections in Panama. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Panama in 4Q12 was Win32/Vobfus, which affected 10.1 percent of computers with detections in Panama. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.







Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Panama

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 9.50 (5.41) | 6.45 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 10.52 (9.46) | 8.82 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.29 (0.56) | 0.33 (0.33)

Paraguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Paraguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Paraguay

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 6.1 | 4.9 | 5.8 | 4.9
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Paraguay and around the world, and for explanations of the methods and terms used here.

Infection trends (CCM)
The MSRT detected malware on 4.9 of every 1,000 computers scanned in Paraguay in 4Q12 (a CCM score of 4.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Paraguay over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Paraguay and worldwide. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Paraguay]

Threat categories
[Figure: Malware and potentially unwanted software categories in Paraguay in 4Q12, by percentage of computers reporting detections. Y-axis: Percent of computers reporting detections; series: Paraguay, Worldwide]



The most common category in Paraguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Paraguay in 4Q12 was Worms. It affected 37.7 percent of all computers with detections there, up from 34.9 percent in 3Q12. The third most common category in Paraguay in 4Q12 was Miscellaneous Trojans, which affected 19.9 percent of all computers with detections there, down from 21.5 percent in 3Q12.





Threat families
The top 10 malware and potentially unwanted software families in Paraguay in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 21.2%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.6%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.3%
4 | Win32/DealPly | Adware | 5.0%
5 | Win32/Sality | Viruses | 4.8%
6 | Win32/OpenCandy | Adware | 4.7%
7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.0%
8 | Win32/Brontok | Worms | 3.8%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%
10 | Win32/Conficker | Worms | 3.4%



The most common threat family in Paraguay in 4Q12 was Win32/Dorkbot, which affected 21.2 percent of computers with detections in Paraguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Paraguay in 4Q12 was Win32/Keygen, which affected 17.6 percent of computers with detections in Paraguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Paraguay in 4Q12 was INF/Autorun, which affected 11.3 percent of computers with detections in Paraguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Paraguay in 4Q12 was Win32/DealPly, which affected 5.0 percent of computers with detections in Paraguay. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.







Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Paraguay

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.05 (0.33)

Peru
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Peru in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Peru

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 10.7 | 10.3 | 9.6 | 8.4
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Peru and around the world, and for explanations of the methods and terms used here.

Infection trends (CCM)
The MSRT detected malware on 8.4 of every 1,000 computers scanned in Peru in 4Q12 (a CCM score of 8.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Peru over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Peru and worldwide. Y-axis: Computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Peru]

Threat categories
[Figure: Malware and potentially unwanted software categories in Peru in 4Q12, by percentage of computers reporting detections. Y-axis: Percent of computers reporting detections; series: Peru, Worldwide]



The most common category in Peru in 4Q12 was Worms. It affected 45.1 percent of all computers with detections there, up from 43.0 percent in 3Q12. The second most common category in Peru in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.9 percent of all computers with detections there, up from 38.4 percent in 3Q12. The third most common category in Peru in 4Q12 was Miscellaneous Trojans, which affected 23.1 percent of all computers with detections there, down from 24.6 percent in 3Q12.





Threat families
The top 10 malware and potentially unwanted software families in Peru in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.6%
2 | Win32/Dorkbot | Worms | 19.6%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.9%
4 | Win32/Vobfus | Worms | 11.3%
5 | Win32/Conficker | Worms | 6.9%
6 | Win32/Yeltminky | Worms | 6.0%
7 | Win32/Sality | Viruses | 5.9%
8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.0%
9 | Win32/Nuqel | Worms | 4.6%
10 | JS/IframeRef | Misc. Trojans | 4.5%



The most common threat family in Peru in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Peru. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Peru in 4Q12 was Win32/Dorkbot, which affected 19.6 percent of computers with detections in Peru. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Peru in 4Q12 was INF/Autorun, which affected 11.9 percent of computers with detections in Peru. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Peru in 4Q12 was Win32/Vobfus, which affected 11.3 percent of computers with detections in Peru. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.







Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Peru

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 14.89 (5.41) | 3.64 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 11.91 (9.46) | 16.55 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.02 (0.56) | 0.02 (0.33)


Philippines
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Philippines in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Philippines

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 10.2 | 9.8 | 9.9 | 10.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Philippines and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 10.7 of every 1,000 computers scanned in Philippines in 4Q12 (a CCM score of 10.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Philippines over the last six quarters, compared to the world as a whole.
CCM infection trends in Philippines and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Philippines.]


Threat categories
Malware and potentially unwanted software categories in Philippines in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Philippines and Worldwide.]



The most common category in Philippines in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.7 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in Philippines in 4Q12 was Worms. It affected 41.5 percent of all computers with detections there, up from 40.8 percent in 3Q12. The third most common category in Philippines in 4Q12 was Miscellaneous Trojans, which affected 30.4 percent of all computers with detections there, up from 30.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Philippines in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.0%
2 | Win32/Sality | Viruses | 18.1%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9%
4 | Win32/Dorkbot | Worms | 12.1%
5 | Win32/Conficker | Worms | 9.5%
6 | Win32/Ramnit | Misc. Trojans | 8.4%
7 | Win32/CplLnk | Exploits | 7.9%
8 | Win32/Nuqel | Worms | 6.5%
9 | Win32/Hotbar | Adware | 6.3%
10 | Win32/Vobfus | Worms | 5.8%



The most common threat family in Philippines in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in Philippines. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Philippines in 4Q12 was Win32/Sality, which affected 18.1 percent of computers with detections in Philippines. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Philippines in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Philippines. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Philippines in 4Q12 was Win32/Dorkbot, which affected 12.1 percent of computers with detections in Philippines. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Philippines

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 11.23 (5.41) | 8.43 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 13.18 (9.46) | 11.88 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.06 (0.56) | 0.05 (0.33)


Poland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Poland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Poland

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 9.0 | 8.0 | 7.8 | 7.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Poland and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.2 of every 1,000 computers scanned in Poland in 4Q12 (a CCM score of 7.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Poland over the last six quarters, compared to the world as a whole.
CCM infection trends in Poland and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Poland.]


Threat categories
Malware and potentially unwanted software categories in Poland in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Poland and Worldwide.]



The most common category in Poland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.5 percent of all computers with detections there, down from 32.7 percent in 3Q12. The second most common category in Poland in 4Q12 was Miscellaneous Trojans. It affected 25.4 percent of all computers with detections there, up from 25.2 percent in 3Q12. The third most common category in Poland in 4Q12 was Worms, which affected 21.2 percent of all computers with detections there, down from 23.3 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Poland in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/DealPly | Adware | 10.6%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.6%
3 | Win32/Pdfjsc | Exploits | 8.4%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 6.9%
5 | Java/Blacole | Exploits | 6.4%
6 | Win32/OpenCandy | Adware | 4.7%
7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.6%
8 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.4%
9 | Win32/Vobfus | Worms | 4.3%
10 | Win32/Reveton | Misc. Trojans | 4.2%



The most common threat family in Poland in 4Q12 was Win32/DealPly, which affected 10.6 percent of computers with detections in Poland. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Poland in 4Q12 was Win32/Keygen, which affected 10.6 percent of computers with detections in Poland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Poland in 4Q12 was Win32/Pdfjsc, which affected 8.4 percent of computers with detections in Poland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Poland in 4Q12 was INF/Autorun, which affected 6.9 percent of computers with detections in Poland. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Poland

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 5.51 (5.41) | 4.21 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 4.35 (9.46) | 6.37 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.52 (0.33)


Portugal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Portugal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Portugal

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 6.4 | 5.1 | 3.8 | 3.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Portugal and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.3 of every 1,000 computers scanned in Portugal in 4Q12 (a CCM score of 3.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Portugal over the last six quarters, compared to the world as a whole.
CCM infection trends in Portugal and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Portugal.]


