Microsoft Security Intelligence Report, Volume 14
July–December 2012
Table of Contents
Albania
Algeria
Angola
Argentina
Australia
Austria
Bahamas, The
Bahrain
Bangladesh
Belarus
Belgium
Bolivia
Brazil
Bulgaria
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
El Salvador
Estonia
Finland
France
Georgia
Germany
Greece
Guatemala
Honduras
Hong Kong S.A.R.
Hungary
Iceland
India
Indonesia
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jordan
Kazakhstan
Kenya
Korea
Kuwait
Latvia
Lebanon
Lithuania
Luxembourg
Macao S.A.R.
Malaysia
Malta
Mexico
Moldova
Morocco
Nepal
Netherlands
New Zealand
Nicaragua
Nigeria
Norway
Oman
Pakistan
Palestinian Authority
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia
Saudi Arabia
Senegal
Singapore
Slovakia
Slovenia
South Africa
Spain
Sri Lanka
Sweden
Switzerland
Syria
Taiwan
Tanzania
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States
Uruguay
Venezuela
Vietnam
Albania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Albania in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, with IP address geolocation used to determine country or region.
Infection rate statistics for Albania
Metric                                               1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    27.5   25.7   23.2   18.0
Worldwide average CCM                                 6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Albania and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 18.0 of every 1,000 computers scanned in Albania in 4Q12 (a CCM score of 18.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Albania over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Albania and worldwide; y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Albania]
Threat categories
[Figure: Malware and potentially unwanted software categories in Albania in 4Q12, by percentage of computers reporting detections; y-axis: percent of computers reporting detections; series: Albania, Worldwide]
The most common category in Albania in 4Q12 was Worms. It affected 48.1 percent of all computers with detections there, up from 47.8 percent in 3Q12. The second most common category in Albania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.2 percent of all computers with detections there, up from 38.8 percent in 3Q12. The third most common category in Albania in 4Q12 was Miscellaneous Trojans, which affected 23.9 percent of all computers with detections there, down from 24.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Albania in 4Q12
% of computers with detections 22.9% 17.4% 17.0% 15.3% 11.6% 8.9% 7.0% 5.2% 5.0% 3.9%
The most common threat family in Albania in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in Albania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Albania in 4Q12 was Win32/Sality, which affected 17.4 percent of computers with detections in Albania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Albania in 4Q12 was Win32/Helompy, which affected 17.0 percent of computers with detections in Albania. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services. The fourth most common threat family in Albania in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in Albania. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Albania
Metric                                               3Q12          4Q12
Phishing sites per 1,000 hosts (Worldwide)           N/A (5.41)    N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    N/A (9.46)    N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide)         N/A (0.56)    0.00 (0.33)
Algeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Algeria in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, with IP address geolocation used to determine country or region.
Infection rate statistics for Algeria
Metric                                               1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    20.1   19.0   16.4   17.9
Worldwide average CCM                                 6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Algeria and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 17.9 of every 1,000 computers scanned in Algeria in 4Q12 (a CCM score of 17.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Algeria over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Algeria and worldwide; y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Algeria]
Threat categories
[Figure: Malware and potentially unwanted software categories in Algeria in 4Q12, by percentage of computers reporting detections; y-axis: percent of computers reporting detections; series: Algeria, Worldwide]
The most common category in Algeria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.8 percent of all computers with detections there, up from 36.2 percent in 3Q12. The second most common category in Algeria in 4Q12 was Worms. It affected 41.0 percent of all computers with detections there, up from 34.8 percent in 3Q12. The third most common category in Algeria in 4Q12 was Miscellaneous Trojans, which affected 37.8 percent of all computers with detections there, up from 32.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Algeria in 4Q12
% of computers with detections 20.6% 20.3% 19.3% 17.2% 14.2% 12.5% 10.6% 6.1% 5.1% 4.9%
The most common threat family in Algeria in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Algeria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Algeria in 4Q12 was Win32/Ramnit, which affected 20.3 percent of computers with detections in Algeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The third most common threat family in Algeria in 4Q12 was INF/Autorun, which affected 19.3 percent of computers with detections in Algeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Algeria in 4Q12 was Win32/Sality, which affected 17.2 percent of computers with detections in Algeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Algeria
Metric                                               3Q12          4Q12
Phishing sites per 1,000 hosts (Worldwide)           3.55 (5.41)   9.94 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    8.52 (9.46)   14.91 (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.01 (0.56)   N/A (0.33)
Angola
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Angola in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, with IP address geolocation used to determine country or region.
Infection rate statistics for Angola
Metric                                               1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    15.0   14.8   12.9   10.6
Worldwide average CCM                                 6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Angola and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 10.6 of every 1,000 computers scanned in Angola in 4Q12 (a CCM score of 10.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Angola over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Angola and worldwide; y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Angola]
Threat categories
[Figure: Malware and potentially unwanted software categories in Angola in 4Q12, by percentage of computers reporting detections; y-axis: percent of computers reporting detections; series: Angola, Worldwide]
The most common category in Angola in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, down from 42.7 percent in 3Q12. The second most common category in Angola in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, down from 31.4 percent in 3Q12. The third most common category in Angola in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, down from 24.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Angola in 4Q12
% of computers with detections 24.7% 15.0% 13.0% 9.5% 7.5% 7.2% 6.7% 6.7% 6.2% 4.2%
The most common threat family in Angola in 4Q12 was Win32/Vobfus, which affected 24.7 percent of computers with detections in Angola. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Angola in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Angola. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Angola in 4Q12 was Win32/DealPly, which affected 13.0 percent of computers with detections in Angola. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Angola in 4Q12 was Win32/Ramnit, which affected 9.5 percent of computers with detections in Angola. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Angola
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | N/A (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | N/A (0.33)
Argentina
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Argentina in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Argentina
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 8.7 | 6.6
2Q12 | 7.2 | 7.0
3Q12 | 6.5 | 5.3
4Q12 | 5.7 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Argentina and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Argentina in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Argentina over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Argentina and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Argentina.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Argentina in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Argentina and Worldwide.]
The most common category in Argentina in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, down from 33.0 percent in 3Q12. The second most common category in Argentina in 4Q12 was Adware. It affected 31.3 percent of all computers with detections there, up from 18.0 percent in 3Q12. The third most common category in Argentina in 4Q12 was Worms, which affected 29.0 percent of all computers with detections there, down from 32.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Argentina in 4Q12
% of computers with detections 25.3% 14.7% 12.3% 8.5% 5.6% 3.9% 3.5% 3.3% 3.0% 2.9%
The most common threat family in Argentina in 4Q12 was Win32/DealPly, which affected 25.3 percent of computers with detections in Argentina. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Argentina in 4Q12 was Win32/Dorkbot, which affected 14.7 percent of computers with detections in Argentina. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Argentina in 4Q12 was Win32/Keygen, which affected 12.3 percent of computers with detections in Argentina. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Argentina in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Argentina. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Argentina
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 13.24 (5.41) | 17.72 (9.46) | 0.35 (0.56)
4Q12 | 9.40 (5.10) | 16.30 (10.85) | 0.32 (0.33)
Australia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Australia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Australia
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 4.0 | 6.6
2Q12 | 2.9 | 7.0
3Q12 | 3.8 | 5.3
4Q12 | 3.2 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Australia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in Australia in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Australia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Australia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Australia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Australia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Australia and Worldwide.]
The most common category in Australia in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, down from 35.4 percent in 3Q12. The second most common category in Australia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.0 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Australia in 4Q12 was Exploits, which affected 18.7 percent of all computers with detections there, up from 15.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Australia in 4Q12
% of computers with detections 12.0% 7.7% 7.3% 7.3% 6.8% 5.9% 5.8% 5.6% 4.2% 4.2%
The most common threat family in Australia in 4Q12 was Win32/Keygen, which affected 12.0 percent of computers with detections in Australia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Australia in 4Q12 was Win32/Pdfjsc, which affected 7.7 percent of computers with detections in Australia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Australia in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Australia. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Australia in 4Q12 was Win32/Sirefef, which affected 7.3 percent of computers with detections in Australia. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Australia
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 10.30 (5.41) | 10.91 (9.46) | 0.26 (0.56)
4Q12 | 9.05 (5.10) | 10.99 (10.85) | 0.14 (0.33)
Austria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Austria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Austria
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 2.8 | 6.6
2Q12 | 2.8 | 7.0
3Q12 | 2.3 | 5.3
4Q12 | 2.0 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Austria and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.0 of every 1,000 computers scanned in Austria in 4Q12 (a CCM score of 2.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Austria over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Austria and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Austria.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Austria in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Austria and Worldwide.]
The most common category in Austria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.9 percent of all computers with detections there, up from 26.8 percent in 3Q12. The second most common category in Austria in 4Q12 was Miscellaneous Trojans. It affected 27.7 percent of all computers with detections there, down from 30.6 percent in 3Q12. The third most common category in Austria in 4Q12 was Exploits, which affected 25.0 percent of all computers with detections there, up from 19.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Austria in 4Q12
% of computers with detections 14.1% 13.5% 13.4% 10.7% 6.8% 5.2% 3.9% 3.2% 2.9% 2.7%
The most common threat family in Austria in 4Q12 was Win32/Pdfjsc, which affected 14.1 percent of computers with detections in Austria. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Austria in 4Q12 was Win32/DealPly, which affected 13.5 percent of computers with detections in Austria. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Austria in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Austria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Austria in 4Q12 was Java/Blacole, which affected 10.7 percent of computers with detections in Austria. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Austria
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 3.08 (5.41) | 5.52 (9.46) | 0.16 (0.56)
4Q12 | 2.61 (5.10) | 5.64 (10.85) | 0.08 (0.33)
Bahamas, The
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Bahamas in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Bahamas
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 11.6 | 6.6
2Q12 | 10.4 | 7.0
3Q12 | 8.6 | 5.3
4Q12 | 9.2 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Bahamas and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 9.2 of every 1,000 computers scanned in the Bahamas in 4Q12 (a CCM score of 9.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Bahamas over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the Bahamas and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Bahamas, The.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the Bahamas in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Bahamas, The and Worldwide.]
The most common category in the Bahamas in 4Q12 was Worms. It affected 34.7 percent of all computers with detections there, up from 31.9 percent in 3Q12. The second most common category in the Bahamas in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in the Bahamas in 4Q12 was Adware, which affected 26.7 percent of all computers with detections there, down from 31.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Bahamas in 4Q12
% of computers with detections 17.8% 15.3% 12.2% 9.6% 8.7% 6.9% 6.9% 6.1% 4.3% 4.2%
The most common threat family in the Bahamas in 4Q12 was Win32/Hotbar, which affected 17.8 percent of computers with detections in the Bahamas. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The second most common threat family in the Bahamas in 4Q12 was Win32/Zwangi, which affected 15.3 percent of computers with detections in the Bahamas. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The third most common threat family in the Bahamas in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in the Bahamas. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in the Bahamas in 4Q12 was Win32/Vobfus, which affected 9.6 percent of computers with detections in the Bahamas. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Bahamas
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | 0.30 (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | 0.03 (0.33)
Bahrain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bahrain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bahrain
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 15.4 | 6.6
2Q12 | 14.7 | 7.0
3Q12 | 12.3 | 5.3
4Q12 | 12.6 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bahrain and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.6 of every 1,000 computers scanned in Bahrain in 4Q12 (a CCM score of 12.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bahrain over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Bahrain and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Bahrain.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bahrain in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Bahrain and Worldwide.]
The most common category in Bahrain in 4Q12 was Worms. It affected 43.7 percent of all computers with detections there, up from 33.4 percent in 3Q12. The second most common category in Bahrain in 4Q12 was Miscellaneous Trojans. It affected 34.9 percent of all computers with detections there, up from 27.6 percent in 3Q12. The third most common category in Bahrain in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.6 percent of all computers with detections there, up from 27.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bahrain in 4Q12
% of computers with detections 15.9% 15.5% 15.4% 11.9% 7.8% 7.5% 6.0% 5.9% 5.5% 5.4%
The most common threat family in Bahrain in 4Q12 was Win32/Nuqel, which affected 15.9 percent of computers with detections in Bahrain. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions. The second most common threat family in Bahrain in 4Q12 was INF/Autorun, which affected 15.5 percent of computers with detections in Bahrain. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Bahrain in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Bahrain. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Bahrain in 4Q12 was Win32/Dorkbot, which affected 11.9 percent of computers with detections in Bahrain. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bahrain
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | N/A (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | N/A (0.33)
Bangladesh
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bangladesh in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bangladesh
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 15.6 | 6.6
2Q12 | 15.1 | 7.0
3Q12 | 14.4 | 5.3
4Q12 | 12.9 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bangladesh and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.9 of every 1,000 computers scanned in Bangladesh in 4Q12 (a CCM score of 12.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bangladesh over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Bangladesh and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Bangladesh.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bangladesh in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Bangladesh and Worldwide.]
The most common category in Bangladesh in 4Q12 was Miscellaneous Trojans. It affected 49.1 percent of all computers with detections there, up from 47.9 percent in 3Q12. The second most common category in Bangladesh in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.9 percent of all computers with detections there, up from 40.2 percent in 3Q12. The third most common category in Bangladesh in 4Q12 was Viruses, which affected 38.2 percent of all computers with detections there, down from 38.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bangladesh in 4Q12
% of computers with detections 39.0% 25.3% 25.1% 25.0% 16.8% 9.4% 8.4% 7.4% 5.7% 4.9%
The most common threat family in Bangladesh in 4Q12 was Win32/Ramnit, which affected 39.0 percent of computers with detections in Bangladesh. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Bangladesh in 4Q12 was Win32/CplLnk, which affected 25.3 percent of computers with detections in Bangladesh. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The third most common threat family in Bangladesh in 4Q12 was INF/Autorun, which affected 25.1 percent of computers with detections in Bangladesh. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Bangladesh in 4Q12 was Win32/Keygen, which affected 25.0 percent of computers with detections in Bangladesh. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bangladesh
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.01 (0.56) | 0.94 (0.33) |
July–December 2012
Belarus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belarus in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belarus
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.4 | 7.2 | 6.5 | 5.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belarus and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.2 of every 1,000 computers scanned in Belarus in 4Q12 (a CCM score of 5.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Belarus over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Belarus and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Belarus.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Belarus in 4Q12, by percentage of computers reporting detections. Series: Belarus, Worldwide.]
The most common category in Belarus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.5 percent of all computers with detections there, down from 53.9 percent in 3Q12. The second most common category in Belarus in 4Q12 was Miscellaneous Trojans. It affected 39.1 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Belarus in 4Q12 was Worms, which affected 18.5 percent of all computers with detections there, up from 15.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Belarus in 4Q12
% of computers with detections 23.2% 12.9% 10.9% 8.8% 5.9% 5.4% 4.7% 4.4% 4.3% 3.6%
The most common threat family in Belarus in 4Q12 was Win32/Keygen, which affected 23.2 percent of computers with detections in Belarus. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Belarus in 4Q12 was Win32/Pameseg, which affected 12.9 percent of computers with detections in Belarus. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Belarus in 4Q12 was Win32/Dorkbot, which affected 10.9 percent of computers with detections in Belarus. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The fourth most common threat family in Belarus in 4Q12 was Win32/Obfuscator, which affected 8.8 percent of computers with detections in Belarus. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belarus
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 11.01 (5.41) | 13.38 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.62 (9.46) | 13.77 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 3.67 (0.56) | 1.31 (0.33) |
Belgium
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belgium in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belgium
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.7 | 4.1 | 3.0 | 2.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belgium and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.1 of every 1,000 computers scanned in Belgium in 4Q12 (a CCM score of 2.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Belgium over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Belgium and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Belgium.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Belgium in 4Q12, by percentage of computers reporting detections. Series: Belgium, Worldwide.]
The most common category in Belgium in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.4 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Belgium in 4Q12 was Adware. It affected 30.1 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Belgium in 4Q12 was Miscellaneous Trojans, which affected 28.2 percent of all computers with detections there, down from 30.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Belgium in 4Q12
% of computers with detections 16.5% 13.8% 11.5% 9.2% 7.8% 7.3% 6.7% 6.3% 5.9% 3.7%
The most common threat family in Belgium in 4Q12 was Win32/DealPly, which affected 16.5 percent of computers with detections in Belgium. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Belgium in 4Q12 was Win32/Pdfjsc, which affected 13.8 percent of computers with detections in Belgium. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Belgium in 4Q12 was Win32/Keygen, which affected 11.5 percent of computers with detections in Belgium. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Belgium in 4Q12 was Java/Blacole, which affected 9.2 percent of computers with detections in Belgium. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belgium
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 3.04 (5.41) | 2.64 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 4.32 (9.46) | 4.39 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.14 (0.56) | 0.13 (0.33) |
Bolivia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bolivia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bolivia
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.7 | 10.7 | 9.4 | 9.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bolivia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 9.4 of every 1,000 computers scanned in Bolivia in 4Q12 (a CCM score of 9.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bolivia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Bolivia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Bolivia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bolivia in 4Q12, by percentage of computers reporting detections. Series: Bolivia, Worldwide.]
The most common category in Bolivia in 4Q12 was Worms. It affected 48.3 percent of all computers with detections there, up from 44.8 percent in 3Q12. The second most common category in Bolivia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.5 percent of all computers with detections there, up from 37.1 percent in 3Q12. The third most common category in Bolivia in 4Q12 was Miscellaneous Trojans, which affected 26.4 percent of all computers with detections there, down from 28.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bolivia in 4Q12
% of computers with detections 19.9% 18.3% 15.1% 14.2% 13.8% 13.5% 5.3% 5.0% 4.1% 3.6%
The most common threat family in Bolivia in 4Q12 was Win32/Dorkbot, which affected 19.9 percent of computers with detections in Bolivia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Bolivia in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Bolivia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Bolivia in 4Q12 was Win32/Sohanad, which affected 15.1 percent of computers with detections in Bolivia. Win32/Sohanad is a family of worms that may spread via removable or network drives and particular messenger applications. It may also modify a number of system settings and contact a remote host. The fourth most common threat family in Bolivia in 4Q12 was INF/Autorun, which affected 14.2 percent of computers with detections in Bolivia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bolivia
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.02 (0.33) |
Brazil
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Brazil in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Brazil
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 13.3 | 10.1 | 9.0 | 7.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Brazil and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Brazil in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Brazil over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Brazil and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Brazil.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Brazil in 4Q12, by percentage of computers reporting detections. Series: Brazil, Worldwide.]