Threat categories
Malware and potentially unwanted software categories in Portugal in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Portugal and Worldwide.]



The most common category in Portugal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Portugal in 4Q12 was Miscellaneous Trojans. It affected 25.9 percent of all computers with detections there, down from 30.0 percent in 3Q12. The third most common category in Portugal in 4Q12 was Exploits, which affected 25.7 percent of all computers with detections there, up from 15.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Portugal in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.5%
2 | Win32/Pdfjsc | Exploits | 15.7%
3 | Win32/DealPly | Adware | 15.2%
4 | Java/Blacole | Exploits | 9.3%
5 | JS/IframeRef | Misc. Trojans | 7.0%
6 | Win32/Reveton | Misc. Trojans | 6.0%
7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8%
8 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5%
9 | Win32/OpenCandy | Adware | 3.4%
10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.4%



The most common threat family in Portugal in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Portugal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Portugal in 4Q12 was Win32/Pdfjsc, which affected 15.7 percent of computers with detections in Portugal. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Portugal in 4Q12 was Win32/DealPly, which affected 15.2 percent of computers with detections in Portugal. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Portugal in 4Q12 was Java/Blacole, which affected 9.3 percent of computers with detections in Portugal. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Portugal

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 8.14 (5.41) | 5.31 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 6.94 (9.46) | 6.51 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.95 (0.56) | 0.58 (0.33)


Puerto Rico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Puerto Rico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Puerto Rico

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 6.7 | 5.9 | 4.9 | 4.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Puerto Rico and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Puerto Rico in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Puerto Rico over the last six quarters, compared to the world as a whole.
CCM infection trends in Puerto Rico and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Puerto Rico.]


Threat categories
Malware and potentially unwanted software categories in Puerto Rico in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Puerto Rico and Worldwide.]



The most common category in Puerto Rico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.7 percent of all computers with detections there, up from 27.2 percent in 3Q12. The second most common category in Puerto Rico in 4Q12 was Worms. It affected 32.6 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Puerto Rico in 4Q12 was Miscellaneous Trojans, which affected 24.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Puerto Rico in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 12.3%
2 | Win32/Vobfus | Worms | 11.4%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.0%
4 | Win32/Hotbar | Adware | 8.3%
5 | JS/IframeRef | Misc. Trojans | 8.1%
6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.6%
7 | Win32/Brontok | Worms | 6.7%
8 | Win32/OpenCandy | Adware | 4.1%
9 | Win32/Dorkbot | Worms | 3.2%
10 | Win32/Hamweq | Worms | 3.2%



The most common threat family in Puerto Rico in 4Q12 was INF/Autorun, which affected 12.3 percent of computers with detections in Puerto Rico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Puerto Rico in 4Q12 was Win32/Vobfus, which affected 11.4 percent of computers with detections in Puerto Rico. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in Puerto Rico in 4Q12 was Win32/Keygen, which affected 11.0 percent of computers with detections in Puerto Rico. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Puerto Rico in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Puerto Rico. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Puerto Rico

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.98 (5.41) | 1.90 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 9.51 (9.46) | 13.95 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.19 (0.56) | 0.12 (0.33)


Qatar
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Qatar in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Qatar

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 12.1 | 11.6 | 9.0 | 8.6
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Qatar and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 8.6 of every 1,000 computers scanned in Qatar in 4Q12 (a CCM score of 8.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Qatar over the last six quarters, compared to the world as a whole.
CCM infection trends in Qatar and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Qatar.]


Threat categories
Malware and potentially unwanted software categories in Qatar in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Qatar and Worldwide.]



The most common category in Qatar in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.5 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Qatar in 4Q12 was Worms. It affected 35.4 percent of all computers with detections there, up from 28.2 percent in 3Q12. The third most common category in Qatar in 4Q12 was Miscellaneous Trojans, which affected 30.0 percent of all computers with detections there, up from 24.3 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Qatar in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 15.8%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.2%
3 | Win32/Hotbar | Adware | 7.6%
4 | Win32/Nuqel | Worms | 7.5%
5 | Win32/Sality | Viruses | 7.4%
6 | Win32/Dorkbot | Worms | 5.7%
7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.7%
8 | JS/IframeRef | Misc. Trojans | 5.6%
9 | Win32/Rimecud | Misc. Trojans | 4.2%
10 | Win32/Conficker | Worms | 4.0%



The most common threat family in Qatar in 4Q12 was INF/Autorun, which affected 15.8 percent of computers with detections in Qatar. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Qatar in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Qatar. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Qatar in 4Q12 was Win32/Hotbar, which affected 7.6 percent of computers with detections in Qatar. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in Qatar in 4Q12 was Win32/Nuqel, which affected 7.5 percent of computers with detections in Qatar. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Qatar

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33)


Romania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Romania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Romania

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 14.9 | 15.0 | 12.9 | 12.4
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Romania and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.4 of every 1,000 computers scanned in Romania in 4Q12 (a CCM score of 12.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Romania over the last six quarters, compared to the world as a whole.
CCM infection trends in Romania and worldwide

[Figure not reproduced. Axes: Computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide and Romania.]


Threat categories
Malware and potentially unwanted software categories in Romania in 4Q12, by percentage of computers reporting detections

[Figure not reproduced. Axis: Percent of computers reporting detections; series: Romania and Worldwide.]



The most common category in Romania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Romania in 4Q12 was Miscellaneous Trojans. It affected 30.1 percent of all computers with detections there, up from 29.3 percent in 3Q12. The third most common category in Romania in 4Q12 was Worms, which affected 22.1 percent of all computers with detections there, up from 21.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Romania in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.0%
2 | Win32/Sality | Viruses | 12.7%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.1%
4 | Win32/Conficker | Worms | 5.8%
5 | JS/IframeRef | Misc. Trojans | 5.8%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.5%
7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.4%
8 | Win32/Brontok | Worms | 3.9%
9 | Win32/Pdfjsc | Exploits | 3.8%
10 | Win32/Dorkbot | Worms | 3.2%



The most common threat family in Romania in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Romania. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Romania in 4Q12 was Win32/Sality, which affected 12.7 percent of computers with detections in Romania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Romania in 4Q12 was INF/Autorun, which affected 11.1 percent of computers with detections in Romania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Romania in 4Q12 was Win32/Conficker, which affected 5.8 percent of computers with detections in Romania. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Romania

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 9.58 (5.41) | 8.00 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 13.93 (9.46) | 16.50 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.57 (0.56) | 0.39 (0.33)


Russia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Russia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Russia

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 6.2 | 6.7 | 5.5 | 5.0
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Russia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.0 of every 1,000 computers scanned in Russia in 4Q12 (a CCM score of 5.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Russia over the last six quarters, compared to the world as a whole.
CCM infection trends in Russia and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Russia]

Threat categories
Malware and potentially unwanted software categories in Russia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections; series: Russia, Worldwide]



The most common category in Russia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.0 percent of all computers with detections there, down from 52.3 percent in 3Q12. The second most common category in Russia in 4Q12 was Miscellaneous Trojans. It affected 37.1 percent of all computers with detections there, up from 36.6 percent in 3Q12. The third most common category in Russia in 4Q12 was Worms, which affected 17.5 percent of all computers with detections there, up from 15.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Russia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.7%
2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 11.5%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 10.4%
4 | JS/Redirector | Misc. Trojans | 7.9%
5 | Win32/Vundo | Misc. Trojans | 7.3%
6 | Win32/Dorkbot | Worms | 6.9%
7 | Win32/Pdfjsc | Exploits | 5.9%
8 | Java/Blacole | Exploits | 5.3%
9 | INF/Autorun | Misc. Potentially Unwanted Software | 5.0%
10 | Win32/Webalta | Adware | 4.7%



The most common threat family in Russia in 4Q12 was Win32/Keygen, which affected 18.7 percent of computers with detections in Russia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Russia in 4Q12 was Win32/Pameseg, which affected 11.5 percent of computers with detections in Russia. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Russia in 4Q12 was Win32/Obfuscator, which affected 10.4 percent of computers with detections in Russia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Russia in 4Q12 was JS/Redirector, which affected 7.9 percent of computers with detections in Russia. JS/Redirector is a detection for a class of JavaScript trojans that redirect users to unexpected websites, which may contain drive-by downloads.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Russia

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.06 (5.41) | 8.32 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 12.30 (9.46) | 15.87 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.10 (0.56) | 1.03 (0.33)


Saudi Arabia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Saudi Arabia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Saudi Arabia

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 14.0 | 13.4 | 10.7 | 11.4
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Saudi Arabia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 11.4 of every 1,000 computers scanned in Saudi Arabia in 4Q12 (a CCM score of 11.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Saudi Arabia over the last six quarters, compared to the world as a whole.
CCM infection trends in Saudi Arabia and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Saudi Arabia]

Threat categories
Malware and potentially unwanted software categories in Saudi Arabia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections; series: Saudi Arabia, Worldwide]



The most common category in Saudi Arabia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Saudi Arabia in 4Q12 was Miscellaneous Trojans. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in Saudi Arabia in 4Q12 was Worms, which affected 31.8 percent of all computers with detections there, up from 21.3 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Saudi Arabia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.9%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 14.4%
3 | Win32/Sality | Viruses | 10.8%
4 | Win32/Ramnit | Misc. Trojans | 7.4%
5 | Win32/Dorkbot | Worms | 6.9%
6 | Win32/CplLnk | Exploits | 6.7%
7 | JS/IframeRef | Misc. Trojans | 6.1%
8 | Win32/Vobfus | Worms | 4.0%
9 | Win32/Hotbar | Adware | 3.8%
10 | Win32/Mabezat | Viruses | 3.5%



The most common threat family in Saudi Arabia in 4Q12 was Win32/Keygen, which affected 19.9 percent of computers with detections in Saudi Arabia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Saudi Arabia in 4Q12 was INF/Autorun, which affected 14.4 percent of computers with detections in Saudi Arabia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Saudi Arabia in 4Q12 was Win32/Sality, which affected 10.8 percent of computers with detections in Saudi Arabia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Saudi Arabia in 4Q12 was Win32/Ramnit, which affected 7.4 percent of computers with detections in Saudi Arabia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Saudi Arabia

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 20.02 (5.41) | 3.74 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 19.14 (9.46) | 13.86 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.01 (0.33)


Senegal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Senegal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Senegal

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 11.5 | 9.7 | 8.5 | 9.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Senegal and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 9.2 of every 1,000 computers scanned in Senegal in 4Q12 (a CCM score of 9.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Senegal over the last six quarters, compared to the world as a whole.
CCM infection trends in Senegal and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Senegal]

Threat categories
Malware and potentially unwanted software categories in Senegal in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections; series: Senegal, Worldwide]



The most common category in Senegal in 4Q12 was Worms. It affected 45.3 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Senegal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.9 percent of all computers with detections there, up from 35.7 percent in 3Q12. The third most common category in Senegal in 4Q12 was Miscellaneous Trojans, which affected 27.7 percent of all computers with detections there, up from 26.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Senegal in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 27.6%
2 | Win32/Sality | Viruses | 15.1%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.0%
4 | Win32/Vobfus | Worms | 11.1%
5 | VBS/Cinera | Worms | 11.1%
6 | Win32/Ramnit | Misc. Trojans | 7.9%
7 | Win32/CplLnk | Exploits | 6.4%
8 | Win32/Dorkbot | Worms | 5.9%
9 | Win32/DealPly | Adware | 5.3%
10 | Win32/Virut | Viruses | 4.8%



The most common threat family in Senegal in 4Q12 was INF/Autorun, which affected 27.6 percent of computers with detections in Senegal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Senegal in 4Q12 was Win32/Sality, which affected 15.1 percent of computers with detections in Senegal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Senegal in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Senegal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Senegal in 4Q12 was Win32/Vobfus, which affected 11.1 percent of computers with detections in Senegal. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Senegal

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | 0.44 (0.33)


Singapore
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Singapore in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Singapore

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 5.6 | 4.4 | 3.9 | 3.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Singapore and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.7 of every 1,000 computers scanned in Singapore in 4Q12 (a CCM score of 3.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Singapore over the last six quarters, compared to the world as a whole.
CCM infection trends in Singapore and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Singapore]

Threat categories
Malware and potentially unwanted software categories in Singapore in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections; series: Singapore, Worldwide]



The most common category in Singapore in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 28.4 percent in 3Q12. The second most common category in Singapore in 4Q12 was Miscellaneous Trojans. It affected 27.5 percent of all computers with detections there, up from 25.6 percent in 3Q12. The third most common category in Singapore in 4Q12 was Worms, which affected 23.4 percent of all computers with detections there, up from 21.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Singapore in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 9.8%
3 | Win32/Hotbar | Adware | 9.2%
4 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.9%
5 | JS/IframeRef | Misc. Trojans | 6.2%
6 | Win32/Dorkbot | Worms | 5.8%
7 | Win32/OpenCandy | Adware | 4.6%
8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.3%
9 | Win32/Sality | Viruses | 4.0%
10 | Win32/Ramnit | Misc. Trojans | 3.3%



The most common threat family in Singapore in 4Q12 was Win32/Keygen, which affected 14.6 percent of computers with detections in Singapore. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Singapore in 4Q12 was INF/Autorun, which affected 9.8 percent of computers with detections in Singapore. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Singapore in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Singapore. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Singapore in 4Q12 was Win32/Zwangi, which affected 7.9 percent of computers with detections in Singapore. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Singapore

Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.05 (5.41) | 5.98 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.72 (9.46) | 9.76 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.76 (0.56) | 0.50 (0.33)


Slovakia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovakia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovakia

Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.4 | 3.0 | 2.8 | 2.6
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovakia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.6 of every 1,000 computers scanned in Slovakia in 4Q12 (a CCM score of 2.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Slovakia over the last six quarters, compared to the world as a whole.
CCM infection trends in Slovakia and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Slovakia]

Threat categories
Malware and potentially unwanted software categories in Slovakia in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections; series: Slovakia, Worldwide]



The most common category in Slovakia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.3 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Slovakia in 4Q12 was Miscellaneous Trojans. It affected 26.9 percent of all computers with detections there, down from 27.3 percent in 3Q12. The third most common category in Slovakia in 4Q12 was Adware, which affected 16.9 percent of all computers with detections there, down from 29.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Slovakia in 4Q12

Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | Win32/Pdfjsc | Exploits | 7.4%
3 | JS/IframeRef | Misc. Trojans | 7.1%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.4%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.8%
6 | Java/Blacole | Exploits | 5.5%
7 | Win32/OpenCandy | Adware | 4.8%
8 | Win32/Dorkbot | Worms | 4.1%
9 | Win32/Hotbar | Adware | 3.9%
10 | Win32/Reveton | Misc. Trojans | 3.4%



The most common threat family in Slovakia in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Slovakia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovakia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Slovakia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovakia in 4Q12 was JS/IframeRef, which affected 7.1 percent of computers with detections in Slovakia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Slovakia in 4Q12 was Win32/Obfuscator, which affected 6.4 percent of computers with detections in Slovakia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovakia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 2.83 (5.41) | 5.81 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 6.28 (9.46) | 8.01 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.16 (0.56) | 0.22 (0.33) |