The most common category in Brazil in 4Q12 was Adware. It affected 40.8 percent of all computers with detections there, up from 17.4 percent in 3Q12. The second most common category in Brazil in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.0 percent of all computers with detections there, down from 40.5 percent in 3Q12. The third most common category in Brazil in 4Q12 was Miscellaneous Trojans, which affected 17.1 percent of all computers with detections there, down from 23.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Brazil in 4Q12
% of computers with detections 36.6% 13.0% 8.2% 7.1% 6.0% 5.8% 4.6% 4.4% 4.1% 3.8%
The most common threat family in Brazil in 4Q12 was Win32/DealPly, which affected 36.6 percent of computers with detections in Brazil. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Brazil in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Brazil. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Brazil in 4Q12 was Win32/Banload, which affected 8.2 percent of computers with detections in Brazil. Win32/Banload is a family of trojans that download other malware. Banload usually downloads Win32/Banker, which steals banking credentials and other sensitive data and sends it back to a remote attacker. The fourth most common threat family in Brazil in 4Q12 was INF/Autorun, which affected 7.1 percent of computers with detections in Brazil. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Brazil
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 13.11 (5.41) | 12.59 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 36.24 (9.46) | 31.97 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.18 (0.56) | 0.13 (0.33) |
Bulgaria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bulgaria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bulgaria
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.0 | 8.0 | 6.9 | 7.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bulgaria and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.6 of every 1,000 computers scanned in Bulgaria in 4Q12 (a CCM score of 7.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Bulgaria over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Bulgaria and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Bulgaria.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bulgaria in 4Q12, by percentage of computers reporting detections. Series: Bulgaria, Worldwide.]
The most common category in Bulgaria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 42.4 percent in 3Q12. The second most common category in Bulgaria in 4Q12 was Miscellaneous Trojans. It affected 35.4 percent of all computers with detections there, up from 30.8 percent in 3Q12. The third most common category in Bulgaria in 4Q12 was Worms, which affected 26.0 percent of all computers with detections there, up from 19.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bulgaria in 4Q12
% of computers with detections 26.2% 6.7% 6.6% 5.8% 5.8% 5.4% 4.9% 4.6% 3.6% 3.6%
The most common threat family in Bulgaria in 4Q12 was Win32/Keygen, which affected 26.2 percent of computers with detections in Bulgaria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Bulgaria in 4Q12 was Win32/Obfuscator, which affected 6.7 percent of computers with detections in Bulgaria. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Bulgaria in 4Q12 was INF/Autorun, which affected 6.6 percent of computers with detections in Bulgaria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Bulgaria in 4Q12 was Win32/Phorpiex, which affected 5.8 percent of computers with detections in Bulgaria. Win32/Phorpiex is a family of worms that spread via removable drives and instant messaging software. The worms also allow backdoor access and control.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bulgaria
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 8.15 (5.41) | 8.89 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.95 (9.46) | 8.57 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.93 (0.56) | 0.45 (0.33) |
Canada
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Canada in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Canada
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.8 | 2.7 | 2.7 | 2.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Canada and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Canada in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Canada over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Canada and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 to 4Q12; series: Worldwide, Canada.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Canada in 4Q12, by percentage of computers reporting detections. Series: Canada, Worldwide.]
The most common category in Canada in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Canada in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.0 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Canada in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, down from 27.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Canada in 4Q12
% of computers with detections 10.7% 10.0% 8.8% 8.7% 7.6% 6.7% 6.6% 6.4% 6.2% 3.6%
The most common threat family in Canada in 4Q12 was JS/IframeRef, which affected 10.7 percent of computers with detections in Canada. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The second most common threat family in Canada in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Canada. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Canada in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in Canada. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Canada in 4Q12 was Win32/Sirefef, which affected 8.7 percent of computers with detections in Canada. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Canada
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.79 (5.41) | 5.23 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 8.20 (9.46) | 7.99 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.39 (0.56) | 0.31 (0.33)
July–December 2012
Chile
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Chile in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Chile
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 13.7 | 9.4 | 7.1 | 5.6
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Chile and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.6 of every 1,000 computers scanned in Chile in 4Q12 (a CCM score of 5.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Chile over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Chile and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, Chile.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Chile in 4Q12, by percentage of computers reporting detections. Series: Chile, Worldwide.]
The most common category in Chile in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.2 percent of all computers with detections there, up from 33.1 percent in 3Q12. The second most common category in Chile in 4Q12 was Worms. It affected 36.6 percent of all computers with detections there, up from 33.8 percent in 3Q12. The third most common category in Chile in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 21.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Chile in 4Q12
% of computers with detections 21.4% 15.9% 8.6% 5.4% 4.6% 3.7% 3.5% 3.4% 3.4% 3.4%
The most common threat family in Chile in 4Q12 was Win32/Dorkbot, which affected 21.4 percent of computers with detections in Chile. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Chile in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Chile. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Chile in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Chile. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Chile in 4Q12 was Win32/Conficker, which affected 5.4 percent of computers with detections in Chile. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several
important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Chile
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 11.09 (5.41) | 9.75 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 15.65 (9.46) | 10.38 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.53 (0.56) | 0.28 (0.33)
China
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in China in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for China
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 0.8 | 0.6 | 0.6 | 0.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in China and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 0.7 of every 1,000 computers scanned in China in 4Q12 (a CCM score of 0.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for China over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in China and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, China.]
Threat categories
[Figure: Malware and potentially unwanted software categories in China in 4Q12, by percentage of computers reporting detections. Series: China, Worldwide.]
The most common category in China in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.0 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in China in 4Q12 was Miscellaneous Trojans. It affected 32.1 percent of all computers with detections there, up from 28.4 percent in 3Q12. The third most common category in China in 4Q12 was Viruses, which affected 15.2 percent of all computers with detections there, up from 13.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in China in 4Q12
% of computers with detections 20.2% 12.5% 6.8% 6.6% 4.8% 4.6% 4.5% 4.3% 3.5% 3.5%
The most common threat family in China in 4Q12 was Win32/Keygen, which affected 20.2 percent of computers with detections in China. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in China in 4Q12 was Win32/BaiduSobar, which affected 12.5 percent of computers with detections in China. Win32/BaiduSobar is a Chinese-language web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page. The third most common threat family in China in 4Q12 was Win32/PossibleHostsFileHijack, which affected 6.8 percent of computers with detections in China. Win32/PossibleHostsFileHijack is an indicator that the computer’s HOSTS file may have been modified by malicious or potentially unwanted software, which can cause access to certain Internet domains and websites to be redirected or denied. The fourth most common threat family in China in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in China. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods,
including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for China
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 2.88 (5.41) | 3.43 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 25.14 (9.46) | 25.09 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.15 (0.56) | 0.17 (0.33)
Colombia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Colombia in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Colombia
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 8.3 | 7.2 | 7.1 | 5.8
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Colombia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.8 of every 1,000 computers scanned in Colombia in 4Q12 (a CCM score of 5.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Colombia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Colombia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, Colombia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Colombia in 4Q12, by percentage of computers reporting detections. Series: Colombia, Worldwide.]
The most common category in Colombia in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, up from 40.7 percent in 3Q12. The second most common category in Colombia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.6 percent of all computers with detections there, up from 37.5 percent in 3Q12. The third most common category in Colombia in 4Q12 was Miscellaneous Trojans, which affected 21.9 percent of all computers with detections there, down from 24.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Colombia in 4Q12
% of computers with detections 21.5% 18.0% 15.7% 8.3% 6.5% 5.2% 4.3% 4.2% 3.9% 3.8%
The most common threat family in Colombia in 4Q12 was Win32/Dorkbot, which affected 21.5 percent of computers with detections in Colombia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Colombia in 4Q12 was Win32/Keygen, which affected 18.0 percent of computers with detections in Colombia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Colombia in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in Colombia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Colombia in 4Q12 was Win32/Conficker, which affected 8.3 percent of computers with detections in Colombia. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables
several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Colombia
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 11.90 (5.41) | 8.42 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 10.97 (9.46) | 11.50 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.72 (0.56) | 0.01 (0.33)
Costa Rica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Costa Rica in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Costa Rica
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 5.8 | 4.3 | 4.0 | 3.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Costa Rica and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.7 of every 1,000 computers scanned in Costa Rica in 4Q12 (a CCM score of 3.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Costa Rica over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Costa Rica and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, Costa Rica.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Costa Rica in 4Q12, by percentage of computers reporting detections. Series: Costa Rica, Worldwide.]
The most common category in Costa Rica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Costa Rica in 4Q12 was Worms. It affected 27.3 percent of all computers with detections there, down from 28.1 percent in 3Q12. The third most common category in Costa Rica in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, up from 22.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Costa Rica in 4Q12
% of computers with detections 21.7% 13.7% 8.5% 5.2% 4.5% 4.4% 3.9% 3.6% 3.3% 3.1%
The most common threat family in Costa Rica in 4Q12 was Win32/Keygen, which affected 21.7 percent of computers with detections in Costa Rica. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Costa Rica in 4Q12 was Win32/Dorkbot, which affected 13.7 percent of computers with detections in Costa Rica. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Costa Rica in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Costa Rica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Costa Rica in 4Q12 was Win32/OpenCandy, which affected 5.2 percent of computers with detections in Costa Rica. Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions may send user-specific information, including a unique machine
code, operating system information, locale, and certain other information to a remote server without obtaining adequate user consent.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Costa Rica
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.70 (5.41) | 2.59 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 5.19 (9.46) | 6.67 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.86 (0.56) | 1.08 (0.33)
Croatia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Croatia in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Croatia
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 9.3 | 8.0 | 7.4 | 7.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Croatia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Croatia in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Croatia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Croatia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, Croatia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Croatia in 4Q12, by percentage of computers reporting detections. Series: Croatia, Worldwide.]
The most common category in Croatia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.7 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Croatia in 4Q12 was Miscellaneous Trojans. It affected 29.3 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Croatia in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, down from 24.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Croatia in 4Q12
% of computers with detections 19.2% 7.4% 6.7% 6.6% 4.9% 4.8% 4.5% 4.4% 4.2% 3.8%
The most common threat family in Croatia in 4Q12 was Win32/Keygen, which affected 19.2 percent of computers with detections in Croatia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Croatia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Croatia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Croatia in 4Q12 was INF/Autorun, which affected 6.7 percent of computers with detections in Croatia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Croatia in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in Croatia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Croatia
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 5.07 (5.41) | 3.47 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 5.33 (9.46) | 11.20 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.21 (0.56) | 0.19 (0.33)
Cyprus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Cyprus in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft; IP address geolocation is used to determine country or region.
Infection rate statistics for Cyprus
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 7.3 | 6.3 | 5.3 | 5.4
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Cyprus and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.4 of every 1,000 computers scanned in Cyprus in 4Q12 (a CCM score of 5.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Cyprus over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Cyprus and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 through 4Q12; series: Worldwide, Cyprus.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Cyprus in 4Q12, by percentage of computers reporting detections. Series: Cyprus, Worldwide.]
The most common category in Cyprus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 34.1 percent in 3Q12. The second most common category in Cyprus in 4Q12 was Worms. It affected 22.8 percent of all computers with detections there, up from 19.3 percent in 3Q12. The third most common category in Cyprus in 4Q12 was Miscellaneous Trojans, which affected 22.5 percent of all computers with detections there, up from 21.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Cyprus in 4Q12
% of computers with detections 16.8% 9.2% 8.6% 7.5% 4.8% 4.5% 4.3% 4.1% 3.8% 3.7%
The most common threat family in Cyprus in 4Q12 was Win32/Keygen, which affected 16.8 percent of computers with detections in Cyprus. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Cyprus in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Cyprus. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Cyprus in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Cyprus. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Cyprus in 4Q12 was Win32/Zwangi, which affected 7.5 percent of computers with detections in Cyprus. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
Microsoft Security Intelligence Report, Volume 14
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Cyprus
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 14.04 (5.41) | 15.16 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 20.21 (9.46) | 15.72 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 6.20 (0.56) | 1.87 (0.33) |
Czech Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Czech Republic in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Czech Republic
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 2.1 | 1.8 | 2.1 | 1.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Czech Republic and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in the Czech Republic in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Czech Republic over the last six quarters, compared to the world as a whole.
CCM infection trends in the Czech Republic and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, Czech Republic.]
Threat categories
Malware and potentially unwanted software categories in the Czech Republic in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: Czech Republic, Worldwide.]
The most common category in the Czech Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.1 percent in 3Q12. The second most common category in the Czech Republic in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, up from 29.9 percent in 3Q12. The third most common category in the Czech Republic in 4Q12 was Exploits, which affected 16.4 percent of all computers with detections there, up from 7.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Czech Republic in 4Q12
% of computers with detections 23.7% 11.3% 8.3% 7.9% 6.0% 5.2% 4.8% 2.9% 2.9% 2.8%
The most common threat family in the Czech Republic in 4Q12 was Win32/Keygen, which affected 23.7 percent of computers with detections in the Czech Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in the Czech Republic in 4Q12 was JS/IframeRef, which affected 11.3 percent of computers with detections in the Czech Republic. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in the Czech Republic in 4Q12 was Win32/Pdfjsc, which affected 8.3 percent of computers with detections in the Czech Republic. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in the Czech Republic in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in the Czech Republic. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Czech Republic
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 3.55 (5.41) | 3.92 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.98 (9.46) | 6.68 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.56 (0.56) | 0.50 (0.33) |
Denmark
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Denmark in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Denmark
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.5 | 1.7 | 1.7 | 1.5 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Denmark and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.5 of every 1,000 computers scanned in Denmark in 4Q12 (a CCM score of 1.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Denmark over the last six quarters, compared to the world as a whole.
CCM infection trends in Denmark and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, Denmark.]
Threat categories
Malware and potentially unwanted software categories in Denmark in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: Denmark, Worldwide.]
The most common category in Denmark in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.2 percent of all computers with detections there, up from 30.3 percent in 3Q12. The second most common category in Denmark in 4Q12 was Miscellaneous Trojans. It affected 30.4 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in Denmark in 4Q12 was Adware, which affected 24.9 percent of all computers with detections there, down from 29.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Denmark in 4Q12
% of computers with detections 14.8% 11.8% 7.9% 7.9% 7.8% 7.8% 5.0% 4.8% 4.3% 3.2%
The most common threat family in Denmark in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in Denmark. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Denmark in 4Q12 was Win32/DealPly, which affected 11.8 percent of computers with detections in Denmark. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Denmark in 4Q12 was JS/IframeRef, which affected 7.9 percent of computers with detections in Denmark. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Denmark in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Denmark. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Denmark
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 6.51 (5.41) | 5.98 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.27 (9.46) | 6.01 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.55 (0.56) | 0.38 (0.33) |
Dominican Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Dominican Republic in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Dominican Republic
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.2 | 13.8 | 13.1 | 12.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Dominican Republic and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.4 of every 1,000 computers scanned in the Dominican Republic in 4Q12 (a CCM score of 12.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Dominican Republic over the last six quarters, compared to the world as a whole.
CCM infection trends in the Dominican Republic and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, Dominican Republic.]
Threat categories
Malware and potentially unwanted software categories in the Dominican Republic in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: Dominican Republic.]
The most common category in the Dominican Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.5 percent of all computers with detections there, up from 38.4 percent in 3Q12. The second most common category in the Dominican Republic in 4Q12 was Worms. It affected 40.5 percent of all computers with detections there, up from 39.6 percent in 3Q12. The third most common category in the Dominican Republic in 4Q12 was Miscellaneous Trojans, which affected 26.2 percent of all computers with detections there, down from 27.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Dominican Republic in 4Q12
% of computers with detections 24.0% 22.1% 14.1% 10.6% 8.2% 7.6% 6.1% 4.8% 4.6% 4.4%
The most common threat family in the Dominican Republic in 4Q12 was Win32/Sality, which affected 24.0 percent of computers with detections in the Dominican Republic. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in the Dominican Republic in 4Q12 was INF/Autorun, which affected 22.1 percent of computers with detections in the Dominican Republic. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in the Dominican Republic in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in the Dominican Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in the Dominican Republic in 4Q12 was Win32/Dorkbot, which affected 10.6 percent of computers with detections in the Dominican Republic. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Dominican Republic
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.16 (0.56) | 0.04 (0.33) |
Ecuador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ecuador in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ecuador
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.3 | 11.1 | 9.8 | 8.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ecuador and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 8.7 of every 1,000 computers scanned in Ecuador in 4Q12 (a CCM score of 8.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ecuador over the last six quarters, compared to the world as a whole.
CCM infection trends in Ecuador and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, Ecuador.]
Threat categories
Malware and potentially unwanted software categories in Ecuador in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: Ecuador, Worldwide.]
The most common category in Ecuador in 4Q12 was Worms. It affected 48.0 percent of all computers with detections there, up from 47.3 percent in 3Q12. The second most common category in Ecuador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.2 percent of all computers with detections there, up from 36.9 percent in 3Q12. The third most common category in Ecuador in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 26.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ecuador in 4Q12
% of computers with detections 26.3% 17.8% 14.2% 13.0% 6.1% 5.6% 5.3% 4.5% 4.3% 4.2%
The most common threat family in Ecuador in 4Q12 was Win32/Dorkbot, which affected 26.3 percent of computers with detections in Ecuador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Ecuador in 4Q12 was Win32/Keygen, which affected 17.8 percent of computers with detections in Ecuador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ecuador in 4Q12 was Win32/Vobfus, which affected 14.2 percent of computers with detections in Ecuador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Ecuador in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Ecuador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ecuador
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 5.86 (5.41) | 5.37 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.30 (9.46) | 11.72 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.11 (0.33) |
Egypt
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Egypt in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Egypt
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 24.7 | 23.4 | 20.1 | 22.3 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Egypt and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 22.3 of every 1,000 computers scanned in Egypt in 4Q12 (a CCM score of 22.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Egypt over the last six quarters, compared to the world as a whole.
CCM infection trends in Egypt and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, Egypt.]
Threat categories
Malware and potentially unwanted software categories in Egypt in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: Egypt, Worldwide.]
The most common category in Egypt in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Egypt in 4Q12 was Worms. It affected 37.2 percent of all computers with detections there, up from 29.8 percent in 3Q12. The third most common category in Egypt in 4Q12 was Viruses, which affected 35.7 percent of all computers with detections there, up from 31.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Egypt in 4Q12
% of computers with detections 29.3% 26.6% 21.7% 9.5% 8.7% 7.4% 6.0% 5.9% 5.5% 5.0%
The most common threat family in Egypt in 4Q12 was Win32/Sality, which affected 29.3 percent of computers with detections in Egypt. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in Egypt in 4Q12 was Win32/Keygen, which affected 26.6 percent of computers with detections in Egypt. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Egypt in 4Q12 was INF/Autorun, which affected 21.7 percent of computers with detections in Egypt. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Egypt in 4Q12 was Win32/Dorkbot, which affected 9.5 percent of computers with detections in Egypt. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Egypt
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 7.61 (5.41) | 4.61 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 15.83 (9.46) | 14.82 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.00 (0.33) |
El Salvador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in El Salvador in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for El Salvador
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.8 | 6.1 | 5.9 | 5.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in El Salvador and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.4 of every 1,000 computers scanned in El Salvador in 4Q12 (a CCM score of 5.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for El Salvador over the last six quarters, compared to the world as a whole.