Slovenia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovenia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovenia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.2 | 4.0 | 4.3 | 3.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovenia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.4 of every 1,000 computers scanned in Slovenia in 4Q12 (a CCM score of 3.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Slovenia over the last six quarters, compared to the world as a whole.
CCM infection trends in Slovenia and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Slovenia]


Threat categories
Malware and potentially unwanted software categories in Slovenia in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: Slovenia, Worldwide]



The most common category in Slovenia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 37.9 percent in 3Q12. The second most common category in Slovenia in 4Q12 was Miscellaneous Trojans. It affected 27.1 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Slovenia in 4Q12 was Exploits, which affected 15.7 percent of all computers with detections there, up from 4.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Slovenia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.0% |
| 2 | Win32/Pdfjsc | Exploits | 11.2% |
| 3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.5% |
| 4 | JS/IframeRef | Misc. Trojans | 5.3% |
| 5 | JS/BlacoleRef | Misc. Trojans | 5.2% |
| 6 | Win32/Hotbar | Adware | 4.9% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 4.8% |
| 8 | INF/Autorun | Misc. Potentially Unwanted Software | 4.3% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.9% |
| 10 | Java/Blacole | Exploits | 3.6% |



The most common threat family in Slovenia in 4Q12 was Win32/Keygen, which affected 23.0 percent of computers with detections in Slovenia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovenia in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Slovenia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovenia in 4Q12 was Win32/Obfuscator, which affected 6.5 percent of computers with detections in Slovenia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Slovenia in 4Q12 was JS/IframeRef, which affected 5.3 percent of computers with detections in Slovenia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovenia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.02 (5.41) | 4.02 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 2.72 (9.46) | 4.02 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.69 (0.56) | 0.86 (0.33) |


South Africa
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in South Africa in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for South Africa

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 7.9 | 6.9 | 6.4 | 6.5 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in South Africa and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 6.5 of every 1,000 computers scanned in South Africa in 4Q12 (a CCM score of 6.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for South Africa over the last six quarters, compared to the world as a whole.
CCM infection trends in South Africa and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, South Africa]


Threat categories
Malware and potentially unwanted software categories in South Africa in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: South Africa, Worldwide]



The most common category in South Africa in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in South Africa in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.1 percent of all computers with detections there, up from 32.9 percent in 3Q12. The third most common category in South Africa in 4Q12 was Miscellaneous Trojans, which affected 26.8 percent of all computers with detections there, up from 26.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in South Africa in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 18.0% |
| 2 | Win32/Vobfus | Worms | 12.9% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.4% |
| 4 | Win32/Rimecud | Misc. Trojans | 6.7% |
| 5 | Win32/Dorkbot | Worms | 5.6% |
| 6 | Win32/Nuqel | Worms | 5.5% |
| 7 | Win32/Virut | Viruses | 5.2% |
| 8 | JS/IframeRef | Misc. Trojans | 5.2% |
| 9 | Win32/Folstart | Worms | 4.7% |
| 10 | Win32/Sality | Viruses | 4.7% |



The most common threat family in South Africa in 4Q12 was INF/Autorun, which affected 18.0 percent of computers with detections in South Africa. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in South Africa in 4Q12 was Win32/Vobfus, which affected 12.9 percent of computers with detections in South Africa. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in South Africa in 4Q12 was Win32/Keygen, which affected 12.4 percent of computers with detections in South Africa. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in South Africa in 4Q12 was Win32/Rimecud, which affected 6.7 percent of computers with detections in South Africa. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for South Africa

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 8.26 (5.41) | 8.98 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 12.18 (9.46) | 13.68 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.50 (0.56) | 0.36 (0.33) |


Spain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Spain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Spain

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 7.3 | 5.4 | 4.0 | 3.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Spain and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.6 of every 1,000 computers scanned in Spain in 4Q12 (a CCM score of 3.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Spain over the last six quarters, compared to the world as a whole.
CCM infection trends in Spain and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Spain]


Threat categories
Malware and potentially unwanted software categories in Spain in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: Spain, Worldwide]



The most common category in Spain in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 35.0 percent of all computers with detections there, up from 26.0 percent in 3Q12. The second most common category in Spain in 4Q12 was Adware. It affected 32.4 percent of all computers with detections there, down from 35.9 percent in 3Q12. The third most common category in Spain in 4Q12 was Miscellaneous Trojans, which affected 22.4 percent of all computers with detections there, down from 25.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Spain in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 17.2% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.5% |
| 3 | Win32/Pdfjsc | Exploits | 7.9% |
| 4 | ASX/Wimad | Trojan Downloaders & Droppers | 5.5% |
| 5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.9% |
| 7 | Java/Blacole | Exploits | 4.8% |
| 8 | Win32/Pameseg | Misc. Potentially Unwanted Software | 4.2% |
| 9 | JS/IframeRef | Misc. Trojans | 4.0% |
| 10 | Win32/Sirefef | Misc. Trojans | 4.0% |



The most common threat family in Spain in 4Q12 was Win32/DealPly, which affected 17.2 percent of computers with detections in Spain. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Spain in 4Q12 was Win32/Keygen, which affected 13.5 percent of computers with detections in Spain. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Spain in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Spain. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Spain in 4Q12 was ASX/Wimad, which affected 5.5 percent of computers with detections in Spain. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Spain

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.90 (5.41) | 4.80 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.70 (9.46) | 8.73 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.86 (0.56) | 0.23 (0.33) |


Sri Lanka
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sri Lanka in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sri Lanka

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 10.5 | 10.0 | 9.9 | 8.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sri Lanka and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 8.2 of every 1,000 computers scanned in Sri Lanka in 4Q12 (a CCM score of 8.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Sri Lanka over the last six quarters, compared to the world as a whole.
CCM infection trends in Sri Lanka and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Sri Lanka]


Threat categories
Malware and potentially unwanted software categories in Sri Lanka in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: Sri Lanka, Worldwide]



The most common category in Sri Lanka in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.1 percent of all computers with detections there, up from 41.6 percent in 3Q12. The second most common category in Sri Lanka in 4Q12 was Worms. It affected 40.2 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Sri Lanka in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 30.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Sri Lanka in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 27.5% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.1% |
| 3 | Win32/Sality | Viruses | 18.8% |
| 4 | Win32/Ramnit | Misc. Trojans | 13.1% |
| 5 | Win32/CplLnk | Exploits | 12.6% |
| 6 | Win32/Nuqel | Worms | 11.4% |
| 7 | Win32/Dorkbot | Worms | 10.1% |
| 8 | Win32/Delicium | Viruses | 9.1% |
| 9 | Win32/Rimecud | Misc. Trojans | 5.9% |
| 10 | Win32/Virut | Viruses | 4.9% |



The most common threat family in Sri Lanka in 4Q12 was INF/Autorun, which affected 27.5 percent of computers with detections in Sri Lanka. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Sri Lanka in 4Q12 was Win32/Keygen, which affected 22.1 percent of computers with detections in Sri Lanka. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Sri Lanka in 4Q12 was Win32/Sality, which affected 18.8 percent of computers with detections in Sri Lanka. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Sri Lanka in 4Q12 was Win32/Ramnit, which affected 13.1 percent of computers with detections in Sri Lanka. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.


Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sri Lanka

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.06 (0.33) |


Sweden
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sweden in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sweden

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.8 | 2.1 | 2.8 | 1.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sweden and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in Sweden in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Sweden over the last six quarters, compared to the world as a whole.
CCM infection trends in Sweden and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Sweden]


Threat categories
Malware and potentially unwanted software categories in Sweden in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: Sweden, Worldwide]



The most common category in Sweden in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, up from 27.7 percent in 3Q12. The second most common category in Sweden in 4Q12 was Miscellaneous Trojans. It affected 30.0 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Sweden in 4Q12 was Adware, which affected 25.4 percent of all computers with detections there, down from 27.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Sweden in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.5% |
| 2 | Win32/DealPly | Adware | 12.0% |
| 3 | Win32/Pdfjsc | Exploits | 10.5% |
| 4 | JS/IframeRef | Misc. Trojans | 8.0% |
| 5 | Java/Blacole | Exploits | 7.2% |
| 6 | Win32/Hotbar | Adware | 6.7% |
| 7 | Win32/Sirefef | Misc. Trojans | 5.3% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.7% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.6% |
| 10 | Win32/OpenCandy | Adware | 3.0% |



The most common threat family in Sweden in 4Q12 was Win32/Keygen, which affected 14.5 percent of computers with detections in Sweden. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Sweden in 4Q12 was Win32/DealPly, which affected 12.0 percent of computers with detections in Sweden. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Sweden in 4Q12 was Win32/Pdfjsc, which affected 10.5 percent of computers with detections in Sweden. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Sweden in 4Q12 was JS/IframeRef, which affected 8.0 percent of computers with detections in Sweden. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sweden

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.24 (5.41) | 2.77 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.08 (9.46) | 5.36 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.12 (0.56) | 0.12 (0.33) |


Switzerland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Switzerland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Switzerland

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.8 | 1.7 | 2.3 | 1.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Switzerland and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in Switzerland in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Switzerland over the last six quarters, compared to the world as a whole.
CCM infection trends in Switzerland and worldwide

[Figure: line chart of computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Switzerland]


Threat categories
Malware and potentially unwanted software categories in Switzerland in 4Q12, by percentage of computers reporting detections

[Figure: chart of percent of computers reporting detections, by threat category; series: Switzerland, Worldwide]



The most common category in Switzerland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 25.1 percent in 3Q12. The second most common category in Switzerland in 4Q12 was Miscellaneous Trojans. It affected 27.6 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Switzerland in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 29.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Switzerland in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.2% |
| 2 | Win32/Pdfjsc | Exploits | 9.3% |
| 3 | JS/IframeRef | Misc. Trojans | 7.7% |
| 4 | Win32/DealPly | Adware | 6.8% |
| 5 | Java/Blacole | Exploits | 6.4% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.7% |
| 7 | Win32/Hotbar | Adware | 5.4% |
| 8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.7% |
| 9 | Win32/OpenCandy | Adware | 4.2% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4% |



The most common threat family in Switzerland in 4Q12 was Win32/Keygen, which affected 12.2 percent of computers with detections in Switzerland. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Switzerland in 4Q12 was Win32/Pdfjsc, which affected 9.3 percent of computers with detections in Switzerland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.

The third most common threat family in Switzerland in 4Q12 was JS/IframeRef, which affected 7.7 percent of computers with detections in Switzerland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.

The fourth most common threat family in Switzerland in 4Q12 was Win32/DealPly, which affected 6.8 percent of computers with detections in Switzerland. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Switzerland

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.01 (5.41) | 3.36 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.95 (9.46) | 7.14 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.33 (0.56) | 0.36 (0.33) |


Syria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Syria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Syria

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 16.2 | 19.8 | 19.1 | 23.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Syria and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 23.1 of every 1,000 computers scanned in Syria in 4Q12 (a CCM score of 23.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Syria over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Syria and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Syria.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Syria in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Syria, Worldwide.]



The most common category in Syria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.4 percent of all computers with detections there, up from 37.8 percent in 3Q12. The second most common category in Syria in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 33.7 percent in 3Q12. The third most common category in Syria in 4Q12 was Miscellaneous Trojans, which affected 35.4 percent of all computers with detections there, up from 30.9 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Syria in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.1% |
| 2 | Win32/Sality | Viruses | 20.5% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 18.9% |
| 4 | Win32/Ramnit | Misc. Trojans | 17.3% |
| 5 | Win32/CplLnk | Exploits | 13.3% |
| 6 | Win32/Dorkbot | Worms | 12.4% |
| 7 | Win32/Virut | Viruses | 9.1% |
| 8 | Win32/Folstart | Worms | 9.0% |
| 9 | Win32/Nuqel | Worms | 6.4% |
| 10 | JS/IframeRef | Misc. Trojans | 5.4% |



The most common threat family in Syria in 4Q12 was Win32/Keygen, which affected 26.1 percent of computers with detections in Syria. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Syria in 4Q12 was Win32/Sality, which affected 20.5 percent of computers with detections in Syria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The third most common threat family in Syria in 4Q12 was INF/Autorun, which affected 18.9 percent of computers with detections in Syria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The fourth most common threat family in Syria in 4Q12 was Win32/Ramnit, which affected 17.3 percent of computers with detections in Syria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Syria

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 3.76 (0.56) | 3.71 (0.33) |


Taiwan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Taiwan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Taiwan

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.9 | 5.3 | 4.8 | 5.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Taiwan and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.2 of every 1,000 computers scanned in Taiwan in 4Q12 (a CCM score of 5.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Taiwan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Taiwan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Taiwan.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Taiwan in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Taiwan, Worldwide.]



The most common category in Taiwan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.4 percent of all computers with detections there, up from 40.2 percent in 3Q12. The second most common category in Taiwan in 4Q12 was Miscellaneous Trojans. It affected 32.9 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Taiwan in 4Q12 was Worms, which affected 21.0 percent of all computers with detections there, down from 21.4 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Taiwan in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.5% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 12.1% |
| 3 | JS/IframeRef | Misc. Trojans | 6.5% |
| 4 | Win32/Conficker | Worms | 6.0% |
| 5 | Win32/Taterf | Worms | 4.9% |
| 6 | Win32/Nitol | Misc. Trojans | 4.9% |
| 7 | Win32/Rimecud | Misc. Trojans | 4.4% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.0% |
| 9 | Win32/FlyAgent | Backdoors | 3.8% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6% |



The most common threat family in Taiwan in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Taiwan. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Taiwan in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Taiwan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The third most common threat family in Taiwan in 4Q12 was JS/IframeRef, which affected 6.5 percent of computers with detections in Taiwan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.

The fourth most common threat family in Taiwan in 4Q12 was Win32/Conficker, which affected 6.0 percent of computers with detections in Taiwan. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Taiwan

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 2.96 (5.41) | 3.30 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.37 (9.46) | 15.67 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.39 (0.56) | 0.33 (0.33) |


Tanzania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tanzania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tanzania

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 10.1 | 9.8 | 7.8 | 7.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tanzania and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Tanzania in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Tanzania over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Tanzania and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Tanzania.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Tanzania in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Tanzania, Worldwide.]



The most common category in Tanzania in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, down from 41.8 percent in 3Q12. The second most common category in Tanzania in 4Q12 was Miscellaneous Trojans. It affected 38.3 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Tanzania in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.4 percent of all computers with detections there, up from 33.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Tanzania in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.6% |
| 2 | Win32/Ramnit | Misc. Trojans | 14.9% |
| 3 | Win32/Vobfus | Worms | 13.8% |
| 4 | Win32/Sality | Viruses | 13.1% |
| 5 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.3% |
| 6 | Win32/CplLnk | Exploits | 10.2% |
| 7 | Win32/Dorkbot | Worms | 9.9% |
| 8 | Win32/Virut | Viruses | 9.9% |
| 9 | Win32/Rimecud | Misc. Trojans | 8.6% |
| 10 | Win32/Enosch | Misc. Trojans | 6.8% |



The most common threat family in Tanzania in 4Q12 was INF/Autorun, which affected 19.6 percent of computers with detections in Tanzania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in Tanzania in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Tanzania. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

The third most common threat family in Tanzania in 4Q12 was Win32/Vobfus, which affected 13.8 percent of computers with detections in Tanzania. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.