CCM infection trends in El Salvador and worldwide
[Figure omitted. Y-axis: Computers cleaned per 1,000 scanned (CCM). X-axis: 3Q11 to 4Q12. Series: Worldwide, El Salvador.]
Threat categories
Malware and potentially unwanted software categories in El Salvador in 4Q12, by percentage of computers reporting detections
[Figure omitted. Axis: Percent of computers reporting detections. Series: El Salvador, Worldwide.]
The most common category in El Salvador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.7 percent of all computers with detections there, up from 39.6 percent in 3Q12. The second most common category in El Salvador in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 39.7 percent in 3Q12. The third most common category in El Salvador in 4Q12 was Miscellaneous Trojans, which affected 22.2 percent of all computers with detections there, down from 23.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in El Salvador in 4Q12
% of computers with detections: 21.0%, 20.1%, 13.7%, 8.9%, 5.2%, 5.1%, 4.7%, 4.7%, 4.5%, 3.5%
The most common threat family in El Salvador in 4Q12 was Win32/Keygen, which affected 21.0 percent of computers with detections in El Salvador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in El Salvador in 4Q12 was Win32/Dorkbot, which affected 20.1 percent of computers with detections in El Salvador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in El Salvador in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in El Salvador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in El Salvador in 4Q12 was Win32/Vobfus, which affected 8.9 percent of computers with detections in El Salvador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for El Salvador
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.15 (0.56) | 0.19 (0.33)
Estonia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Estonia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Estonia
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.6 | 3.0 | 2.4 | 2.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Estonia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in Estonia in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Estonia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Estonia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Estonia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Estonia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Estonia and Worldwide.]
The most common category in Estonia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.4 percent of all computers with detections there, up from 43.2 percent in 3Q12. The second most common category in Estonia in 4Q12 was Miscellaneous Trojans. It affected 27.4 percent of all computers with detections there, up from 24.7 percent in 3Q12. The third most common category in Estonia in 4Q12 was Adware, which affected 19.0 percent of all computers with detections there, down from 26.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Estonia in 4Q12
% of computers with detections: 22.7%, 8.4%, 7.4%, 7.0%, 5.9%, 4.3%, 3.5%, 3.4%, 3.3%, 3.2%
The most common threat family in Estonia in 4Q12 was Win32/Keygen, which affected 22.7 percent of computers with detections in Estonia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Estonia in 4Q12 was Win32/Obfuscator, which affected 8.4 percent of computers with detections in Estonia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Estonia in 4Q12 was Win32/Hotbar, which affected 7.4 percent of computers with detections in Estonia. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in Estonia in 4Q12 was JS/IframeRef, which affected 7.0 percent of computers with detections in Estonia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Estonia
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.53 (5.41) | 5.30 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 5.70 (9.46) | 5.70 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.44 (0.56) | 0.22 (0.33)
Finland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Finland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Finland
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 1.1 | 1.1 | 1.4 | 0.8
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Finland and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 0.8 of every 1,000 computers scanned in Finland in 4Q12 (a CCM score of 0.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Finland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Finland and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Finland.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Finland in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Finland and Worldwide.]
The most common category in Finland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.3 percent of all computers with detections there, up from 28.8 percent in 3Q12. The second most common category in Finland in 4Q12 was Miscellaneous Trojans. It affected 26.6 percent of all computers with detections there, up from 24.3 percent in 3Q12. The third most common category in Finland in 4Q12 was Exploits, which affected 24.6 percent of all computers with detections there, up from 18.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Finland in 4Q12
% of computers with detections: 13.4%, 10.9%, 10.5%, 8.3%, 7.6%, 6.4%, 5.9%, 5.8%, 4.8%, 3.6%
The most common threat family in Finland in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Finland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Finland in 4Q12 was Win32/Pdfjsc, which affected 10.9 percent of computers with detections in Finland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Finland in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in Finland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Finland in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Finland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Finland
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 1.85 (5.41) | 1.85 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 4.56 (9.46) | 3.88 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.19 (0.56) | 0.03 (0.33)
France
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in France in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for France
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.2 | 2.9 | 2.2 | 1.9
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in France and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.9 of every 1,000 computers scanned in France in 4Q12 (a CCM score of 1.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for France over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in France and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and France.]
Threat categories
[Figure: Malware and potentially unwanted software categories in France in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: France and Worldwide.]
The most common category in France in 4Q12 was Adware. It affected 41.1 percent of all computers with detections there, up from 41.1 percent in 3Q12. The second most common category in France in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.1 percent of all computers with detections there, up from 27.0 percent in 3Q12. The third most common category in France in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 22.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in France in 4Q12
% of computers with detections: 19.8%, 11.9%, 11.0%, 10.5%, 5.2%, 4.7%, 4.2%, 4.0%, 3.9%, 3.8%
The most common threat family in France in 4Q12 was Win32/DealPly, which affected 19.8 percent of computers with detections in France. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in France in 4Q12 was Win32/Zwangi, which affected 11.9 percent of computers with detections in France. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The third most common threat family in France in 4Q12 was Win32/Hotbar, which affected 11.0 percent of computers with detections in France. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in France in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in France. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for France
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 4.16 (5.41) | 3.98 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 6.89 (9.46) | 7.51 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.30 (0.56) | 0.24 (0.33)
Georgia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Georgia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Georgia
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 23.3 | 25.2 | 22.9 | 24.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Georgia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 24.2 of every 1,000 computers scanned in Georgia in 4Q12 (a CCM score of 24.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Georgia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Georgia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Georgia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Georgia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Georgia and Worldwide.]
The most common category in Georgia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.0 percent of all computers with detections there, up from 43.6 percent in 3Q12. The second most common category in Georgia in 4Q12 was Worms. It affected 43.3 percent of all computers with detections there, up from 39.8 percent in 3Q12. The third most common category in Georgia in 4Q12 was Miscellaneous Trojans, which affected 33.1 percent of all computers with detections there, down from 35.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Georgia in 4Q12
% of computers with detections: 19.5%, 13.2%, 13.0%, 11.1%, 9.7%, 9.1%, 7.1%, 6.1%, 5.7%, 5.0%
The most common threat family in Georgia in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Georgia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Georgia in 4Q12 was Win32/Dorkbot, which affected 13.2 percent of computers with detections in Georgia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Georgia in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Georgia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Georgia in 4Q12 was JS/IframeRef, which affected 11.1 percent of computers with detections in Georgia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Georgia
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 13.89 (5.41) | 8.68 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 19.10 (9.46) | 15.63 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 4.49 (0.56) | 0.78 (0.33)
Germany
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Germany in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Germany
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.5 | 3.0 | 2.6 | 2.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Germany and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.1 of every 1,000 computers scanned in Germany in 4Q12 (a CCM score of 2.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Germany over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Germany and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Germany.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Germany in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Germany and Worldwide.]
The most common category in Germany in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.2 percent of all computers with detections there, up from 24.5 percent in 3Q12. The second most common category in Germany in 4Q12 was Miscellaneous Trojans. It affected 27.2 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in Germany in 4Q12 was Exploits, which affected 27.0 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Germany in 4Q12
% of computers with detections: 14.4%, 12.3%, 11.6%, 9.7%, 5.4%, 5.3%, 4.7%, 4.2%, 4.1%, 3.7%
The most common threat family in Germany in 4Q12 was Win32/Pdfjsc, which affected 14.4 percent of computers with detections in Germany. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Germany in 4Q12 was Java/Blacole, which affected 12.3 percent of computers with detections in Germany. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The third most common threat family in Germany in 4Q12 was Win32/Keygen, which affected 11.6 percent of computers with detections in Germany. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Germany in 4Q12 was Win32/DealPly, which affected 9.7 percent of computers with detections in Germany. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Germany
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.44 (5.41) | 3.66 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 5.97 (9.46) | 7.71 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 4.19 (0.56) | 1.11 (0.33)
Greece
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Greece in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Greece
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 7.3 | 6.3 | 5.3 | 5.7
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Greece and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Greece in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Greece over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Greece and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide and Greece.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Greece in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Greece, Worldwide.]
The most common category in Greece in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 32.6 percent in 3Q12. The second most common category in Greece in 4Q12 was Miscellaneous Trojans. It affected 27.0 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Greece in 4Q12 was Exploits, which affected 22.1 percent of all computers with detections there, up from 13.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Greece in 4Q12
% of computers with detections 17.1% 11.2% 10.0% 8.3% 5.8% 5.8% 5.4% 4.9% 4.9% 4.3%
The most common threat family in Greece in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Greece. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Greece in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Greece. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The third most common threat family in Greece in 4Q12 was Java/Blacole, which affected 10.0 percent of computers with detections in Greece. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
The fourth most common threat family in Greece in 4Q12 was INF/Autorun, which affected 8.3 percent of computers with detections in Greece. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Greece
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 3.20 (5.41) | 4.15 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.70 (9.46) | 8.65 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.07 (0.56) | 0.12 (0.33) |
Guatemala
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Guatemala in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Guatemala
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.0 | 6.9 | 6.8 | 6.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Guatemala and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.1 of every 1,000 computers scanned in Guatemala in 4Q12 (a CCM score of 6.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Guatemala over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Guatemala and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Guatemala.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Guatemala in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Guatemala, Worldwide.]
The most common category in Guatemala in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.0 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Guatemala in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 42.4 percent in 3Q12. The third most common category in Guatemala in 4Q12 was Miscellaneous Trojans, which affected 22.9 percent of all computers with detections there, down from 23.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Guatemala in 4Q12
% of computers with detections 18.1% 17.7% 13.6% 11.5% 5.7% 4.2% 4.2% 4.0% 3.6% 3.2%
The most common threat family in Guatemala in 4Q12 was Win32/Dorkbot, which affected 18.1 percent of computers with detections in Guatemala. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The second most common threat family in Guatemala in 4Q12 was Win32/Keygen, which affected 17.7 percent of computers with detections in Guatemala. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Guatemala in 4Q12 was INF/Autorun, which affected 13.6 percent of computers with detections in Guatemala. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Guatemala in 4Q12 was Win32/Vobfus, which affected 11.5 percent of computers with detections in Guatemala. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Guatemala
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33) |
Honduras
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Honduras in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Honduras
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.1 | 8.5 | 7.9 | 7.1 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Honduras and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.1 of every 1,000 computers scanned in Honduras in 4Q12 (a CCM score of 7.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Honduras over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Honduras and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Honduras.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Honduras in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Honduras, Worldwide.]
The most common category in Honduras in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.8 percent of all computers with detections there, up from 39.3 percent in 3Q12. The second most common category in Honduras in 4Q12 was Worms. It affected 42.1 percent of all computers with detections there, up from 42.0 percent in 3Q12. The third most common category in Honduras in 4Q12 was Miscellaneous Trojans, which affected 22.0 percent of all computers with detections there, down from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Honduras in 4Q12
% of computers with detections 20.0% 16.4% 14.8% 14.6% 8.1% 4.9% 4.8% 4.4% 4.0% 3.4%
The most common threat family in Honduras in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Honduras. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Honduras in 4Q12 was Win32/Dorkbot, which affected 16.4 percent of computers with detections in Honduras. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The third most common threat family in Honduras in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Honduras. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Honduras in 4Q12 was Win32/Vobfus, which affected 14.6 percent of computers with detections in Honduras. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Honduras
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33) |
Hong Kong S.A.R.
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Hong Kong S.A.R. in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Hong Kong S.A.R.
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.5 | 2.6 | 2.3 | 2.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hong Kong S.A.R. and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Hong Kong S.A.R. in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Hong Kong S.A.R. over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Hong Kong S.A.R. and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Hong Kong S.A.R.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Hong Kong S.A.R. in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Hong Kong S.A.R., Worldwide.]
The most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 29.5 percent of all computers with detections there, up from 26.9 percent in 3Q12. The third most common category in Hong Kong S.A.R. in 4Q12 was Worms, which affected 14.4 percent of all computers with detections there, down from 14.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Hong Kong S.A.R. in 4Q12
% of computers with detections 19.5% 6.9% 6.8% 5.8% 3.3% 3.0% 3.0% 2.9% 2.7% 2.7%
The most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Hong Kong S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Hong Kong S.A.R. in 4Q12 was JS/IframeRef, which affected 6.9 percent of computers with detections in Hong Kong S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
The third most common threat family in Hong Kong S.A.R. in 4Q12 was INF/Autorun, which affected 6.8 percent of computers with detections in Hong Kong S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.8 percent of computers with detections in Hong Kong S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hong Kong S.A.R.
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 6.01 (5.41) | 6.23 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.70 (9.46) | 12.22 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.28 (0.56) | 0.11 (0.33) |
Hungary
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Hungary in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Hungary
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.3 | 5.2 | 4.5 | 4.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hungary and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Hungary in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Hungary over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Hungary and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Hungary.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Hungary in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Hungary, Worldwide.]
The most common category in Hungary in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.4 percent of all computers with detections there, up from 39.0 percent in 3Q12. The second most common category in Hungary in 4Q12 was Miscellaneous Trojans. It affected 25.2 percent of all computers with detections there, down from 26.4 percent in 3Q12. The third most common category in Hungary in 4Q12 was Worms, which affected 18.0 percent of all computers with detections there, up from 17.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Hungary in 4Q12
% of computers with detections 23.4% 6.5% 6.5% 6.0% 5.7% 5.2% 4.8% 3.8% 3.6% 3.2%
The most common threat family in Hungary in 4Q12 was Win32/Keygen, which affected 23.4 percent of computers with detections in Hungary. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Hungary in 4Q12 was INF/Autorun, which affected 6.5 percent of computers with detections in Hungary. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Hungary in 4Q12 was Win32/Pdfjsc, which affected 6.5 percent of computers with detections in Hungary. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The fourth most common threat family in Hungary in 4Q12 was Win32/Obfuscator, which affected 6.0 percent of computers with detections in Hungary. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hungary
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 7.86 (5.41) | 7.86 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 9.11 (9.46) | 10.66 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.31 (0.56) | 1.34 (0.33) |
Iceland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iceland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Iceland
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.2 | 2.4 | 1.7 | 1.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iceland and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.7 of every 1,000 computers scanned in Iceland in 4Q12 (a CCM score of 1.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Iceland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Iceland and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Iceland.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Iceland in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Iceland, Worldwide.]
The most common category in Iceland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 37.5 percent in 3Q12. The second most common category in Iceland in 4Q12 was Adware. It affected 24.5 percent of all computers with detections there, down from 37.4 percent in 3Q12. The third most common category in Iceland in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, up from 21.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Iceland in 4Q12
% of computers with detections 19.5% 14.3% 9.9% 8.1% 5.4% 5.2% 4.9% 4.6% 3.8% 3.2%
The most common threat family in Iceland in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Iceland. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Iceland in 4Q12 was Win32/Hotbar, which affected 14.3 percent of computers with detections in Iceland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
The third most common threat family in Iceland in 4Q12 was Win32/Zwangi, which affected 9.9 percent of computers with detections in Iceland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
The fourth most common threat family in Iceland in 4Q12 was JS/IframeRef, which affected 8.1 percent of computers with detections in Iceland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iceland
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 5.57 (5.41) | 5.57 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.57 (9.46) | 5.92 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.33 (0.56) | 0.35 (0.33) |
India
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in India in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for India
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 13.2 | 12.5 | 11.3 | 10.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in India and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 10.0 of every 1,000 computers scanned in India in 4Q12 (a CCM score of 10.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for India over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in India and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, India.]
Microsoft Security Intelligence Report, Volume 14
Threat categories
[Figure: Malware and potentially unwanted software categories in India in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: India, Worldwide.]
The most common category in India in 4Q12 was Worms. It affected 39.9 percent of all computers with detections there, up from 37.6 percent in 3Q12. The second most common category in India in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.6 percent of all computers with detections there, up from 35.4 percent in 3Q12. The third most common category in India in 4Q12 was Miscellaneous Trojans, which affected 34.7 percent of all computers with detections there, down from 34.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in India in 4Q12
% of computers with detections 22.9% 16.8% 14.8% 12.9% 10.8% 7.9% 6.2% 6.0% 5.5% 4.9%
The most common threat family in India in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in India. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in India in 4Q12 was Win32/Sality, which affected 16.8 percent of computers with detections in India. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in India in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in India. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in India in 4Q12 was Win32/Ramnit, which affected 12.9 percent of computers with detections in India. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for India
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 7.73 (5.41) | 7.70 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.84 (9.46) | 13.38 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.29 (0.56) | 0.15 (0.33) |
Indonesia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Indonesia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Indonesia
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 17.0 | 16.6 | 15.7 | 14.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Indonesia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 14.2 of every 1,000 computers scanned in Indonesia in 4Q12 (a CCM score of 14.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Indonesia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Indonesia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Indonesia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Indonesia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Indonesia, Worldwide.]
The most common category in Indonesia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 39.7 percent in 3Q12. The second most common category in Indonesia in 4Q12 was Miscellaneous Trojans. It affected 42.7 percent of all computers with detections there, up from 42.6 percent in 3Q12. The third most common category in Indonesia in 4Q12 was Viruses, which affected 40.4 percent of all computers with detections there, up from 40.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Indonesia in 4Q12
% of computers with detections 33.8% 23.5% 20.6% 17.1% 14.4% 12.4% 10.8% 7.6% 7.5% 6.2%
The most common threat family in Indonesia in 4Q12 was Win32/Ramnit, which affected 33.8 percent of computers with detections in Indonesia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Indonesia in 4Q12 was Win32/Keygen, which affected 23.5 percent of computers with detections in Indonesia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Indonesia in 4Q12 was Win32/CplLnk, which affected 20.6 percent of computers with detections in Indonesia. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The fourth most common threat family in Indonesia in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Indonesia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Indonesia
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 13.83 (5.41) | 14.71 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 12.69 (9.46) | 12.60 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.39 (0.56) | 0.81 (0.33) |
Iraq
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iraq in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Iraq
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 23.7 | 25.3 | 20.7 | 20.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iraq and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 20.6 of every 1,000 computers scanned in Iraq in 4Q12 (a CCM score of 20.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Iraq over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Iraq and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Iraq.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Iraq in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Iraq, Worldwide.]