The fourth most common threat family in Tanzania in 4Q12 was Win32/Sality, which affected 13.1 percent of computers with detections in Tanzania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tanzania

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.97 (0.56) | 0.66 (0.33) |


Thailand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Thailand in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Thailand

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 18.9 | 17.3 | 18.0 | 21.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Thailand and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 21.0 of every 1,000 computers scanned in Thailand in 4Q12 (a CCM score of 21.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Thailand over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Thailand and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Thailand.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Thailand in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Thailand, Worldwide.]



The most common category in Thailand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.0 percent of all computers with detections there, up from 41.0 percent in 3Q12. The second most common category in Thailand in 4Q12 was Miscellaneous Trojans. It affected 37.0 percent of all computers with detections there, up from 36.8 percent in 3Q12. The third most common category in Thailand in 4Q12 was Worms, which affected 29.3 percent of all computers with detections there, down from 32.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Thailand in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 24.4% |
| 2 | Win32/Sality | Viruses | 17.0% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 12.2% |
| 4 | Win32/Dorkbot | Worms | 8.0% |
| 5 | JS/IframeRef | Misc. Trojans | 7.6% |
| 6 | Win32/Ramnit | Misc. Trojans | 6.7% |
| 7 | Win32/Nitol | Misc. Trojans | 6.1% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.6% |
| 9 | Win32/Nuqel | Worms | 4.7% |
| 10 | Win32/Conficker | Worms | 4.7% |



The most common threat family in Thailand in 4Q12 was Win32/Keygen, which affected 24.4 percent of computers with detections in Thailand. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Thailand in 4Q12 was Win32/Sality, which affected 17.0 percent of computers with detections in Thailand. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The third most common threat family in Thailand in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in Thailand. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The fourth most common threat family in Thailand in 4Q12 was Win32/Dorkbot, which affected 8.0 percent of computers with detections in Thailand. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Thailand

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 13.59 (5.41) | 11.23 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 23.23 (9.46) | 23.09 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.79 (0.56) | 0.66 (0.33) |


Trinidad and Tobago
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Trinidad and Tobago in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Trinidad and Tobago

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.5 | 7.2 | 5.8 | 5.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Trinidad and Tobago and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.0 of every 1,000 computers scanned in Trinidad and Tobago in 4Q12 (a CCM score of 5.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Trinidad and Tobago over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Trinidad and Tobago and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Trinidad and Tobago.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Trinidad and Tobago in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Trinidad and Tobago, Worldwide.]



The most common category in Trinidad and Tobago in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Trinidad and Tobago in 4Q12 was Worms. It affected 31.1 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Trinidad and Tobago in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 32.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Trinidad and Tobago in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 14.6% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.1% |
| 3 | Win32/Hotbar | Adware | 13.2% |
| 4 | Win32/Vobfus | Worms | 10.5% |
| 5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.6% |
| 6 | Win32/Dorkbot | Worms | 6.3% |
| 7 | Win32/Brontok | Worms | 4.9% |
| 8 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.8% |
| 9 | Win32/OpenCandy | Adware | 4.1% |
| 10 | JS/IframeRef | Misc. Trojans | 4.0% |



The most common threat family in Trinidad and Tobago in 4Q12 was INF/Autorun, which affected 14.6 percent of computers with detections in Trinidad and Tobago. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in Trinidad and Tobago in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in Trinidad and Tobago. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The third most common threat family in Trinidad and Tobago in 4Q12 was Win32/Hotbar, which affected 13.2 percent of computers with detections in Trinidad and Tobago. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.

The fourth most common threat family in Trinidad and Tobago in 4Q12 was Win32/Vobfus, which affected 10.5 percent of computers with detections in Trinidad and Tobago. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Trinidad and Tobago

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |


Tunisia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tunisia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tunisia

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.3 | 14.3 | 10.9 | 12.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tunisia and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 12.9 of every 1,000 computers scanned in Tunisia in 4Q12 (a CCM score of 12.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Tunisia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Tunisia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Tunisia.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Tunisia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Tunisia, Worldwide.]



The most common category in Tunisia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.3 percent of all computers with detections there, up from 35.9 percent in 3Q12. The second most common category in Tunisia in 4Q12 was Worms. It affected 34.9 percent of all computers with detections there, up from 30.9 percent in 3Q12. The third most common category in Tunisia in 4Q12 was Miscellaneous Trojans, which affected 29.3 percent of all computers with detections there, up from 24.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Tunisia in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.0% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.0% |
| 3 | Win32/Ramnit | Misc. Trojans | 13.4% |
| 4 | Win32/Sality | Viruses | 11.5% |
| 5 | Win32/Vobfus | Worms | 11.0% |
| 6 | Win32/CplLnk | Exploits | 10.9% |
| 7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.6% |
| 8 | Win32/Mabezat | Viruses | 6.4% |
| 9 | Win32/Hotbar | Adware | 6.1% |
| 10 | Win32/Dorkbot | Worms | 5.7% |



The most common threat family in Tunisia in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in Tunisia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in Tunisia in 4Q12 was Win32/Keygen, which affected 19.0 percent of computers with detections in Tunisia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The third most common threat family in Tunisia in 4Q12 was Win32/Ramnit, which affected 13.4 percent of computers with detections in Tunisia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

The fourth most common threat family in Tunisia in 4Q12 was Win32/Sality, which affected 11.5 percent of computers with detections in Tunisia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tunisia

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 8.05 (5.41) | 5.12 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.37 (9.46) | 10.25 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.04 (0.56) | 0.00 (0.33) |


Turkey
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Turkey in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Turkey

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 31.9 | 26.7 | 20.9 | 20.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Turkey and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 20.7 of every 1,000 computers scanned in Turkey in 4Q12 (a CCM score of 20.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Turkey over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Turkey and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Turkey.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Turkey in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Turkey, Worldwide.]



The most common category in Turkey in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.7 percent of all computers with detections there, up from 29.3 percent in 3Q12. The second most common category in Turkey in 4Q12 was Miscellaneous Trojans. It affected 34.7 percent of all computers with detections there, up from 33.6 percent in 3Q12. The third most common category in Turkey in 4Q12 was Worms, which affected 34.7 percent of all computers with detections there, up from 28.7 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Turkey in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.0% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 13.7% |
| 3 | Win32/Sality | Viruses | 12.0% |
| 4 | Win32/Helompy | Worms | 10.3% |
| 5 | Win32/Nuqel | Worms | 7.9% |
| 6 | JS/BlacoleRef | Misc. Trojans | 6.4% |
| 7 | Win32/DealPly | Adware | 6.1% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.7% |
| 9 | Win32/Brontok | Worms | 5.1% |
| 10 | JS/IframeRef | Misc. Trojans | 5.1% |



The most common threat family in Turkey in 4Q12 was Win32/Keygen, which affected 15.0 percent of computers with detections in Turkey. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Turkey in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in Turkey. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The third most common threat family in Turkey in 4Q12 was Win32/Sality, which affected 12.0 percent of computers with detections in Turkey. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The fourth most common threat family in Turkey in 4Q12 was Win32/Helompy, which affected 10.3 percent of computers with detections in Turkey. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Turkey

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 9.03 (5.41) | 7.77 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 13.35 (9.46) | 13.03 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.41 (0.56) | 0.46 (0.33) |


Uganda
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uganda in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uganda

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.4 | 11.1 | 8.2 | 8.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uganda and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 8.2 of every 1,000 computers scanned in Uganda in 4Q12 (a CCM score of 8.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Uganda over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Uganda and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Uganda.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Uganda in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Uganda, Worldwide.]