The most common category in Iraq in 4Q12 was Worms. It affected 41.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Iraq in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 28.8 percent in 3Q12. The third most common category in Iraq in 4Q12 was Miscellaneous Trojans, which affected 33.7 percent of all computers with detections there, up from 26.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Iraq in 4Q12
% of computers with detections 20.8% 18.5% 18.4% 14.9% 11.6% 11.0% 7.2% 6.6% 6.2% 4.7%
The most common threat family in Iraq in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Iraq. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Iraq in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Iraq. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Iraq in 4Q12 was Win32/Sality, which affected 18.4 percent of computers with detections in Iraq. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Iraq in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Iraq. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iraq
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |
Ireland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ireland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ireland
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.0 | 2.9 | 2.3 | 2.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ireland and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.0 of every 1,000 computers scanned in Ireland in 4Q12 (a CCM score of 2.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ireland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Ireland and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Ireland.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Ireland in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Ireland, Worldwide.]
The most common category in Ireland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.4 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in Ireland in 4Q12 was Miscellaneous Trojans. It affected 30.3 percent of all computers with detections there, down from 32.8 percent in 3Q12. The third most common category in Ireland in 4Q12 was Adware, which affected 25.6 percent of all computers with detections there, down from 31.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ireland in 4Q12
% of computers with detections 12.8% 10.0% 8.7% 7.3% 7.0% 6.1% 5.1% 4.5% 4.4% 4.4%
The most common threat family in Ireland in 4Q12 was Win32/Hotbar, which affected 12.8 percent of computers with detections in Ireland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The second most common threat family in Ireland in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Ireland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ireland in 4Q12 was Win32/Zwangi, which affected 8.7 percent of computers with detections in Ireland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Ireland in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Ireland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ireland
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 4.29 (5.41) | 3.57 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 4.76 (9.46) | 5.00 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.50 (0.56) | 0.42 (0.33) |
Israel
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Israel in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Israel
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.7 | 8.6 | 6.9 | 6.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Israel and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.9 of every 1,000 computers scanned in Israel in 4Q12 (a CCM score of 6.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Israel over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Israel and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Israel.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Israel in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Israel, Worldwide.]
The most common category in Israel in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in Israel in 4Q12 was Miscellaneous Trojans. It affected 24.6 percent of all computers with detections there, up from 23.2 percent in 3Q12. The third most common category in Israel in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, up from 20.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Israel in 4Q12
% of computers with detections 17.9% 9.9% 9.5% 5.8% 5.7% 5.6% 5.2% 5.0% 4.8% 3.8%
The most common threat family in Israel in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Israel. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Israel in 4Q12 was Win32/AmmyyAdmin, which affected 9.9 percent of computers with detections in Israel. Win32/AmmyyAdmin is a remote control application that allows full control of the computer in which it is installed. It can be installed for legitimate purposes, but can also be installed from a remote location by an attacker. The third most common threat family in Israel in 4Q12 was INF/Autorun, which affected 9.5 percent of computers with detections in Israel. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Israel in 4Q12 was Win32/Sality, which affected 5.8 percent of computers with detections in Israel. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Israel
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 10.06 (5.41) | 5.88 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.87 (9.46) | 10.14 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.17 (0.56) | 0.11 (0.33) |
Italy
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Italy in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Italy
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.5 | 4.5 | 3.7 | 3.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Italy and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in Italy in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Italy over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Italy and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Italy.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Italy in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Italy, Worldwide.]
The most common category in Italy in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.2 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Italy in 4Q12 was Adware. It affected 25.6 percent of all computers with detections there, down from 29.3 percent in 3Q12. The third most common category in Italy in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, down from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Italy in 4Q12
% of computers with detections 13.7% 13.3% 13.2% 11.1% 8.0% 5.5% 4.7% 4.6% 3.9% 3.8%
The most common threat family in Italy in 4Q12 was Win32/Pdfjsc, which affected 13.7 percent of computers with detections in Italy. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Italy in 4Q12 was Win32/DealPly, which affected 13.3 percent of computers with detections in Italy. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Italy in 4Q12 was Win32/Keygen, which affected 13.2 percent of computers with detections in Italy. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Italy in 4Q12 was ASX/Wimad, which affected 11.1 percent of computers with detections in Italy. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Italy
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.47 (5.41) | 4.26 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.21 (9.46) | 8.04 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.48 (0.56) | 0.25 (0.33) |
July–December 2012
Jamaica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jamaica in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jamaica
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.8 | 8.2 | 6.8 | 6.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jamaica and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.0 of every 1,000 computers scanned in Jamaica in 4Q12 (a CCM score of 6.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Jamaica over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Jamaica and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Jamaica.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Jamaica in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Jamaica, Worldwide.]
The most common category in Jamaica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 35.3 percent in 3Q12. The second most common category in Jamaica in 4Q12 was Worms. It affected 36.1 percent of all computers with detections there, up from 31.6 percent in 3Q12. The third most common category in Jamaica in 4Q12 was Adware, which affected 24.0 percent of all computers with detections there, down from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Jamaica in 4Q12
% of computers with detections 16.2% 14.8% 13.9% 13.6% 9.3% 5.8% 5.6% 4.4% 4.3% 4.2%
The most common threat family in Jamaica in 4Q12 was Win32/Vobfus, which affected 16.2 percent of computers with detections in Jamaica. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Jamaica in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Jamaica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Jamaica in 4Q12 was Win32/Keygen, which affected 13.9 percent of computers with detections in Jamaica. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Jamaica in 4Q12 was Win32/Hotbar, which affected 13.6 percent of computers with detections in Jamaica. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jamaica
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33) |
Japan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Japan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Japan
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 1.0 | 0.9 | 0.7 | 0.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Japan and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 0.7 of every 1,000 computers scanned in Japan in 4Q12 (a CCM score of 0.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Japan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Japan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Japan.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Japan in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Japan, Worldwide.]
The most common category in Japan in 4Q12 was Adware. It affected 37.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Japan in 4Q12 was Miscellaneous Trojans. It affected 26.1 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Japan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 19.8 percent of all computers with detections there, down from 20.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Japan in 4Q12
% of computers with detections 29.5% 9.4% 7.7% 5.5% 5.1% 4.2% 3.1% 2.7% 2.7% 2.6%
The most common threat family in Japan in 4Q12 was Win32/DealPly, which affected 29.5 percent of computers with detections in Japan. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Japan in 4Q12 was JS/IframeRef, which affected 9.4 percent of computers with detections in Japan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Japan in 4Q12 was Win32/Keygen, which affected 7.7 percent of computers with detections in Japan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Japan in 4Q12 was INF/Autorun, which affected 5.5 percent of computers with detections in Japan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Japan
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 1.84 (5.41) | 1.78 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 5.49 (9.46) | 5.29 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.13 (0.56) | 0.08 (0.33) |
Jordan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jordan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jordan
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 15.8 | 18.0 | 16.0 | 12.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jordan and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.6 of every 1,000 computers scanned in Jordan in 4Q12 (a CCM score of 12.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Jordan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Jordan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Jordan.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Jordan in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Jordan, Worldwide.]
The most common category in Jordan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Jordan in 4Q12 was Worms. It affected 38.3 percent of all computers with detections there, up from 27.2 percent in 3Q12. The third most common category in Jordan in 4Q12 was Miscellaneous Trojans, which affected 35.5 percent of all computers with detections there, up from 26.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Jordan in 4Q12
% of computers with detections 20.8% 16.6% 15.8% 10.7% 9.7% 9.3% 8.7% 6.8% 5.0% 4.4%
The most common threat family in Jordan in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Jordan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Jordan in 4Q12 was Win32/Keygen, which affected 16.6 percent of computers with detections in Jordan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Jordan in 4Q12 was Win32/Sality, which affected 15.8 percent of computers with detections in Jordan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Jordan in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Jordan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jordan
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.02 (0.56) | N/A (0.33) |
Kazakhstan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kazakhstan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kazakhstan
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 8.8 | 8.5 | 7.1 | 6.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kazakhstan and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.9 of every 1,000 computers scanned in Kazakhstan in 4Q12 (a CCM score of 6.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kazakhstan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Kazakhstan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Kazakhstan.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kazakhstan in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Kazakhstan, Worldwide.]
The most common category in Kazakhstan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 48.6 percent of all computers with detections there, down from 52.7 percent in 3Q12. The second most common category in Kazakhstan in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Kazakhstan in 4Q12 was Worms, which affected 24.7 percent of all computers with detections there, up from 20.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kazakhstan in 4Q12
% of computers with detections 17.9% 12.6% 12.3% 10.7% 8.3% 6.0% 5.7% 5.5% 5.5% 4.8%
The most common threat family in Kazakhstan in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Kazakhstan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kazakhstan in 4Q12 was Win32/Pameseg, which affected 12.6 percent of computers with detections in Kazakhstan. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Kazakhstan in 4Q12 was Win32/Vobfus, which affected 12.3 percent of computers with detections in Kazakhstan. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Kazakhstan in 4Q12 was INF/Autorun, which affected 10.7 percent of computers with detections in Kazakhstan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kazakhstan
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 19.00 (5.41) | 11.95 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 8.89 (9.46) | 14.40 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.64 (0.56) | 0.52 (0.33) |
Kenya
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kenya in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kenya
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.5 | 9.0 | 7.3 | 6.8 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kenya and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.8 of every 1,000 computers scanned in Kenya in 4Q12 (a CCM score of 6.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kenya over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Kenya and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Kenya.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kenya in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Kenya, Worldwide.]
The most common category in Kenya in 4Q12 was Miscellaneous Trojans. It affected 40.4 percent of all computers with detections there, up from 37.0 percent in 3Q12. The second most common category in Kenya in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 35.0 percent in 3Q12. The third most common category in Kenya in 4Q12 was Worms, which affected 31.0 percent of all computers with detections there, down from 32.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kenya in 4Q12
% of computers with detections 18.4% 18.3% 17.1% 13.8% 8.8% 7.8% 7.1% 6.9% 6.3% 4.9%
The most common threat family in Kenya in 4Q12 was Win32/Comame, which affected 18.4 percent of computers with detections in Kenya. Win32/Comame is a generic detection for a variety of threats. The second most common threat family in Kenya in 4Q12 was INF/Autorun, which affected 18.3 percent of computers with detections in Kenya. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kenya in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Kenya. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kenya in 4Q12 was Win32/Keygen, which affected 13.8 percent of computers with detections in Kenya. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kenya
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.21 (0.56) | 0.49 (0.33) |
Korea
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Korea in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Korea
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 27.5 | 70.4 | 27.5 | 93.0 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Korea and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 93.0 of every 1,000 computers scanned in Korea in 4Q12 (a CCM score of 93.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Korea over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Korea and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); X-axis: 3Q11 to 4Q12; series: Worldwide, Korea.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Korea in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Korea, Worldwide.]
The most common category in Korea in 4Q12 was Miscellaneous Trojans. It affected 75.6 percent of all computers with detections there, up from 35.5 percent in 3Q12. The second most common category in Korea in 4Q12 was Adware. It affected 32.6 percent of all computers with detections there, down from 55.5 percent in 3Q12. The third most common category in Korea in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 9.7 percent of all computers with detections there, down from 14.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Korea in 4Q12
% of computers with detections 70.6% 10.6% 10.3% 8.7% 6.4% 6.1% 3.3% 3.1% 3.0% 2.9%
The most common threat family in Korea in 4Q12 was Win32/Onescan, which affected 70.6 percent of computers with detections in Korea. Win32/Onescan is a Korean-language rogue security software family distributed under the names One Scan, Siren114, EnPrivacy, PC Trouble, Smart Vaccine, and many others. The second most common threat family in Korea in 4Q12 was Win32/Addendum, which affected 10.6 percent of computers with detections in Korea. Win32/Addendum is adware that is installed as a web browser helper object (BHO) that may display unwanted pop-up advertisements and redirect search queries when accessing certain websites. It may also download executable files to install as updates. The third most common threat family in Korea in 4Q12 was Win32/SideOn, which affected 10.3 percent of computers with detections in Korea. Win32/SideOn is a component of a program called WinPro that may redirect the user’s web browser to certain websites and display ads for certain products. The fourth most common threat family in Korea in 4Q12 was Win32/Wingo, which affected 8.7 percent of computers with detections in Korea. Win32/Wingo is a program that may install a browser helper object (BHO) that may display pop-up advertisements and download updates of itself.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Korea
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 3.86 (5.41) | 14.50 (9.46) | 0.26 (0.56)
4Q12 | 3.98 (5.10) | 17.88 (10.85) | 0.31 (0.33)
July–December 2012
Kuwait
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kuwait in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kuwait
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 11.8 | 6.6
2Q12 | 11.6 | 7.0
3Q12 | 10.0 | 5.3
4Q12 | 9.7 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kuwait and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 9.7 of every 1,000 computers scanned in Kuwait in 4Q12 (a CCM score of 9.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Kuwait over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Kuwait and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Kuwait.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kuwait in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Kuwait, Worldwide.]
The most common category in Kuwait in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.7 percent of all computers with detections there, up from 29.2 percent in 3Q12. The second most common category in Kuwait in 4Q12 was Worms. It affected 33.8 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Kuwait in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 25.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kuwait in 4Q12
% of computers with detections 17.1% 15.0% 9.0% 8.2% 6.5% 6.2% 5.4% 5.2% 4.2% 4.1%
The most common threat family in Kuwait in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Kuwait. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kuwait in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Kuwait. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kuwait in 4Q12 was Win32/Sality, which affected 9.0 percent of computers with detections in Kuwait. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kuwait in 4Q12 was Win32/Dorkbot, which affected 8.2 percent of computers with detections in Kuwait. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kuwait
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 4.58 (5.41) | 6.54 (9.46) | 0.08 (0.56)
4Q12 | 2.61 (5.10) | 5.88 (10.85) | 0.26 (0.33)
Latvia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Latvia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Latvia
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 5.1 | 6.6
2Q12 | 4.5 | 7.0
3Q12 | 3.8 | 5.3
4Q12 | 4.1 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Latvia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 4.1 of every 1,000 computers scanned in Latvia in 4Q12 (a CCM score of 4.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Latvia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Latvia and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Latvia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Latvia in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Latvia, Worldwide.]
The most common category in Latvia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.9 percent of all computers with detections there, up from 45.6 percent in 3Q12. The second most common category in Latvia in 4Q12 was Miscellaneous Trojans. It affected 31.9 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Latvia in 4Q12 was Worms, which affected 20.1 percent of all computers with detections there, up from 14.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Latvia in 4Q12
% of computers with detections 21.2% 7.7% 7.3% 7.2% 5.1% 4.9% 4.7% 4.0% 3.7% 3.6%
The most common threat family in Latvia in 4Q12 was Win32/Keygen, which affected 21.2 percent of computers with detections in Latvia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Latvia in 4Q12 was Win32/Dorkbot, which affected 7.7 percent of computers with detections in Latvia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Latvia in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Latvia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Latvia in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in Latvia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Latvia
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 3.85 (5.41) | 8.06 (9.46) | 0.51 (0.56)
4Q12 | 5.43 (5.10) | 13.66 (10.85) | 1.52 (0.33)
Lebanon
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lebanon in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lebanon
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 13.3 | 6.6
2Q12 | 13.9 | 7.0
3Q12 | 10.4 | 5.3
4Q12 | 13.0 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lebanon and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 13.0 of every 1,000 computers scanned in Lebanon in 4Q12 (a CCM score of 13.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Lebanon over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Lebanon and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Lebanon.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Lebanon in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Lebanon, Worldwide.]
The most common category in Lebanon in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Lebanon in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 30.4 percent in 3Q12. The third most common category in Lebanon in 4Q12 was Miscellaneous Trojans, which affected 30.1 percent of all computers with detections there, up from 24.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Lebanon in 4Q12
% of computers with detections 17.5% 16.3% 11.2% 11.2% 8.8% 8.6% 8.3% 6.0% 5.8% 5.5%
The most common threat family in Lebanon in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Lebanon. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Lebanon in 4Q12 was INF/Autorun, which affected 16.3 percent of computers with detections in Lebanon. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Lebanon in 4Q12 was Win32/Sality, which affected 11.2 percent of computers with detections in Lebanon. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Lebanon in 4Q12 was Win32/CplLnk, which affected 11.2 percent of computers with detections in Lebanon. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lebanon
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | 0.05 (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | 0.00 (0.33)
Lithuania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lithuania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lithuania
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 7.4 | 6.6
2Q12 | 6.4 | 7.0
3Q12 | 5.8 | 5.3
4Q12 | 6.4 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lithuania and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.4 of every 1,000 computers scanned in Lithuania in 4Q12 (a CCM score of 6.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Lithuania over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Lithuania and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Lithuania.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Lithuania in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Lithuania, Worldwide.]
The most common category in Lithuania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.2 percent of all computers with detections there, up from 42.0 percent in 3Q12. The second most common category in Lithuania in 4Q12 was Miscellaneous Trojans. It affected 33.2 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Lithuania in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 18.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Lithuania in 4Q12
% of computers with detections 23.1% 8.4% 7.3% 5.2% 5.1% 3.9% 3.7% 3.6% 3.2% 3.2%
The most common threat family in Lithuania in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Lithuania. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Lithuania in 4Q12 was JS/IframeRef, which affected 8.4 percent of computers with detections in Lithuania. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Lithuania in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Lithuania. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Lithuania in 4Q12 was INF/Autorun, which affected 5.2 percent of computers with detections in Lithuania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lithuania
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 4.43 (5.41) | 7.89 (9.46) | 4.43 (0.56)
4Q12 | 5.54 (5.10) | 12.88 (10.85) | 0.22 (0.33)
Luxembourg
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Luxembourg in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Luxembourg
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 2.8 | 6.6
2Q12 | 2.0 | 7.0
3Q12 | 2.2 | 5.3
4Q12 | 2.2 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Luxembourg and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Luxembourg in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Luxembourg over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Luxembourg and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Luxembourg.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Luxembourg in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Luxembourg, Worldwide.]
The most common category in Luxembourg in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.5 percent of all computers with detections there, up from 29.4 percent in 3Q12. The second most common category in Luxembourg in 4Q12 was Miscellaneous Trojans. It affected 28.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Luxembourg in 4Q12 was Exploits, which affected 21.6 percent of all computers with detections there, up from 7.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Luxembourg in 4Q12
% of computers with detections 12.9% 10.4% 8.9% 7.6% 5.8% 5.6% 5.3% 5.2% 4.9% 4.3%
The most common threat family in Luxembourg in 4Q12 was Win32/Keygen, which affected 12.9 percent of computers with detections in Luxembourg. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Luxembourg in 4Q12 was Win32/Pdfjsc, which affected 10.4 percent of computers with detections in Luxembourg. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Luxembourg in 4Q12 was Java/Blacole, which affected 8.9 percent of computers with detections in Luxembourg. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Luxembourg in 4Q12 was Win32/Reveton, which affected 7.6 percent of computers with detections in Luxembourg. Win32/Reveton is a ransomware family that targets users from certain countries. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Luxembourg
Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 5.70 (5.41) | 8.92 (9.46) | 0.17 (0.56)
4Q12 | 5.95 (5.10) | 19.33 (10.85) | 1.08 (0.33)
Macao S.A.R.
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Macao S.A.R. in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Macao S.A.R.
Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 3.0 | 6.6
2Q12 | 2.2 | 7.0
3Q12 | 1.9 | 5.3
4Q12 | 1.9 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Macao S.A.R. and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.9 of every 1,000 computers scanned in Macao S.A.R. in 4Q12 (a CCM score of 1.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Macao S.A.R. over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Macao S.A.R. and worldwide. Vertical axis: computers cleaned per 1,000 scanned (CCM); horizontal axis: quarters 3Q11 through 4Q12; series: Worldwide, Macao S.A.R.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Macao S.A.R. in 4Q12, by percentage of computers reporting detections. Vertical axis: percent of computers reporting detections; series: Macao S.A.R., Worldwide.]
The most common category in Macao S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.4 percent in 3Q12. The second most common category in Macao S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 28.8 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Macao S.A.R. in 4Q12 was Worms, which affected 19.0 percent of all computers with detections there, up from 17.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Macao S.A.R. in 4Q12
% of computers with detections 20.6% 7.5% 5.9% 5.6% 5.0% 3.5% 3.0% 3.0% 3.0% 2.6%
The most common threat family in Macao S.A.R. in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Macao S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Macao S.A.R. in 4Q12 was INF/Autorun, which affected 7.5 percent of computers with detections in Macao S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Macao S.A.R. in 4Q12 was JS/IframeRef, which affected 5.9 percent of computers with detections in Macao S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Macao S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.6 percent of computers with detections in Macao S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Macao S.A.R.
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          N/A (5.41)      N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   N/A (9.46)      N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.08 (0.56)     0.09 (0.33)
Malaysia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malaysia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malaysia
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   9.3    8.7    8.1    7.9
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malaysia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.9 of every 1,000 computers scanned in Malaysia in 4Q12 (a CCM score of 7.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Malaysia over the last six quarters, compared to the world as a whole.
CCM infection trends in Malaysia and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Malaysia]
Threat categories
Malware and potentially unwanted software categories in Malaysia in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Malaysia and Worldwide]
The most common category in Malaysia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.6 percent of all computers with detections there, up from 32.4 percent in 3Q12. The second most common category in Malaysia in 4Q12 was Worms. It affected 38.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The third most common category in Malaysia in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Malaysia in 4Q12
% of computers with detections (families ranked 1 to 10): 15.9%, 15.9%, 15.1%, 9.1%, 5.9%, 5.1%, 4.6%, 3.4%, 3.4%, 3.4%
The most common threat family in Malaysia in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Malaysia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Malaysia in 4Q12 was Win32/Dorkbot, which affected 15.9 percent of computers with detections in Malaysia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Malaysia in 4Q12 was INF/Autorun, which affected 15.1 percent of computers with detections in Malaysia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Malaysia in 4Q12 was Win32/Sality, which affected 9.1 percent of computers with detections in Malaysia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malaysia
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          17.15 (5.41)    17.66 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   11.63 (9.46)    13.87 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        1.76 (0.56)     0.95 (0.33)
Malta
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malta in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malta
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   4.1    3.6    2.5    2.3
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malta and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in Malta in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Malta over the last six quarters, compared to the world as a whole.
CCM infection trends in Malta and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Malta]
Threat categories
Malware and potentially unwanted software categories in Malta in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Malta and Worldwide]
The most common category in Malta in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.6 percent of all computers with detections there, up from 34.0 percent in 3Q12. The second most common category in Malta in 4Q12 was Adware. It affected 29.6 percent of all computers with detections there, down from 39.5 percent in 3Q12. The third most common category in Malta in 4Q12 was Miscellaneous Trojans, which affected 19.7 percent of all computers with detections there, up from 18.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Malta in 4Q12
% of computers with detections (families ranked 1 to 10): 18.5%, 16.8%, 12.6%, 7.8%, 6.4%, 5.3%, 4.9%, 4.0%, 3.7%, 3.6%
The most common threat family in Malta in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Malta. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Malta in 4Q12 was Win32/Hotbar, which affected 16.8 percent of computers with detections in Malta. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Malta in 4Q12 was Win32/Zwangi, which affected 12.6 percent of computers with detections in Malta. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Malta in 4Q12 was ASX/Wimad, which affected 7.8 percent of computers with detections in Malta. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malta
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          0.78 (5.41)     3.12 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   0.78 (9.46)     4.68 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.07 (0.56)     0.04 (0.33)
Mexico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Mexico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Mexico
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   11.2   10.0   9.3    7.8
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Mexico and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.8 of every 1,000 computers scanned in Mexico in 4Q12 (a CCM score of 7.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Mexico over the last six quarters, compared to the world as a whole.
CCM infection trends in Mexico and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Mexico]
Threat categories
Malware and potentially unwanted software categories in Mexico in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Mexico and Worldwide]
The most common category in Mexico in 4Q12 was Worms. It affected 43.2 percent of all computers with detections there, down from 45.5 percent in 3Q12. The second most common category in Mexico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The third most common category in Mexico in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, up from 16.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Mexico in 4Q12
% of computers with detections (families ranked 1 to 10): 22.5%, 15.3%, 14.2%, 13.3%, 7.9%, 6.3%, 5.0%, 4.6%, 3.4%, 3.3%
The most common threat family in Mexico in 4Q12 was Win32/Dorkbot, which affected 22.5 percent of computers with detections in Mexico. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Mexico in 4Q12 was Win32/DealPly, which affected 15.3 percent of computers with detections in Mexico. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Mexico in 4Q12 was Win32/Keygen, which affected 14.2 percent of computers with detections in Mexico. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Mexico in 4Q12 was INF/Autorun, which affected 13.3 percent of computers with detections in Mexico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Mexico
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          12.36 (5.41)    6.16 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   13.33 (9.46)    10.95 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.03 (0.56)     0.05 (0.33)
Moldova
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Moldova in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Moldova
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   5.9    6.7    6.1    7.8
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Moldova and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.8 of every 1,000 computers scanned in Moldova in 4Q12 (a CCM score of 7.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Moldova over the last six quarters, compared to the world as a whole.
CCM infection trends in Moldova and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Moldova]
Threat categories
Malware and potentially unwanted software categories in Moldova in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Moldova and Worldwide]
The most common category in Moldova in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.6 percent of all computers with detections there, down from 49.7 percent in 3Q12. The second most common category in Moldova in 4Q12 was Miscellaneous Trojans. It affected 35.1 percent of all computers with detections there, down from 38.2 percent in 3Q12. The third most common category in Moldova in 4Q12 was Worms, which affected 30.2 percent of all computers with detections there, up from 16.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Moldova in 4Q12
% of computers with detections (families ranked 1 to 10): 23.1%, 16.3%, 7.9%, 7.2%, 5.3%, 4.1%, 3.9%, 3.8%, 3.5%, 3.3%
The most common threat family in Moldova in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Moldova. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Moldova in 4Q12 was Win32/Dorkbot, which affected 16.3 percent of computers with detections in Moldova. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Moldova in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in Moldova. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Moldova in 4Q12 was Win32/Pameseg, which affected 7.2 percent of computers with detections in Moldova. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Moldova
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          3.71 (5.41)     1.39 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   7.88 (9.46)     12.98 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.17 (0.56)     0.08 (0.33)
Morocco
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Morocco in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Morocco
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   15.6   20.1   21.1   20.1
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Morocco and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 20.1 of every 1,000 computers scanned in Morocco in 4Q12 (a CCM score of 20.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Morocco over the last six quarters, compared to the world as a whole.
CCM infection trends in Morocco and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Morocco]
Threat categories
Malware and potentially unwanted software categories in Morocco in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Morocco and Worldwide]
The most common category in Morocco in 4Q12 was Worms. It affected 41.1 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in Morocco in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Morocco in 4Q12 was Miscellaneous Trojans, which affected 29.8 percent of all computers with detections there, up from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Morocco in 4Q12
% of computers with detections (families ranked 1 to 10): 16.3%, 13.8%, 13.1%, 12.1%, 10.1%, 9.9%, 7.2%, 5.5%, 4.6%, 4.3%
The most common threat family in Morocco in 4Q12 was Win32/Keygen, which affected 16.3 percent of computers with detections in Morocco. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Morocco in 4Q12 was Win32/Sality, which affected 13.8 percent of computers with detections in Morocco. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Morocco in 4Q12 was Win32/Yeltminky, which affected 13.1 percent of computers with detections in Morocco. Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy. The fourth most common threat family in Morocco in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Morocco. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Morocco
Metric                                              3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)          21.48 (5.41)    8.40 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)   12.61 (9.46)    10.27 (10.85)
Drive-by download per 1,000 URLs (Worldwide)        0.12 (0.56)     0.13 (0.33)
Nepal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nepal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nepal
Metric                                              1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 MSRT executions (CCM)   20.0   19.3   18.2   16.5
Worldwide average CCM                               6.6    7.0    5.3    6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nepal and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 16.5 of every 1,000 computers scanned in Nepal in 4Q12 (a CCM score of 16.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nepal over the last six quarters, compared to the world as a whole.
CCM infection trends in Nepal and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Worldwide and Nepal]
Threat categories
Malware and potentially unwanted software categories in Nepal in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by threat category, for Nepal and Worldwide]
The most common category in Nepal in 4Q12 was Miscellaneous Trojans. It affected 48.6 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Nepal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 38.0 percent in 3Q12. The third most common category in Nepal in 4Q12 was Worms, which affected 39.3 percent of all computers with detections there, down from 42.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nepal in 4Q12
% of computers with detections (families ranked 1 to 10): 28.6%, 25.6%, 22.1%, 21.1%, 18.4%, 18.1%, 16.0%, 9.3%, 5.6%, 5.1%
The most common threat family in Nepal in 4Q12 was Win32/Ramnit, which affected 28.6 percent of computers with detections in Nepal. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
The second most common threat family in Nepal in 4Q12 was INF/Autorun, which affected 25.6 percent of computers with detections in Nepal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Nepal in 4Q12 was Win32/CplLnk, which affected 22.1 percent of computers with detections in Nepal. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
The fourth most common threat family in Nepal in 4Q12 was Win32/Sality, which affected 21.1 percent of computers with detections in Nepal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nepal
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | 1.18 (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | 0.50 (0.33)
Microsoft Security Intelligence Report, Volume 14
Netherlands
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Netherlands in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Netherlands
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 6.3 | 6.6
2Q12 | 4.8 | 7.0
3Q12 | 5.6 | 5.3
4Q12 | 2.6 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Netherlands and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.6 of every 1,000 computers scanned in the Netherlands in 4Q12 (a CCM score of 2.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Netherlands over the last six quarters, compared to the world as a whole.
CCM infection trends in the Netherlands and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, Netherlands]
Threat categories
Malware and potentially unwanted software categories in the Netherlands in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Netherlands, Worldwide]
The most common category in the Netherlands in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 30.5 percent in 3Q12. The second most common category in the Netherlands in 4Q12 was Miscellaneous Trojans. It affected 26.7 percent of all computers with detections there, down from 27.2 percent in 3Q12. The third most common category in the Netherlands in 4Q12 was Adware, which affected 25.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Netherlands in 4Q12
% of computers with detections 15.3% 15.1% 11.1% 10.5% 9.5% 5.9% 5.1% 4.4% 4.1% 4.1%
The most common threat family in the Netherlands in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in the Netherlands. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in the Netherlands in 4Q12 was Win32/DealPly, which affected 15.1 percent of computers with detections in the Netherlands. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.
The third most common threat family in the Netherlands in 4Q12 was Win32/Pdfjsc, which affected 11.1 percent of computers with detections in the Netherlands. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The fourth most common threat family in the Netherlands in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in the Netherlands. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Netherlands
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 4.05 (5.41) | 6.53 (9.46) | 0.64 (0.56)
4Q12 | 4.01 (5.10) | 7.35 (10.85) | 0.35 (0.33)
New Zealand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in New Zealand in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for New Zealand
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 3.5 | 6.6
2Q12 | 3.1 | 7.0
3Q12 | 3.3 | 5.3
4Q12 | 3.2 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in New Zealand and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.2 of every 1,000 computers scanned in New Zealand in 4Q12 (a CCM score of 3.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for New Zealand over the last six quarters, compared to the world as a whole.
CCM infection trends in New Zealand and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, New Zealand]
Threat categories
Malware and potentially unwanted software categories in New Zealand in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: New Zealand, Worldwide]
The most common category in New Zealand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.1 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in New Zealand in 4Q12 was Miscellaneous Trojans. It affected 28.9 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in New Zealand in 4Q12 was Adware, which affected 20.4 percent of all computers with detections there, down from 25.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in New Zealand in 4Q12
% of computers with detections 11.4% 9.3% 7.2% 6.6% 6.4% 5.9% 5.0% 4.5% 4.4% 3.6%
The most common threat family in New Zealand in 4Q12 was Win32/Keygen, which affected 11.4 percent of computers with detections in New Zealand. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in New Zealand in 4Q12 was Win32/Hotbar, which affected 9.3 percent of computers with detections in New Zealand. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
The third most common threat family in New Zealand in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in New Zealand. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
The fourth most common threat family in New Zealand in 4Q12 was Win32/Sirefef, which affected 6.6 percent of computers with detections in New Zealand. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for New Zealand
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 6.90 (5.41) | 11.76 (9.46) | 0.19 (0.56)
4Q12 | 4.86 (5.10) | 7.28 (10.85) | 0.08 (0.33)
Nicaragua
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nicaragua in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nicaragua
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 6.2 | 6.6
2Q12 | 6.3 | 7.0
3Q12 | 6.2 | 5.3
4Q12 | 4.7 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nicaragua and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Nicaragua in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nicaragua over the last six quarters, compared to the world as a whole.
CCM infection trends in Nicaragua and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, Nicaragua]
Threat categories
Malware and potentially unwanted software categories in Nicaragua in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Nicaragua, Worldwide]
The most common category in Nicaragua in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in Nicaragua in 4Q12 was Worms. It affected 38.2 percent of all computers with detections there, down from 40.1 percent in 3Q12. The third most common category in Nicaragua in 4Q12 was Miscellaneous Trojans, which affected 22.1 percent of all computers with detections there, down from 24.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nicaragua in 4Q12
% of computers with detections 25.9% 17.6% 8.2% 7.3% 7.2% 4.7% 4.5% 4.4% 4.0% 3.8%
The most common threat family in Nicaragua in 4Q12 was Win32/Keygen, which affected 25.9 percent of computers with detections in Nicaragua. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Nicaragua in 4Q12 was Win32/Dorkbot, which affected 17.6 percent of computers with detections in Nicaragua. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The third most common threat family in Nicaragua in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Nicaragua. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Nicaragua in 4Q12 was Win32/Vobfus, which affected 7.3 percent of computers with detections in Nicaragua. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nicaragua
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | 0.06 (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | N/A (0.33)
Nigeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nigeria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nigeria
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 8.1 | 6.6
2Q12 | 8.1 | 7.0
3Q12 | 7.2 | 5.3
4Q12 | 7.0 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nigeria and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.0 of every 1,000 computers scanned in Nigeria in 4Q12 (a CCM score of 7.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Nigeria over the last six quarters, compared to the world as a whole.
CCM infection trends in Nigeria and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, Nigeria]
Threat categories
Malware and potentially unwanted software categories in Nigeria in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Nigeria, Worldwide]
The most common category in Nigeria in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 40.8 percent in 3Q12. The second most common category in Nigeria in 4Q12 was Miscellaneous Trojans. It affected 29.7 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Nigeria in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 28.8 percent of all computers with detections there, up from 26.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nigeria in 4Q12
% of computers with detections 17.1% 16.1% 11.4% 10.7% 10.1% 9.4% 8.6% 7.8% 6.1% 5.3%
The most common threat family in Nigeria in 4Q12 was Win32/Vobfus, which affected 17.1 percent of computers with detections in Nigeria. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
The second most common threat family in Nigeria in 4Q12 was INF/Autorun, which affected 16.1 percent of computers with detections in Nigeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Nigeria in 4Q12 was Win32/Sality, which affected 11.4 percent of computers with detections in Nigeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
The fourth most common threat family in Nigeria in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Nigeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nigeria
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | N/A (5.41) | N/A (9.46) | 0.45 (0.56)
4Q12 | N/A (5.10) | N/A (10.85) | 0.52 (0.33)
Norway
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Norway in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Norway
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 1.6 | 6.6
2Q12 | 1.9 | 7.0
3Q12 | 3.0 | 5.3
4Q12 | 2.2 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Norway and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.2 of every 1,000 computers scanned in Norway in 4Q12 (a CCM score of 2.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Norway over the last six quarters, compared to the world as a whole.
CCM infection trends in Norway and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, Norway]
Threat categories
Malware and potentially unwanted software categories in Norway in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Norway, Worldwide]
The most common category in Norway in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.4 percent of all computers with detections there, up from 28.9 percent in 3Q12. The second most common category in Norway in 4Q12 was Miscellaneous Trojans. It affected 25.8 percent of all computers with detections there, down from 28.0 percent in 3Q12. The third most common category in Norway in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 28.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Norway in 4Q12
% of computers with detections 13.1% 9.9% 8.5% 8.2% 8.1% 7.3% 5.4% 4.6% 4.1% 3.5%
The most common threat family in Norway in 4Q12 was Win32/Keygen, which affected 13.1 percent of computers with detections in Norway. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Norway in 4Q12 was Win32/DealPly, which affected 9.9 percent of computers with detections in Norway. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.
The third most common threat family in Norway in 4Q12 was JS/IframeRef, which affected 8.5 percent of computers with detections in Norway. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
The fourth most common threat family in Norway in 4Q12 was Win32/Hotbar, which affected 8.2 percent of computers with detections in Norway. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Norway
Metric | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide)
3Q12 | 2.97 (5.41) | 5.28 (9.46) | 0.27 (0.56)
4Q12 | 2.88 (5.10) | 5.67 (10.85) | 0.18 (0.33)
Oman
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Oman in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Oman
Metric | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM
1Q12 | 14.9 | 6.6
2Q12 | 16.2 | 7.0
3Q12 | 12.2 | 5.3
4Q12 | 13.4 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Oman and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 13.4 of every 1,000 computers scanned in Oman in 4Q12 (a CCM score of 13.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Oman over the last six quarters, compared to the world as a whole.