The most common category in Uganda in 4Q12 was Worms. It affected 43.9 percent of all computers with detections there, down from 46.2 percent in 3Q12. The second most common category in Uganda in 4Q12 was Miscellaneous Trojans. It affected 39.3 percent of all computers with detections there, up from 34.8 percent in 3Q12. The third most common category in Uganda in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 33.9 percent of all computers with detections there, up from 33.6 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Uganda in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.0% |
| 2 | Win32/Vobfus | Worms | 19.3% |
| 3 | Win32/Sality | Viruses | 14.3% |
| 4 | Win32/Ramnit | Misc. Trojans | 14.0% |
| 5 | Win32/CplLnk | Exploits | 11.5% |
| 6 | Win32/Dorkbot | Worms | 11.1% |
| 7 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0% |
| 8 | Win32/Virut | Viruses | 7.2% |
| 9 | Win32/Rimecud | Misc. Trojans | 6.8% |
| 10 | Win32/Enosch | Misc. Trojans | 6.4% |



The most common threat family in Uganda in 4Q12 was INF/Autorun, which affected 20.0 percent of computers with detections in Uganda. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in Uganda in 4Q12 was Win32/Vobfus, which affected 19.3 percent of computers with detections in Uganda. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.

The third most common threat family in Uganda in 4Q12 was Win32/Sality, which affected 14.3 percent of computers with detections in Uganda. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The fourth most common threat family in Uganda in 4Q12 was Win32/Ramnit, which affected 14.0 percent of computers with detections in Uganda. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uganda

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.35 (0.56) | 0.43 (0.33) |


Ukraine
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ukraine in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ukraine

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.6 | 7.0 | 7.9 | 7.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ukraine and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 7.2 of every 1,000 computers scanned in Ukraine in 4Q12 (a CCM score of 7.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ukraine over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Ukraine and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Ukraine.]


Threat categories
[Figure: Malware and potentially unwanted software categories in Ukraine in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Ukraine, Worldwide.]



The most common category in Ukraine in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 51.6 percent of all computers with detections there, down from 54.3 percent in 3Q12. The second most common category in Ukraine in 4Q12 was Miscellaneous Trojans. It affected 43.5 percent of all computers with detections there, up from 38.9 percent in 3Q12. The third most common category in Ukraine in 4Q12 was Worms, which affected 20.6 percent of all computers with detections there, up from 17.2 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Ukraine in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.5% |
| 2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 10.7% |
| 3 | Win32/Pameseg | Misc. Potentially Unwanted Software | 10.5% |
| 4 | Win32/Dorkbot | Worms | 9.9% |
| 5 | JS/IframeRef | Misc. Trojans | 9.3% |
| 6 | Win32/Vundo | Misc. Trojans | 6.4% |
| 7 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 8 | JS/Redirector | Misc. Trojans | 4.6% |
| 9 | Win32/Webalta | Adware | 4.6% |
| 10 | Win32/Dynamer | Misc. Trojans | 4.0% |



The most common threat family in Ukraine in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Ukraine. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The second most common threat family in Ukraine in 4Q12 was Win32/Obfuscator, which affected 10.7 percent of computers with detections in Ukraine. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

The third most common threat family in Ukraine in 4Q12 was Win32/Pameseg, which affected 10.5 percent of computers with detections in Ukraine. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs.

The fourth most common threat family in Ukraine in 4Q12 was Win32/Dorkbot, which affected 9.9 percent of computers with detections in Ukraine. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ukraine

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 10.86 (5.41) | 13.11 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.82 (9.46) | 26.78 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.25 (0.56) | 0.78 (0.33) |


United Arab Emirates
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United Arab Emirates in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United Arab Emirates

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 16.1 | 14.6 | 11.9 | 11.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Arab Emirates and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 11.0 of every 1,000 computers scanned in the United Arab Emirates in 4Q12 (a CCM score of 11.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United Arab Emirates over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the United Arab Emirates and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, United Arab Emirates.]


Threat categories
[Figure: Malware and potentially unwanted software categories in the United Arab Emirates in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: United Arab Emirates, Worldwide.]



The most common category in the United Arab Emirates in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.0 percent of all computers with detections there, up from 29.6 percent in 3Q12. The second most common category in the United Arab Emirates in 4Q12 was Worms. It affected 34.5 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in the United Arab Emirates in 4Q12 was Miscellaneous Trojans, which affected 28.4 percent of all computers with detections there, up from 26.3 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the United Arab Emirates in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 15.7% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.0% |
| 3 | Win32/Sality | Viruses | 8.8% |
| 4 | Win32/Nuqel | Worms | 7.7% |
| 5 | Win32/Hotbar | Adware | 6.6% |
| 6 | Win32/Ramnit | Misc. Trojans | 5.0% |
| 7 | Win32/Vobfus | Worms | 4.7% |
| 8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.7% |
| 9 | Win32/Dorkbot | Worms | 4.7% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.1% |



The most common threat family in the United Arab Emirates in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in the United Arab Emirates. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

The second most common threat family in the United Arab Emirates in 4Q12 was Win32/Keygen, which affected 14.0 percent of computers with detections in the United Arab Emirates. Win32/Keygen is a generic detection for tools that generate product keys for various software products.

The third most common threat family in the United Arab Emirates in 4Q12 was Win32/Sality, which affected 8.8 percent of computers with detections in the United Arab Emirates. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The fourth most common threat family in the United Arab Emirates in 4Q12 was Win32/Nuqel, which affected 7.7 percent of computers with detections in the United Arab Emirates. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Arab Emirates

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.23 (5.41) | 2.47 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.54 (9.46) | 11.38 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.10 (0.56) | 0.09 (0.33) |


United Kingdom
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United Kingdom in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United Kingdom

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.9 | 3.2 | 3.0 | 2.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Kingdom and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in the United Kingdom in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United Kingdom over the last six quarters, compared to the world as a whole.
CCM infection trends in the United Kingdom and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, United Kingdom]


Threat categories
Malware and potentially unwanted software categories in the United Kingdom in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: United Kingdom, Worldwide]



The most common category in the United Kingdom in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, up from 25.3 percent in 3Q12. The second most common category in the United Kingdom in 4Q12 was Miscellaneous Trojans. It affected 29.8 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in the United Kingdom in 4Q12 was Adware, which affected 23.9 percent of all computers with detections there, down from 28.0 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the United Kingdom in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Pdfjsc | Exploits | 11.3% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.5% |
| 3 | Java/Blacole | Exploits | 10.2% |
| 4 | Win32/Hotbar | Adware | 9.8% |
| 5 | JS/IframeRef | Misc. Trojans | 8.0% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.5% |
| 7 | Win32/DealPly | Adware | 6.9% |
| 8 | Win32/Sirefef | Misc. Trojans | 6.1% |
| 9 | ASX/Wimad | Trojan Downloaders & Droppers | 4.4% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4% |



The most common threat family in the United Kingdom in 4Q12 was Win32/Pdfjsc, which affected 11.3 percent of computers with detections in the United Kingdom. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in the United Kingdom in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in the United Kingdom. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the United Kingdom in 4Q12 was Java/Blacole, which affected 10.2 percent of computers with detections in the United Kingdom. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United Kingdom in 4Q12 was Win32/Hotbar, which affected 9.8 percent of computers with detections in the United Kingdom. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Kingdom

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.20 (5.41) | 6.47 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.12 (9.46) | 7.89 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.23 (0.56) | 0.19 (0.33) |


United States
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United States in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United States

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.0 | 6.0 | 5.0 | 3.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United States and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.3 of every 1,000 computers scanned in the United States in 4Q12 (a CCM score of 3.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United States over the last six quarters, compared to the world as a whole.
CCM infection trends in the United States and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, United States]