CCM infection trends in Oman and worldwide
[Figure: computers cleaned per 1,000 scanned (CCM), by quarter from 3Q11 to 4Q12; series: Worldwide, Oman]
Threat categories
Malware and potentially unwanted software categories in Oman in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections, by category; series: Oman, Worldwide]
The most common category in Oman in 4Q12 was Worms. It affected 46.8 percent of all computers with detections there, up from 33.0 percent in 3Q12. The second most common category in Oman in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.7 percent of all computers with detections there, up from 30.3 percent in 3Q12. The third most common category in Oman in 4Q12 was Miscellaneous Trojans, which affected 28.9 percent of all computers with detections there, up from 24.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Oman in 4Q12
% of computers with detections 22.5% 22.5% 15.2% 8.0% 6.9% 6.4% 5.8% 4.8% 4.6% 4.3%
The most common threat family in Oman in 4Q12 was Win32/Vobfus, which affected 22.5 percent of computers with detections in Oman. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
The second most common threat family in Oman in 4Q12 was INF/Autorun, which affected 22.5 percent of computers with detections in Oman. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Oman in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Oman. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Oman in 4Q12 was Win32/Sality, which affected 8.0 percent of computers with detections in Oman. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Microsoft Security Intelligence Report, Volume 14
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Oman
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.00 (0.56) | N/A (0.33) |
Pakistan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Pakistan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Pakistan
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 32.8 | 35.3 | 30.6 | 26.8 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Pakistan and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 26.8 of every 1,000 computers scanned in Pakistan in 4Q12 (a CCM score of 26.8, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Pakistan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Pakistan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Pakistan.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Pakistan in 4Q12, by percentage of computers reporting detections. Series: Pakistan, Worldwide.]
The most common category in Pakistan in 4Q12 was Worms. It affected 50.2 percent of all computers with detections there, up from 47.0 percent in 3Q12. The second most common category in Pakistan in 4Q12 was Viruses. It affected 44.2 percent of all computers with detections there, up from 42.1 percent in 3Q12. The third most common category in Pakistan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 42.0 percent of all computers with detections there, up from 37.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Pakistan in 4Q12
% of computers with detections 34.9% 27.5% 21.3% 18.1% 16.3% 16.2% 13.9% 11.0% 8.0% 7.1%
The most common threat family in Pakistan in 4Q12 was INF/Autorun, which affected 34.9 percent of computers with detections in Pakistan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Pakistan in 4Q12 was Win32/Sality, which affected 27.5 percent of computers with detections in Pakistan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Pakistan in 4Q12 was Win32/Ramnit, which affected 21.3 percent of computers with detections in Pakistan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The fourth most common threat family in Pakistan in 4Q12 was Win32/Keygen, which affected 18.1 percent of computers with detections in Pakistan. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Pakistan
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 17.60 (5.41) | 4.69 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 18.38 (9.46) | 16.03 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.64 (0.56) | 0.26 (0.33) |
Palestinian Authority
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Palestinian territories (West Bank and Gaza Strip) in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Palestinian territories
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 29.1 | 29.8 | 24.4 | 26.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Palestinian territories and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 26.2 of every 1,000 computers scanned in the Palestinian territories in 4Q12 (a CCM score of 26.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Palestinian territories over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the Palestinian territories and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Palestinian Authority.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the Palestinian territories in 4Q12, by percentage of computers reporting detections. Series: Palestinian Authority, Worldwide.]
The most common category in the Palestinian territories in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.2 percent of all computers with detections there, up from 36.8 percent in 3Q12. The second most common category in the Palestinian territories in 4Q12 was Worms. It affected 40.4 percent of all computers with detections there, up from 31.4 percent in 3Q12. The third most common category in the Palestinian territories in 4Q12 was Miscellaneous Trojans, which affected 39.8 percent of all computers with detections there, up from 31.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Palestinian territories in 4Q12
% of computers with detections 23.7% 22.9% 21.3% 13.3% 12.7% 11.1% 10.0% 8.9% 6.1% 5.9%
The most common threat family in the Palestinian territories in 4Q12 was Win32/Sality, which affected 23.7 percent of computers with detections in the Palestinian territories. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in the Palestinian territories in 4Q12 was Win32/Keygen, which affected 22.9 percent of computers with detections in the Palestinian territories. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the Palestinian territories in 4Q12 was INF/Autorun, which affected 21.3 percent of computers with detections in the Palestinian territories. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in the Palestinian territories in 4Q12 was Win32/CplLnk, which affected 13.3 percent of computers with detections in the Palestinian territories. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Palestinian territories
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.22 (0.56) | 0.02 (0.33) |
Panama
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Panama in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Panama
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 9.9 | 7.6 | 6.4 | 5.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Panama and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.7 of every 1,000 computers scanned in Panama in 4Q12 (a CCM score of 5.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Panama over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Panama and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Panama.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Panama in 4Q12, by percentage of computers reporting detections. Series: Panama, Worldwide.]
The most common category in Panama in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Panama in 4Q12 was Worms. It affected 35.6 percent of all computers with detections there, down from 36.9 percent in 3Q12. The third most common category in Panama in 4Q12 was Miscellaneous Trojans, which affected 24.6 percent of all computers with detections there, down from 25.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Panama in 4Q12
% of computers with detections 17.5% 14.3% 11.0% 10.1% 5.9% 5.2% 4.5% 3.9% 3.8% 3.7%
The most common threat family in Panama in 4Q12 was Win32/Dorkbot, which affected 17.5 percent of computers with detections in Panama. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Panama in 4Q12 was Win32/Keygen, which affected 14.3 percent of computers with detections in Panama. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Panama in 4Q12 was INF/Autorun, which affected 11.0 percent of computers with detections in Panama. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Panama in 4Q12 was Win32/Vobfus, which affected 10.1 percent of computers with detections in Panama. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Panama
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 9.50 (5.41) | 6.45 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 10.52 (9.46) | 8.82 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.29 (0.56) | 0.33 (0.33) |
Paraguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Paraguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Paraguay
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 6.1 | 4.9 | 5.8 | 4.9 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Paraguay and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 4.9 of every 1,000 computers scanned in Paraguay in 4Q12 (a CCM score of 4.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Paraguay over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Paraguay and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Paraguay.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Paraguay in 4Q12, by percentage of computers reporting detections. Series: Paraguay, Worldwide.]
The most common category in Paraguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Paraguay in 4Q12 was Worms. It affected 37.7 percent of all computers with detections there, up from 34.9 percent in 3Q12. The third most common category in Paraguay in 4Q12 was Miscellaneous Trojans, which affected 19.9 percent of all computers with detections there, down from 21.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Paraguay in 4Q12
% of computers with detections 21.2% 17.6% 11.3% 5.0% 4.8% 4.7% 4.0% 3.8% 3.6% 3.4%
The most common threat family in Paraguay in 4Q12 was Win32/Dorkbot, which affected 21.2 percent of computers with detections in Paraguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Paraguay in 4Q12 was Win32/Keygen, which affected 17.6 percent of computers with detections in Paraguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Paraguay in 4Q12 was INF/Autorun, which affected 11.3 percent of computers with detections in Paraguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Paraguay in 4Q12 was Win32/DealPly, which affected 5.0 percent of computers with detections in Paraguay. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Paraguay
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.01 (0.56) | 0.05 (0.33) |
Peru
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Peru in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Peru
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 10.7 | 10.3 | 9.6 | 8.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Peru and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 8.4 of every 1,000 computers scanned in Peru in 4Q12 (a CCM score of 8.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Peru over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Peru and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Peru.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Peru in 4Q12, by percentage of computers reporting detections. Series: Peru, Worldwide.]
The most common category in Peru in 4Q12 was Worms. It affected 45.1 percent of all computers with detections there, up from 43.0 percent in 3Q12. The second most common category in Peru in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.9 percent of all computers with detections there, up from 38.4 percent in 3Q12. The third most common category in Peru in 4Q12 was Miscellaneous Trojans, which affected 23.1 percent of all computers with detections there, down from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Peru in 4Q12
% of computers with detections 20.6% 19.6% 11.9% 11.3% 6.9% 6.0% 5.9% 5.0% 4.6% 4.5%
The most common threat family in Peru in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Peru. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Peru in 4Q12 was Win32/Dorkbot, which affected 19.6 percent of computers with detections in Peru. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Peru in 4Q12 was INF/Autorun, which affected 11.9 percent of computers with detections in Peru. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Peru in 4Q12 was Win32/Vobfus, which affected 11.3 percent of computers with detections in Peru. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Peru
| Metric | 3Q12 | 4Q12 |
| --- | --- | --- |
| Phishing sites per 1,000 hosts (Worldwide) | 14.89 (5.41) | 3.64 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 11.91 (9.46) | 16.55 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.02 (0.56) | 0.02 (0.33) |
Philippines
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Philippines in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Philippines
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
| --- | --- | --- | --- | --- |
| Computers cleaned per 1,000 MSRT executions (CCM) | 10.2 | 9.8 | 9.9 | 10.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Philippines and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 10.7 of every 1,000 computers scanned in the Philippines in 4Q12 (a CCM score of 10.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the Philippines over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the Philippines and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Philippines.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the Philippines in 4Q12, by percentage of computers reporting detections. Series: Philippines, Worldwide.]
The most common category in the Philippines in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.7 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in the Philippines in 4Q12 was Worms. It affected 41.5 percent of all computers with detections there, up from 40.8 percent in 3Q12. The third most common category in the Philippines in 4Q12 was Miscellaneous Trojans, which affected 30.4 percent of all computers with detections there, up from 30.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Philippines in 4Q12
% of computers with detections 19.0% 18.1% 15.9% 12.1% 9.5% 8.4% 7.9% 6.5% 6.3% 5.8%
The most common threat family in the Philippines in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in the Philippines. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in the Philippines in 4Q12 was Win32/Sality, which affected 18.1 percent of computers with detections in the Philippines. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in the Philippines in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in the Philippines. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in the Philippines in 4Q12 was Win32/Dorkbot, which affected 12.1 percent of computers with detections in the Philippines. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Philippines
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | 11.23 (5.41) | 13.18 (9.46) | 0.06 (0.56) |
| 4Q12 | 8.43 (5.10) | 11.88 (10.85) | 0.05 (0.33) |
Poland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Poland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Poland
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 9.0 | 6.6 |
| 2Q12 | 8.0 | 7.0 |
| 3Q12 | 7.8 | 5.3 |
| 4Q12 | 7.2 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Poland and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.2 of every 1,000 computers scanned in Poland in 4Q12 (a CCM score of 7.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Poland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Poland and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Poland.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Poland in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Poland, Worldwide.]
The most common category in Poland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.5 percent of all computers with detections there, down from 32.7 percent in 3Q12. The second most common category in Poland in 4Q12 was Miscellaneous Trojans. It affected 25.4 percent of all computers with detections there, up from 25.2 percent in 3Q12. The third most common category in Poland in 4Q12 was Worms, which affected 21.2 percent of all computers with detections there, down from 23.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Poland in 4Q12
% of computers with detections 10.6% 10.6% 8.4% 6.9% 6.4% 4.7% 4.6% 4.4% 4.3% 4.2%
The most common threat family in Poland in 4Q12 was Win32/DealPly, which affected 10.6 percent of computers with detections in Poland. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Poland in 4Q12 was Win32/Keygen, which affected 10.6 percent of computers with detections in Poland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Poland in 4Q12 was Win32/Pdfjsc, which affected 8.4 percent of computers with detections in Poland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Poland in 4Q12 was INF/Autorun, which affected 6.9 percent of computers with detections in Poland. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Poland
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | 5.51 (5.41) | 4.35 (9.46) | 0.38 (0.56) |
| 4Q12 | 4.21 (5.10) | 6.37 (10.85) | 0.52 (0.33) |
Portugal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Portugal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Portugal
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 6.4 | 6.6 |
| 2Q12 | 5.1 | 7.0 |
| 3Q12 | 3.8 | 5.3 |
| 4Q12 | 3.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Portugal and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.3 of every 1,000 computers scanned in Portugal in 4Q12 (a CCM score of 3.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Portugal over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Portugal and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Portugal.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Portugal in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Portugal, Worldwide.]
The most common category in Portugal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Portugal in 4Q12 was Miscellaneous Trojans. It affected 25.9 percent of all computers with detections there, down from 30.0 percent in 3Q12. The third most common category in Portugal in 4Q12 was Exploits, which affected 25.7 percent of all computers with detections there, up from 15.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Portugal in 4Q12
% of computers with detections 17.5% 15.7% 15.2% 9.3% 7.0% 6.0% 5.8% 5.5% 3.4% 3.4%
The most common threat family in Portugal in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Portugal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Portugal in 4Q12 was Win32/Pdfjsc, which affected 15.7 percent of computers with detections in Portugal. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Portugal in 4Q12 was Win32/DealPly, which affected 15.2 percent of computers with detections in Portugal. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Portugal in 4Q12 was Java/Blacole, which affected 9.3 percent of computers with detections in Portugal. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Portugal
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | 8.14 (5.41) | 6.94 (9.46) | 0.95 (0.56) |
| 4Q12 | 5.31 (5.10) | 6.51 (10.85) | 0.58 (0.33) |
Puerto Rico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Puerto Rico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Puerto Rico
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 6.7 | 6.6 |
| 2Q12 | 5.9 | 7.0 |
| 3Q12 | 4.9 | 5.3 |
| 4Q12 | 4.7 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Puerto Rico and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 4.7 of every 1,000 computers scanned in Puerto Rico in 4Q12 (a CCM score of 4.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Puerto Rico over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Puerto Rico and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Puerto Rico.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Puerto Rico in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Puerto Rico, Worldwide.]
The most common category in Puerto Rico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.7 percent of all computers with detections there, up from 27.2 percent in 3Q12. The second most common category in Puerto Rico in 4Q12 was Worms. It affected 32.6 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Puerto Rico in 4Q12 was Miscellaneous Trojans, which affected 24.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Puerto Rico in 4Q12
% of computers with detections 12.3% 11.4% 11.0% 8.3% 8.1% 7.6% 6.7% 4.1% 3.2% 3.2%
The most common threat family in Puerto Rico in 4Q12 was INF/Autorun, which affected 12.3 percent of computers with detections in Puerto Rico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Puerto Rico in 4Q12 was Win32/Vobfus, which affected 11.4 percent of computers with detections in Puerto Rico. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in Puerto Rico in 4Q12 was Win32/Keygen, which affected 11.0 percent of computers with detections in Puerto Rico. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Puerto Rico in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Puerto Rico. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Puerto Rico
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | 6.98 (5.41) | 9.51 (9.46) | 0.19 (0.56) |
| 4Q12 | 1.90 (5.10) | 13.95 (10.85) | 0.12 (0.33) |
Qatar
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Qatar in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Qatar
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 12.1 | 6.6 |
| 2Q12 | 11.6 | 7.0 |
| 3Q12 | 9.0 | 5.3 |
| 4Q12 | 8.6 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Qatar and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 8.6 of every 1,000 computers scanned in Qatar in 4Q12 (a CCM score of 8.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Qatar over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Qatar and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Qatar.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Qatar in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Qatar, Worldwide.]
The most common category in Qatar in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.5 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Qatar in 4Q12 was Worms. It affected 35.4 percent of all computers with detections there, up from 28.2 percent in 3Q12. The third most common category in Qatar in 4Q12 was Miscellaneous Trojans, which affected 30.0 percent of all computers with detections there, up from 24.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Qatar in 4Q12
% of computers with detections 15.8% 15.2% 7.6% 7.5% 7.4% 5.7% 5.7% 5.6% 4.2% 4.0%
The most common threat family in Qatar in 4Q12 was INF/Autorun, which affected 15.8 percent of computers with detections in Qatar. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Qatar in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Qatar. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Qatar in 4Q12 was Win32/Hotbar, which affected 7.6 percent of computers with detections in Qatar. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in Qatar in 4Q12 was Win32/Nuqel, which affected 7.5 percent of computers with detections in Qatar. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Qatar
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | N/A (5.41) | N/A (9.46) | N/A (0.56) |
| 4Q12 | N/A (5.10) | N/A (10.85) | N/A (0.33) |
Romania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Romania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Romania
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 14.9 | 6.6 |
| 2Q12 | 15.0 | 7.0 |
| 3Q12 | 12.9 | 5.3 |
| 4Q12 | 12.4 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Romania and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.4 of every 1,000 computers scanned in Romania in 4Q12 (a CCM score of 12.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Romania over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Romania and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Romania.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Romania in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Romania, Worldwide.]
The most common category in Romania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Romania in 4Q12 was Miscellaneous Trojans. It affected 30.1 percent of all computers with detections there, up from 29.3 percent in 3Q12. The third most common category in Romania in 4Q12 was Worms, which affected 22.1 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Romania in 4Q12
% of computers with detections 20.0% 12.7% 11.1% 5.8% 5.8% 5.5% 4.4% 3.9% 3.8% 3.2%
The most common threat family in Romania in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Romania. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Romania in 4Q12 was Win32/Sality, which affected 12.7 percent of computers with detections in Romania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Romania in 4Q12 was INF/Autorun, which affected 11.1 percent of computers with detections in Romania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Romania in 4Q12 was Win32/Conficker, which affected 5.8 percent of computers with detections in Romania. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Romania
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
| --- | --- | --- | --- |
| 3Q12 | 9.58 (5.41) | 13.93 (9.46) | 0.57 (0.56) |
| 4Q12 | 8.00 (5.10) | 16.50 (10.85) | 0.39 (0.33) |
Russia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Russia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Russia
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
| --- | --- | --- |
| 1Q12 | 6.2 | 6.6 |
| 2Q12 | 6.7 | 7.0 |
| 3Q12 | 5.5 | 5.3 |
| 4Q12 | 5.0 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Russia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.0 of every 1,000 computers scanned in Russia in 4Q12 (a CCM score of 5.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Russia over the last six quarters, compared to the world as a whole.
CCM infection trends in Russia and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Russia and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Russia in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Russia and worldwide]
The most common category in Russia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.0 percent of all computers with detections there, down from 52.3 percent in 3Q12. The second most common category in Russia in 4Q12 was Miscellaneous Trojans. It affected 37.1 percent of all computers with detections there, up from 36.6 percent in 3Q12. The third most common category in Russia in 4Q12 was Worms, which affected 17.5 percent of all computers with detections there, up from 15.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Russia in 4Q12
% of computers with detections 18.7% 11.5% 10.4% 7.9% 7.3% 6.9% 5.9% 5.3% 5.0% 4.7%
The most common threat family in Russia in 4Q12 was Win32/Keygen, which affected 18.7 percent of computers with detections in Russia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Russia in 4Q12 was Win32/Pameseg, which affected 11.5 percent of computers with detections in Russia. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Russia in 4Q12 was Win32/Obfuscator, which affected 10.4 percent of computers with detections in Russia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Russia in 4Q12 was JS/Redirector, which affected 7.9 percent of computers with detections in Russia. JS/Redirector is a detection for a class of JavaScript trojans that redirect users to unexpected websites, which may contain drive-by downloads.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Russia
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.06 (5.41) | 8.32 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 12.30 (9.46) | 15.87 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 1.10 (0.56) | 1.03 (0.33) |
Saudi Arabia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Saudi Arabia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Saudi Arabia
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 14.0 | 13.4 | 10.7 | 11.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Saudi Arabia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 11.4 of every 1,000 computers scanned in Saudi Arabia in 4Q12 (a CCM score of 11.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Saudi Arabia over the last six quarters, compared to the world as a whole.
CCM infection trends in Saudi Arabia and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Saudi Arabia and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Saudi Arabia in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Saudi Arabia and worldwide]
The most common category in Saudi Arabia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Saudi Arabia in 4Q12 was Miscellaneous Trojans. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in Saudi Arabia in 4Q12 was Worms, which affected 31.8 percent of all computers with detections there, up from 21.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Saudi Arabia in 4Q12
% of computers with detections 19.9% 14.4% 10.8% 7.4% 6.9% 6.7% 6.1% 4.0% 3.8% 3.5%
The most common threat family in Saudi Arabia in 4Q12 was Win32/Keygen, which affected 19.9 percent of computers with detections in Saudi Arabia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Saudi Arabia in 4Q12 was INF/Autorun, which affected 14.4 percent of computers with detections in Saudi Arabia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Saudi Arabia in 4Q12 was Win32/Sality, which affected 10.8 percent of computers with detections in Saudi Arabia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Saudi Arabia in 4Q12 was Win32/Ramnit, which affected 7.4 percent of computers with detections in Saudi Arabia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Saudi Arabia
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 20.02 (5.41) | 3.74 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 19.14 (9.46) | 13.86 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.01 (0.33) |
Senegal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Senegal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Senegal
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 11.5 | 9.7 | 8.5 | 9.2 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Senegal and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 9.2 of every 1,000 computers scanned in Senegal in 4Q12 (a CCM score of 9.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Senegal over the last six quarters, compared to the world as a whole.
CCM infection trends in Senegal and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Senegal and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Senegal in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Senegal and worldwide]
The most common category in Senegal in 4Q12 was Worms. It affected 45.3 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Senegal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.9 percent of all computers with detections there, up from 35.7 percent in 3Q12. The third most common category in Senegal in 4Q12 was Miscellaneous Trojans, which affected 27.7 percent of all computers with detections there, up from 26.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Senegal in 4Q12
% of computers with detections 27.6% 15.1% 13.0% 11.1% 11.1% 7.9% 6.4% 5.9% 5.3% 4.8%
The most common threat family in Senegal in 4Q12 was INF/Autorun, which affected 27.6 percent of computers with detections in Senegal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Senegal in 4Q12 was Win32/Sality, which affected 15.1 percent of computers with detections in Senegal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Senegal in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Senegal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Senegal in 4Q12 was Win32/Vobfus, which affected 11.1 percent of computers with detections in Senegal. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Senegal
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | 0.44 (0.33) |
Singapore
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Singapore in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Singapore
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 5.6 | 4.4 | 3.9 | 3.7 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Singapore and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.7 of every 1,000 computers scanned in Singapore in 4Q12 (a CCM score of 3.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Singapore over the last six quarters, compared to the world as a whole.
CCM infection trends in Singapore and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Singapore and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Singapore in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Singapore and worldwide]
The most common category in Singapore in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 28.4 percent in 3Q12. The second most common category in Singapore in 4Q12 was Miscellaneous Trojans. It affected 27.5 percent of all computers with detections there, up from 25.6 percent in 3Q12. The third most common category in Singapore in 4Q12 was Worms, which affected 23.4 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Singapore in 4Q12
% of computers with detections 14.6% 9.8% 9.2% 7.9% 6.2% 5.8% 4.6% 4.3% 4.0% 3.3%
The most common threat family in Singapore in 4Q12 was Win32/Keygen, which affected 14.6 percent of computers with detections in Singapore. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Singapore in 4Q12 was INF/Autorun, which affected 9.8 percent of computers with detections in Singapore. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Singapore in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Singapore. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Singapore in 4Q12 was Win32/Zwangi, which affected 7.9 percent of computers with detections in Singapore. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Singapore
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 6.05 (5.41) | 5.98 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 7.72 (9.46) | 9.76 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.76 (0.56) | 0.50 (0.33) |
Slovakia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovakia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovakia
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 3.4 | 3.0 | 2.8 | 2.6 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovakia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.6 of every 1,000 computers scanned in Slovakia in 4Q12 (a CCM score of 2.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Slovakia over the last six quarters, compared to the world as a whole.
CCM infection trends in Slovakia and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Slovakia and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Slovakia in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Slovakia and worldwide]
The most common category in Slovakia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.3 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Slovakia in 4Q12 was Miscellaneous Trojans. It affected 26.9 percent of all computers with detections there, down from 27.3 percent in 3Q12. The third most common category in Slovakia in 4Q12 was Adware, which affected 16.9 percent of all computers with detections there, down from 29.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Slovakia in 4Q12
% of computers with detections 23.1% 7.4% 7.1% 6.4% 5.8% 5.5% 4.8% 4.1% 3.9% 3.4%
The most common threat family in Slovakia in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Slovakia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovakia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Slovakia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovakia in 4Q12 was JS/IframeRef, which affected 7.1 percent of computers with detections in Slovakia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Slovakia in 4Q12 was Win32/Obfuscator, which affected 6.4 percent of computers with detections in Slovakia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovakia
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 2.83 (5.41) | 5.81 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 6.28 (9.46) | 8.01 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.16 (0.56) | 0.22 (0.33) |
Slovenia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovenia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovenia
| Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12 |
|---|---|---|---|---|
| Computers cleaned per 1,000 MSRT executions (CCM) | 4.2 | 4.0 | 4.3 | 3.4 |
| Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovenia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.4 of every 1,000 computers scanned in Slovenia in 4Q12 (a CCM score of 3.4, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Slovenia over the last six quarters, compared to the world as a whole.
CCM infection trends in Slovenia and worldwide
[Figure: line chart of computers cleaned per 1,000 scanned (CCM), Slovenia and worldwide, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Slovenia in 4Q12, by percentage of computers reporting detections
[Figure: bar chart of percent of computers reporting detections by category, Slovenia and worldwide]
The most common category in Slovenia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 37.9 percent in 3Q12. The second most common category in Slovenia in 4Q12 was Miscellaneous Trojans. It affected 27.1 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Slovenia in 4Q12 was Exploits, which affected 15.7 percent of all computers with detections there, up from 4.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Slovenia in 4Q12
% of computers with detections 23.0% 11.2% 6.5% 5.3% 5.2% 4.9% 4.8% 4.3% 3.9% 3.6%
The most common threat family in Slovenia in 4Q12 was Win32/Keygen, which affected 23.0 percent of computers with detections in Slovenia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovenia in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Slovenia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovenia in 4Q12 was Win32/Obfuscator, which affected 6.5 percent of computers with detections in Slovenia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Slovenia in 4Q12 was JS/IframeRef, which affected 5.3 percent of computers with detections in Slovenia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovenia
| Metric | 3Q12 | 4Q12 |
|---|---|---|
| Phishing sites per 1,000 hosts (Worldwide) | 4.02 (5.41) | 4.02 (5.10) |
| Malware hosting sites per 1,000 hosts (Worldwide) | 2.72 (9.46) | 4.02 (10.85) |
| Drive-by download per 1,000 URLs (Worldwide) | 0.69 (0.56) | 0.86 (0.33) |
South Africa
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in South Africa in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for South Africa
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    7.9     6.9     6.4     6.5
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in South Africa and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 6.5 of every 1,000 computers scanned in South Africa in 4Q12 (a CCM score of 6.5, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for South Africa over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in South Africa and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, South Africa.]
Microsoft Security Intelligence Report, Volume 14
Threat categories
[Figure: Malware and potentially unwanted software categories in South Africa in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: South Africa, Worldwide.]
The most common category in South Africa in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in South Africa in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.1 percent of all computers with detections there, up from 32.9 percent in 3Q12. The third most common category in South Africa in 4Q12 was Miscellaneous Trojans, which affected 26.8 percent of all computers with detections there, up from 26.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in South Africa in 4Q12
% of computers with detections 18.0% 12.9% 12.4% 6.7% 5.6% 5.5% 5.2% 5.2% 4.7% 4.7%
The most common threat family in South Africa in 4Q12 was INF/Autorun, which affected 18.0 percent of computers with detections in South Africa. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in South Africa in 4Q12 was Win32/Vobfus, which affected 12.9 percent of computers with detections in South Africa. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in South Africa in 4Q12 was Win32/Keygen, which affected 12.4 percent of computers with detections in South Africa. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in South Africa in 4Q12 was Win32/Rimecud, which affected 6.7 percent of computers with detections in South Africa. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for South Africa
Metric                                               3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)           8.26 (5.41)     8.98 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    12.18 (9.46)    13.68 (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.50 (0.56)     0.36 (0.33)
Spain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Spain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Spain
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    7.3     5.4     4.0     3.6
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Spain and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.6 of every 1,000 computers scanned in Spain in 4Q12 (a CCM score of 3.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Spain over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Spain and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Spain.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Spain in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Spain, Worldwide.]
The most common category in Spain in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 35.0 percent of all computers with detections there, up from 26.0 percent in 3Q12. The second most common category in Spain in 4Q12 was Adware. It affected 32.4 percent of all computers with detections there, down from 35.9 percent in 3Q12. The third most common category in Spain in 4Q12 was Miscellaneous Trojans, which affected 22.4 percent of all computers with detections there, down from 25.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Spain in 4Q12
% of computers with detections 17.2% 13.5% 7.9% 5.5% 5.5% 4.9% 4.8% 4.2% 4.0% 4.0%
The most common threat family in Spain in 4Q12 was Win32/DealPly, which affected 17.2 percent of computers with detections in Spain. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Spain in 4Q12 was Win32/Keygen, which affected 13.5 percent of computers with detections in Spain. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Spain in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Spain. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Spain in 4Q12 was ASX/Wimad, which affected 5.5 percent of computers with detections in Spain. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Spain
Metric                                               3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)           4.90 (5.41)     4.80 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    7.70 (9.46)     8.73 (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.86 (0.56)     0.23 (0.33)
Sri Lanka
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sri Lanka in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sri Lanka
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    10.5    10.0    9.9     8.2
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sri Lanka and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 8.2 of every 1,000 computers scanned in Sri Lanka in 4Q12 (a CCM score of 8.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Sri Lanka over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Sri Lanka and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Sri Lanka.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Sri Lanka in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Sri Lanka, Worldwide.]
The most common category in Sri Lanka in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.1 percent of all computers with detections there, up from 41.6 percent in 3Q12. The second most common category in Sri Lanka in 4Q12 was Worms. It affected 40.2 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Sri Lanka in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 30.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Sri Lanka in 4Q12
% of computers with detections 27.5% 22.1% 18.8% 13.1% 12.6% 11.4% 10.1% 9.1% 5.9% 4.9%
The most common threat family in Sri Lanka in 4Q12 was INF/Autorun, which affected 27.5 percent of computers with detections in Sri Lanka. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Sri Lanka in 4Q12 was Win32/Keygen, which affected 22.1 percent of computers with detections in Sri Lanka. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Sri Lanka in 4Q12 was Win32/Sality, which affected 18.8 percent of computers with detections in Sri Lanka. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Sri Lanka in 4Q12 was Win32/Ramnit, which affected 13.1 percent of computers with detections in Sri Lanka. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sri Lanka
Metric                                               3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)           N/A (5.41)      N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    N/A (9.46)      N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.01 (0.56)     0.06 (0.33)
Sweden
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sweden in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sweden
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    1.8     2.1     2.8     1.6
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sweden and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in Sweden in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Sweden over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Sweden and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Sweden.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Sweden in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Sweden, Worldwide.]
The most common category in Sweden in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, up from 27.7 percent in 3Q12. The second most common category in Sweden in 4Q12 was Miscellaneous Trojans. It affected 30.0 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Sweden in 4Q12 was Adware, which affected 25.4 percent of all computers with detections there, down from 27.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Sweden in 4Q12
% of computers with detections 14.5% 12.0% 10.5% 8.0% 7.2% 6.7% 5.3% 4.7% 4.6% 3.0%
The most common threat family in Sweden in 4Q12 was Win32/Keygen, which affected 14.5 percent of computers with detections in Sweden. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Sweden in 4Q12 was Win32/DealPly, which affected 12.0 percent of computers with detections in Sweden. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Sweden in 4Q12 was Win32/Pdfjsc, which affected 10.5 percent of computers with detections in Sweden. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Sweden in 4Q12 was JS/IframeRef, which affected 8.0 percent of computers with detections in Sweden. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sweden
Metric                                               3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)           3.24 (5.41)     2.77 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    5.08 (9.46)     5.36 (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.12 (0.56)     0.12 (0.33)
Switzerland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Switzerland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Switzerland
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    1.8     1.7     2.3     1.6
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Switzerland and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 1.6 of every 1,000 computers scanned in Switzerland in 4Q12 (a CCM score of 1.6, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Switzerland over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Switzerland and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Switzerland.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Switzerland in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Switzerland, Worldwide.]
The most common category in Switzerland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 25.1 percent in 3Q12. The second most common category in Switzerland in 4Q12 was Miscellaneous Trojans. It affected 27.6 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Switzerland in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 29.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Switzerland in 4Q12
% of computers with detections 12.2% 9.3% 7.7% 6.8% 6.4% 5.7% 5.4% 4.7% 4.2% 3.4%
The most common threat family in Switzerland in 4Q12 was Win32/Keygen, which affected 12.2 percent of computers with detections in Switzerland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Switzerland in 4Q12 was Win32/Pdfjsc, which affected 9.3 percent of computers with detections in Switzerland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Switzerland in 4Q12 was JS/IframeRef, which affected 7.7 percent of computers with detections in Switzerland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Switzerland in 4Q12 was Win32/DealPly, which affected 6.8 percent of computers with detections in Switzerland. Win32/DealPly is adware that displays offers related to the user’s web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Switzerland
Metric                                               3Q12            4Q12
Phishing sites per 1,000 hosts (Worldwide)           3.01 (5.41)     3.36 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide)    5.95 (9.46)     7.14 (10.85)
Drive-by download per 1,000 URLs (Worldwide)         0.33 (0.56)     0.36 (0.33)
Syria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Syria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Syria
Metric                                               1Q12    2Q12    3Q12    4Q12
Computers cleaned per 1,000 MSRT executions (CCM)    16.2    19.8    19.1    23.1
Worldwide average CCM                                6.6     7.0     5.3     6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Syria and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 23.1 of every 1,000 computers scanned in Syria in 4Q12 (a CCM score of 23.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Syria over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Syria and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: 3Q11 through 4Q12; series: Worldwide, Syria.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Syria in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Syria, Worldwide.]
The most common category in Syria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.4 percent of all computers with detections there, up from 37.8 percent in 3Q12. The second most common category in Syria in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 33.7 percent in 3Q12. The third most common category in Syria in 4Q12 was Miscellaneous Trojans, which affected 35.4 percent of all computers with detections there, up from 30.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Syria in 4Q12
% of computers with detections 26.1% 20.5% 18.9% 17.3% 13.3% 12.4% 9.1% 9.0% 6.4% 5.4%
The most common threat family in Syria in 4Q12 was Win32/Keygen, which affected 26.1 percent of computers with detections in Syria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Syria in 4Q12 was Win32/Sality, which affected 20.5 percent of computers with detections in Syria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Syria in 4Q12 was INF/Autorun, which affected 18.9 percent of computers with detections in Syria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Syria in 4Q12 was Win32/Ramnit, which affected 17.3 percent of computers with detections in Syria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Syria
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | N/A (5.41) | N/A (9.46) | 3.76 (0.56) |
| 4Q12 | N/A (5.10) | N/A (10.85) | 3.71 (0.33) |
Taiwan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Taiwan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Taiwan
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 6.9 | 6.6 |
| 2Q12 | 5.3 | 7.0 |
| 3Q12 | 4.8 | 5.3 |
| 4Q12 | 5.2 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Taiwan and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.2 of every 1,000 computers scanned in Taiwan in 4Q12 (a CCM score of 5.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Taiwan over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Taiwan and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Taiwan.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Taiwan in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Taiwan, Worldwide.]
The most common category in Taiwan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.4 percent of all computers with detections there, up from 40.2 percent in 3Q12. The second most common category in Taiwan in 4Q12 was Miscellaneous Trojans. It affected 32.9 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Taiwan in 4Q12 was Worms, which affected 21.0 percent of all computers with detections there, down from 21.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Taiwan in 4Q12
% of computers with detections 22.5% 12.1% 6.5% 6.0% 4.9% 4.9% 4.4% 4.0% 3.8% 3.6%
The most common threat family in Taiwan in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Taiwan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Taiwan in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Taiwan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Taiwan in 4Q12 was JS/IframeRef, which affected 6.5 percent of computers with detections in Taiwan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Taiwan in 4Q12 was Win32/Conficker, which affected 6.0 percent of computers with detections in Taiwan. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Taiwan
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | 2.96 (5.41) | 15.37 (9.46) | 0.39 (0.56) |
| 4Q12 | 3.30 (5.10) | 15.67 (10.85) | 0.33 (0.33) |
Tanzania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tanzania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tanzania
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 10.1 | 6.6 |
| 2Q12 | 9.8 | 7.0 |
| 3Q12 | 7.8 | 5.3 |
| 4Q12 | 7.3 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tanzania and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.3 of every 1,000 computers scanned in Tanzania in 4Q12 (a CCM score of 7.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Tanzania over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Tanzania and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Tanzania.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Tanzania in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Tanzania, Worldwide.]
The most common category in Tanzania in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, down from 41.8 percent in 3Q12. The second most common category in Tanzania in 4Q12 was Miscellaneous Trojans. It affected 38.3 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Tanzania in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.4 percent of all computers with detections there, up from 33.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Tanzania in 4Q12
% of computers with detections 19.6% 14.9% 13.8% 13.1% 11.3% 10.2% 9.9% 9.9% 8.6% 6.8%
The most common threat family in Tanzania in 4Q12 was INF/Autorun, which affected 19.6 percent of computers with detections in Tanzania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Tanzania in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Tanzania. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The third most common threat family in Tanzania in 4Q12 was Win32/Vobfus, which affected 13.8 percent of computers with detections in Tanzania. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Tanzania in 4Q12 was Win32/Sality, which affected 13.1 percent of computers with detections in Tanzania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tanzania
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | N/A (5.41) | N/A (9.46) | 1.97 (0.56) |
| 4Q12 | N/A (5.10) | N/A (10.85) | 0.66 (0.33) |
Thailand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Thailand in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Thailand
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 18.9 | 6.6 |
| 2Q12 | 17.3 | 7.0 |
| 3Q12 | 18.0 | 5.3 |
| 4Q12 | 21.0 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Thailand and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 21.0 of every 1,000 computers scanned in Thailand in 4Q12 (a CCM score of 21.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Thailand over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Thailand and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Thailand.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Thailand in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Thailand, Worldwide.]