Threat categories
Malware and potentially unwanted software categories in the United States in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: United States, Worldwide]



The most common category in the United States in 4Q12 was Miscellaneous Trojans. It affected 43.9 percent of all computers with detections there, down from 45.3 percent in 3Q12. The second most common category in the United States in 4Q12 was Exploits. It affected 23.0 percent of all computers with detections there, up from 16.4 percent in 3Q12. The third most common category in the United States in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 28.8 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in the United States in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | JS/IframeRef | Misc. Trojans | 13.8% |
| 2 | Win32/Sirefef | Misc. Trojans | 9.0% |
| 3 | Java/Blacole | Exploits | 8.8% |
| 4 | Win32/Pdfjsc | Exploits | 8.8% |
| 5 | Win32/Tracur | Misc. Trojans | 6.4% |
| 6 | Win32/Keygen | Misc. Potentially Unwanted Software | 5.6% |
| 7 | Win32/Hotbar | Adware | 5.0% |
| 8 | Win32/GameVance | Adware | 5.0% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.5% |
| 10 | Win32/Adkubru | Adware | 3.9% |



The most common threat family in the United States in 4Q12 was JS/IframeRef, which affected 13.8 percent of computers with detections in the United States. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The second most common threat family in the United States in 4Q12 was Win32/Sirefef, which affected 9.0 percent of computers with detections in the United States. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others. The third most common threat family in the United States in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in the United States. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United States in 4Q12 was Win32/Pdfjsc, which affected 8.8 percent of computers with detections in the United States. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United States

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.07 (5.41) | 5.56 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.68 (9.46) | 9.82 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.31 (0.33) |


Uruguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uruguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uruguay

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.3 | 4.0 | 3.9 | 3.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uruguay and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 3.1 of every 1,000 computers scanned in Uruguay in 4Q12 (a CCM score of 3.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Uruguay over the last six quarters, compared to the world as a whole.
CCM infection trends in Uruguay and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Uruguay]


Threat categories
Malware and potentially unwanted software categories in Uruguay in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Uruguay, Worldwide]



The most common category in Uruguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.5 percent of all computers with detections there, up from 34.7 percent in 3Q12. The second most common category in Uruguay in 4Q12 was Miscellaneous Trojans. It affected 21.8 percent of all computers with detections there, down from 24.7 percent in 3Q12. The third most common category in Uruguay in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 21.1 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Uruguay in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.3% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 8.2% |
| 3 | Win32/Dorkbot | Worms | 7.2% |
| 4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.1% |
| 5 | Win32/Conficker | Worms | 6.0% |
| 6 | Win32/DealPly | Adware | 5.2% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 5.0% |
| 8 | Win32/OpenCandy | Adware | 4.5% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.1% |
| 10 | JS/IframeRef | Misc. Trojans | 3.9% |



The most common threat family in Uruguay in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Uruguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Uruguay in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Uruguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Uruguay in 4Q12 was Win32/Dorkbot, which affected 7.2 percent of computers with detections in Uruguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The fourth most common threat family in Uruguay in 4Q12 was Win32/Obfuscator, which affected 6.1 percent of computers with detections in Uruguay. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uruguay

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.94 (5.41) | 1.73 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 9.54 (9.46) | 5.20 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |


Venezuela
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Venezuela in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Venezuela

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 7.0 | 6.0 | 5.8 | 5.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Venezuela and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 5.3 of every 1,000 computers scanned in Venezuela in 4Q12 (a CCM score of 5.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Venezuela over the last six quarters, compared to the world as a whole.
CCM infection trends in Venezuela and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Venezuela]


Threat categories
Malware and potentially unwanted software categories in Venezuela in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Venezuela, Worldwide]



The most common category in Venezuela in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 41.0 percent in 3Q12. The second most common category in Venezuela in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 37.8 percent in 3Q12. The third most common category in Venezuela in 4Q12 was Miscellaneous Trojans, which affected 24.0 percent of all computers with detections there, down from 25.3 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Venezuela in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 17.4% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.4% |
| 3 | Win32/Dorkbot | Worms | 15.2% |
| 4 | Win32/Conficker | Worms | 9.0% |
| 5 | Win32/Sality | Viruses | 8.5% |
| 6 | Win32/Vobfus | Worms | 7.3% |
| 7 | Win32/Nuqel | Worms | 6.7% |
| 8 | Win32/Lamin | Backdoors | 5.2% |
| 9 | Win32/Rimecud | Misc. Trojans | 4.8% |
| 10 | Win32/Silly_P2P | Trojan Downloaders & Droppers | 4.2% |



The most common threat family in Venezuela in 4Q12 was INF/Autorun, which affected 17.4 percent of computers with detections in Venezuela. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Venezuela in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Venezuela. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Venezuela in 4Q12 was Win32/Dorkbot, which affected 15.2 percent of computers with detections in Venezuela. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The fourth most common threat family in Venezuela in 4Q12 was Win32/Conficker, which affected 9.0 percent of computers with detections in Venezuela. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.

Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Venezuela

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.07 (5.41) | 4.07 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 25.15 (9.46) | 21.56 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.04 (0.33) |


Vietnam
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Vietnam in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Vietnam

| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 17.0 | 18.1 | 16.9 | 16.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |

See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Vietnam and around the world, and for explanations of the methods and terms used here.


Infection trends (CCM)
The MSRT detected malware on 16.9 of every 1,000 computers scanned in Vietnam in 4Q12 (a CCM score of 16.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Vietnam over the last six quarters, compared to the world as a whole.
CCM infection trends in Vietnam and worldwide

[Figure: computers cleaned per 1,000 scanned (CCM), 3Q11 through 4Q12; series: Worldwide, Vietnam]


Threat categories
Malware and potentially unwanted software categories in Vietnam in 4Q12, by percentage of computers reporting detections

[Figure: percent of computers reporting detections, by category; series: Vietnam, Worldwide]



The most common category in Vietnam in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 57.8 percent of all computers with detections there, up from 56.8 percent in 3Q12. The second most common category in Vietnam in 4Q12 was Miscellaneous Trojans. It affected 38.4 percent of all computers with detections there, up from 38.2 percent in 3Q12. The third most common category in Vietnam in 4Q12 was Worms, which affected 31.2 percent of all computers with detections there, up from 29.5 percent in 3Q12.






Threat families
The top 10 malware and potentially unwanted software families in Vietnam in 4Q12

| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 33.8% |
| 2 | Win32/Ramnit | Misc. Trojans | 24.2% |
| 3 | Win32/CplLnk | Exploits | 20.3% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 17.0% |
| 5 | Win32/Sality | Viruses | 15.4% |
| 6 | Win32/PossibleHostsFileHijack | Misc. Potentially Unwanted Software | 15.0% |
| 7 | Win32/Patch | Misc. Potentially Unwanted Software | 11.6% |
| 8 | Win32/Conficker | Worms | 9.0% |
| 9 | Win32/VB | Worms | 8.1% |
| 10 | Win32/Dorkbot | Worms | 5.9% |



The most common threat family in Vietnam in 4Q12 was Win32/Keygen, which affected 33.8 percent of computers with detections in Vietnam. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Vietnam in 4Q12 was Win32/Ramnit, which affected 24.2 percent of computers with detections in Vietnam. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The third most common threat family in Vietnam in 4Q12 was Win32/CplLnk, which affected 20.3 percent of computers with detections in Vietnam. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The fourth most common threat family in Vietnam in 4Q12 was INF/Autorun, which affected 17.0 percent of computers with detections in Vietnam. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.








Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Vietnam

| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 11.42 (5.41) | 7.76 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 20.32 (9.46) | 25.11 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.29 (0.56) | 0.52 (0.33) |


One Microsoft Way Redmond, WA 98052-6399 microsoft.com/security