The most common category in Thailand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.0 percent of all computers with detections there, up from 41.0 percent in 3Q12. The second most common category in Thailand in 4Q12 was Miscellaneous Trojans. It affected 37.0 percent of all computers with detections there, up from 36.8 percent in 3Q12. The third most common category in Thailand in 4Q12 was Worms, which affected 29.3 percent of all computers with detections there, down from 32.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Thailand in 4Q12
% of computers with detections 24.4% 17.0% 12.2% 8.0% 7.6% 6.7% 6.1% 5.6% 4.7% 4.7%
The most common threat family in Thailand in 4Q12 was Win32/Keygen, which affected 24.4 percent of computers with detections in Thailand. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Thailand in 4Q12 was Win32/Sality, which affected 17.0 percent of computers with detections in Thailand. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Thailand in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in Thailand. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Thailand in 4Q12 was Win32/Dorkbot, which affected 8.0 percent of computers with detections in Thailand. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Thailand
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | 13.59 (5.41) | 23.23 (9.46) | 1.79 (0.56) |
| 4Q12 | 11.23 (5.10) | 23.09 (10.85) | 0.66 (0.33) |
Trinidad and Tobago
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Trinidad and Tobago in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Trinidad and Tobago
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 8.5 | 6.6 |
| 2Q12 | 7.2 | 7.0 |
| 3Q12 | 5.8 | 5.3 |
| 4Q12 | 5.0 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Trinidad and Tobago and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.0 of every 1,000 computers scanned in Trinidad and Tobago in 4Q12 (a CCM score of 5.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Trinidad and Tobago over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Trinidad and Tobago and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Trinidad and Tobago.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Trinidad and Tobago in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Trinidad and Tobago, Worldwide.]
The most common category in Trinidad and Tobago in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Trinidad and Tobago in 4Q12 was Worms. It affected 31.1 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Trinidad and Tobago in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 32.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Trinidad and Tobago in 4Q12
% of computers with detections 14.6% 14.1% 13.2% 10.5% 9.6% 6.3% 4.9% 4.8% 4.1% 4.0%
The most common threat family in Trinidad and Tobago in 4Q12 was INF/Autorun, which affected 14.6 percent of computers with detections in Trinidad and Tobago. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Trinidad and Tobago in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in Trinidad and Tobago. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Trinidad and Tobago in 4Q12 was Win32/Hotbar, which affected 13.2 percent of computers with detections in Trinidad and Tobago. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Trinidad and Tobago in 4Q12 was Win32/Vobfus, which affected 10.5 percent of computers with detections in Trinidad and Tobago. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Trinidad and Tobago
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | N/A (5.41) | N/A (9.46) | N/A (0.56) |
| 4Q12 | N/A (5.10) | N/A (10.85) | N/A (0.33) |
Tunisia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tunisia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tunisia
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 15.3 | 6.6 |
| 2Q12 | 14.3 | 7.0 |
| 3Q12 | 10.9 | 5.3 |
| 4Q12 | 12.9 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tunisia and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 12.9 of every 1,000 computers scanned in Tunisia in 4Q12 (a CCM score of 12.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Tunisia over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Tunisia and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Tunisia.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Tunisia in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Tunisia, Worldwide.]
The most common category in Tunisia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.3 percent of all computers with detections there, up from 35.9 percent in 3Q12. The second most common category in Tunisia in 4Q12 was Worms. It affected 34.9 percent of all computers with detections there, up from 30.9 percent in 3Q12. The third most common category in Tunisia in 4Q12 was Miscellaneous Trojans, which affected 29.3 percent of all computers with detections there, up from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Tunisia in 4Q12
% of computers with detections 19.0% 19.0% 13.4% 11.5% 11.0% 10.9% 6.6% 6.4% 6.1% 5.7%
The most common threat family in Tunisia in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in Tunisia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Tunisia in 4Q12 was Win32/Keygen, which affected 19.0 percent of computers with detections in Tunisia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Tunisia in 4Q12 was Win32/Ramnit, which affected 13.4 percent of computers with detections in Tunisia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The fourth most common threat family in Tunisia in 4Q12 was Win32/Sality, which affected 11.5 percent of computers with detections in Tunisia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tunisia
| Quarter | Phishing sites per 1,000 hosts (Worldwide) | Malware hosting sites per 1,000 hosts (Worldwide) | Drive-by download per 1,000 URLs (Worldwide) |
|---|---|---|---|
| 3Q12 | 8.05 (5.41) | 15.37 (9.46) | 0.04 (0.56) |
| 4Q12 | 5.12 (5.10) | 10.25 (10.85) | 0.00 (0.33) |
Turkey
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Turkey in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Turkey
| Quarter | Computers cleaned per 1,000 MSRT executions (CCM) | Worldwide average CCM |
|---|---|---|
| 1Q12 | 31.9 | 6.6 |
| 2Q12 | 26.7 | 7.0 |
| 3Q12 | 20.9 | 5.3 |
| 4Q12 | 20.7 | 6.0 |
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Turkey and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 20.7 of every 1,000 computers scanned in Turkey in 4Q12 (a CCM score of 20.7, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Turkey over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Turkey and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Turkey.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Turkey in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Turkey, Worldwide.]
The most common category in Turkey in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.7 percent of all computers with detections there, up from 29.3 percent in 3Q12. The second most common category in Turkey in 4Q12 was Miscellaneous Trojans. It affected 34.7 percent of all computers with detections there, up from 33.6 percent in 3Q12. The third most common category in Turkey in 4Q12 was Worms, which affected 34.7 percent of all computers with detections there, up from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Turkey in 4Q12
% of computers with detections 15.0% 13.7% 12.0% 10.3% 7.9% 6.4% 6.1% 5.7% 5.1% 5.1%
The most common threat family in Turkey in 4Q12 was Win32/Keygen, which affected 15.0 percent of computers with detections in Turkey. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Turkey in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in Turkey. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Turkey in 4Q12 was Win32/Sality, which affected 12.0 percent of computers with detections in Turkey. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Turkey in 4Q12 was Win32/Helompy, which affected 10.3 percent of computers with detections in Turkey. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services.
Microsoft Security Intelligence Report, Volume 14
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Turkey
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 9.03 (5.41) | 7.77 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 13.35 (9.46) | 13.03 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.41 (0.56) | 0.46 (0.33)
Uganda
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uganda in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uganda
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 11.4 | 11.1 | 8.2 | 8.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uganda and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 8.2 of every 1,000 computers scanned in Uganda in 4Q12 (a CCM score of 8.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Uganda over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Uganda and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Uganda.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Uganda in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Uganda, Worldwide.]
The most common category in Uganda in 4Q12 was Worms. It affected 43.9 percent of all computers with detections there, down from 46.2 percent in 3Q12. The second most common category in Uganda in 4Q12 was Miscellaneous Trojans. It affected 39.3 percent of all computers with detections there, up from 34.8 percent in 3Q12. The third most common category in Uganda in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 33.9 percent of all computers with detections there, up from 33.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Uganda in 4Q12
% of computers with detections 20.0% 19.3% 14.3% 14.0% 11.5% 11.1% 10.0% 7.2% 6.8% 6.4%
The most common threat family in Uganda in 4Q12 was INF/Autorun, which affected 20.0 percent of computers with detections in Uganda. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Uganda in 4Q12 was Win32/Vobfus, which affected 19.3 percent of computers with detections in Uganda. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in Uganda in 4Q12 was Win32/Sality, which affected 14.3 percent of computers with detections in Uganda. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Uganda in 4Q12 was Win32/Ramnit, which affected 14.0 percent of computers with detections in Uganda. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uganda
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | N/A (5.41) | N/A (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | N/A (9.46) | N/A (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.35 (0.56) | 0.43 (0.33)
Ukraine
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ukraine in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ukraine
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 6.6 | 7.0 | 7.9 | 7.2
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ukraine and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 7.2 of every 1,000 computers scanned in Ukraine in 4Q12 (a CCM score of 7.2, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Ukraine over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Ukraine and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Ukraine.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Ukraine in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Ukraine, Worldwide.]
The most common category in Ukraine in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 51.6 percent of all computers with detections there, down from 54.3 percent in 3Q12. The second most common category in Ukraine in 4Q12 was Miscellaneous Trojans. It affected 43.5 percent of all computers with detections there, up from 38.9 percent in 3Q12. The third most common category in Ukraine in 4Q12 was Worms, which affected 20.6 percent of all computers with detections there, up from 17.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ukraine in 4Q12
% of computers with detections 22.5% 10.7% 10.5% 9.9% 9.3% 6.4% 5.5% 4.6% 4.6% 4.0%
The most common threat family in Ukraine in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Ukraine. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Ukraine in 4Q12 was Win32/Obfuscator, which affected 10.7 percent of computers with detections in Ukraine. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Ukraine in 4Q12 was Win32/Pameseg, which affected 10.5 percent of computers with detections in Ukraine. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The fourth most common threat family in Ukraine in 4Q12 was Win32/Dorkbot, which affected 9.9 percent of computers with detections in Ukraine. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ukraine
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 10.86 (5.41) | 13.11 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 15.82 (9.46) | 26.78 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.25 (0.56) | 0.78 (0.33)
United Arab Emirates
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United Arab Emirates in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United Arab Emirates
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 16.1 | 14.6 | 11.9 | 11.0
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Arab Emirates and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 11.0 of every 1,000 computers scanned in the United Arab Emirates in 4Q12 (a CCM score of 11.0, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United Arab Emirates over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the United Arab Emirates and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, United Arab Emirates.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the United Arab Emirates in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: United Arab Emirates, Worldwide.]
The most common category in the United Arab Emirates in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.0 percent of all computers with detections there, up from 29.6 percent in 3Q12. The second most common category in the United Arab Emirates in 4Q12 was Worms. It affected 34.5 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in the United Arab Emirates in 4Q12 was Miscellaneous Trojans, which affected 28.4 percent of all computers with detections there, up from 26.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United Arab Emirates in 4Q12
% of computers with detections 15.7% 14.0% 8.8% 7.7% 6.6% 5.0% 4.7% 4.7% 4.7% 4.1%
The most common threat family in the United Arab Emirates in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in the United Arab Emirates. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in the United Arab Emirates in 4Q12 was Win32/Keygen, which affected 14.0 percent of computers with detections in the United Arab Emirates. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the United Arab Emirates in 4Q12 was Win32/Sality, which affected 8.8 percent of computers with detections in the United Arab Emirates. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in the United Arab Emirates in 4Q12 was Win32/Nuqel, which affected 7.7 percent of computers with detections in the United Arab Emirates. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Arab Emirates
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 3.23 (5.41) | 2.47 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 8.54 (9.46) | 11.38 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.10 (0.56) | 0.09 (0.33)
United Kingdom
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United Kingdom in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United Kingdom
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 3.9 | 3.2 | 3.0 | 2.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Kingdom and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 2.3 of every 1,000 computers scanned in the United Kingdom in 4Q12 (a CCM score of 2.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United Kingdom over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the United Kingdom and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, United Kingdom.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the United Kingdom in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: United Kingdom, Worldwide.]
The most common category in the United Kingdom in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, up from 25.3 percent in 3Q12. The second most common category in the United Kingdom in 4Q12 was Miscellaneous Trojans. It affected 29.8 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in the United Kingdom in 4Q12 was Adware, which affected 23.9 percent of all computers with detections there, down from 28.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United Kingdom in 4Q12
% of computers with detections 11.3% 10.5% 10.2% 9.8% 8.0% 7.5% 6.9% 6.1% 4.4% 3.4%
The most common threat family in the United Kingdom in 4Q12 was Win32/Pdfjsc, which affected 11.3 percent of computers with detections in the United Kingdom. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in the United Kingdom in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in the United Kingdom. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the United Kingdom in 4Q12 was Java/Blacole, which affected 10.2 percent of computers with detections in the United Kingdom. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United Kingdom in 4Q12 was Win32/Hotbar, which affected 9.8 percent of computers with detections in the United Kingdom. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Kingdom
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.20 (5.41) | 6.47 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.12 (9.46) | 7.89 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.23 (0.56) | 0.19 (0.33)
United States
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United States in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United States
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 5.0 | 6.0 | 5.0 | 3.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United States and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.3 of every 1,000 computers scanned in the United States in 4Q12 (a CCM score of 3.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for the United States over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in the United States and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, United States.]
Threat categories
[Figure: Malware and potentially unwanted software categories in the United States in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: United States, Worldwide.]
The most common category in the United States in 4Q12 was Miscellaneous Trojans. It affected 43.9 percent of all computers with detections there, down from 45.3 percent in 3Q12. The second most common category in the United States in 4Q12 was Exploits. It affected 23.0 percent of all computers with detections there, up from 16.4 percent in 3Q12. The third most common category in the United States in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 28.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United States in 4Q12
% of computers with detections 13.8% 9.0% 8.8% 8.8% 6.4% 5.6% 5.0% 5.0% 4.5% 3.9%
The most common threat family in the United States in 4Q12 was JS/IframeRef, which affected 13.8 percent of computers with detections in the United States. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The second most common threat family in the United States in 4Q12 was Win32/Sirefef, which affected 9.0 percent of computers with detections in the United States. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others. The third most common threat family in the United States in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in the United States. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United States in 4Q12 was Win32/Pdfjsc, which affected 8.8 percent of computers with detections in the United States. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United States
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.07 (5.41) | 5.56 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 7.68 (9.46) | 9.82 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.31 (0.33)
Uruguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uruguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uruguay
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 4.3 | 4.0 | 3.9 | 3.1
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uruguay and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 3.1 of every 1,000 computers scanned in Uruguay in 4Q12 (a CCM score of 3.1, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Uruguay over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Uruguay and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 through 4Q12; series: Worldwide, Uruguay.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Uruguay in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Uruguay, Worldwide.]
The most common category in Uruguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.5 percent of all computers with detections there, up from 34.7 percent in 3Q12. The second most common category in Uruguay in 4Q12 was Miscellaneous Trojans. It affected 21.8 percent of all computers with detections there, down from 24.7 percent in 3Q12. The third most common category in Uruguay in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 21.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Uruguay in 4Q12
% of computers with detections 18.3% 8.2% 7.2% 6.1% 6.0% 5.2% 5.0% 4.5% 4.1% 3.9%
The most common threat family in Uruguay in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Uruguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Uruguay in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Uruguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Uruguay in 4Q12 was Win32/Dorkbot, which affected 7.2 percent of computers with detections in Uruguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The fourth most common threat family in Uruguay in 4Q12 was Win32/Obfuscator, which affected 6.1 percent of computers with detections in Uruguay. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uruguay
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 6.94 (5.41) | 1.73 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 9.54 (9.46) | 5.20 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | N/A (0.56) | N/A (0.33)
Venezuela
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Venezuela in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Venezuela
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 7.0 | 6.0 | 5.8 | 5.3
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Venezuela and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 5.3 of every 1,000 computers scanned in Venezuela in 4Q12 (a CCM score of 5.3, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Venezuela over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Venezuela and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Venezuela.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Venezuela in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Venezuela, Worldwide.]
The most common category in Venezuela in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 41.0 percent in 3Q12. The second most common category in Venezuela in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 37.8 percent in 3Q12. The third most common category in Venezuela in 4Q12 was Miscellaneous Trojans, which affected 24.0 percent of all computers with detections there, down from 25.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Venezuela in 4Q12
% of computers with detections 17.4% 15.4% 15.2% 9.0% 8.5% 7.3% 6.7% 5.2% 4.8% 4.2%
The most common threat family in Venezuela in 4Q12 was INF/Autorun, which affected 17.4 percent of computers with detections in Venezuela. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The second most common threat family in Venezuela in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Venezuela. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Venezuela in 4Q12 was Win32/Dorkbot, which affected 15.2 percent of computers with detections in Venezuela. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The fourth most common threat family in Venezuela in 4Q12 was Win32/Conficker, which affected 9.0 percent of computers with detections in Venezuela. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Venezuela
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 4.07 (5.41) | 4.07 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 25.15 (9.46) | 21.56 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 0.38 (0.56) | 0.04 (0.33)
Vietnam
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Vietnam in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Vietnam
Metric | 1Q12 | 2Q12 | 3Q12 | 4Q12
Computers cleaned per 1,000 MSRT executions (CCM) | 17.0 | 18.1 | 16.9 | 16.9
Worldwide average CCM | 6.6 | 7.0 | 5.3 | 6.0
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Vietnam and around the world, and for explanations of the methods and terms used here.
Infection trends (CCM)
The MSRT detected malware on 16.9 of every 1,000 computers scanned in Vietnam in 4Q12 (a CCM score of 16.9, compared to the 4Q12 worldwide average CCM of 6.0). The following figure shows the CCM trend for Vietnam over the last six quarters, compared to the world as a whole.
[Figure: CCM infection trends in Vietnam and worldwide. Y-axis: computers cleaned per 1,000 scanned (CCM); x-axis: quarters 3Q11 to 4Q12; series: Worldwide, Vietnam.]
Threat categories
[Figure: Malware and potentially unwanted software categories in Vietnam in 4Q12, by percentage of computers reporting detections. Y-axis: percent of computers reporting detections; series: Vietnam, Worldwide.]
The most common category in Vietnam in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 57.8 percent of all computers with detections there, up from 56.8 percent in 3Q12. The second most common category in Vietnam in 4Q12 was Miscellaneous Trojans. It affected 38.4 percent of all computers with detections there, up from 38.2 percent in 3Q12. The third most common category in Vietnam in 4Q12 was Worms, which affected 31.2 percent of all computers with detections there, up from 29.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Vietnam in 4Q12
% of computers with detections 33.8% 24.2% 20.3% 17.0% 15.4% 15.0% 11.6% 9.0% 8.1% 5.9%
The most common threat family in Vietnam in 4Q12 was Win32/Keygen, which affected 33.8 percent of computers with detections in Vietnam. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Vietnam in 4Q12 was Win32/Ramnit, which affected 24.2 percent of computers with detections in Vietnam. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
The third most common threat family in Vietnam in 4Q12 was Win32/CplLnk, which affected 20.3 percent of computers with detections in Vietnam. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
The fourth most common threat family in Vietnam in 4Q12 was INF/Autorun, which affected 17.0 percent of computers with detections in Vietnam. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Vietnam
Metric | 3Q12 | 4Q12
Phishing sites per 1,000 hosts (Worldwide) | 11.42 (5.41) | 7.76 (5.10)
Malware hosting sites per 1,000 hosts (Worldwide) | 20.32 (9.46) | 25.11 (10.85)
Drive-by download per 1,000 URLs (Worldwide) | 1.29 (0.56) | 0.52 (0.33)
One Microsoft Way Redmond, WA 98052-6399 microsoft.com/security