Historic High Infection Rates – The Threat Landscape in the Middle East

2015-10-21 17:40

I have written about the threat landscape in the Middle East extensively over the years. It’s been about 18 months since I published my last article on this part of the world and malware infection rates in some locations in the region have since risen to historic highs – far above the highest malware infection rates ever published in the Microsoft Security Intelligence Report. So I thought I’d take a fresh look at what has been happening in some locations in the Middle East.

If you are interested in some of the analysis and insights that we have published in the past, here are some of the most recent articles:

The Threat Landscape in the Middle East and Southwest Asia – Part 1: Relatively High Malware Infection Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 2: Relatively High Malware Encounter Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 3: Regional Anti-virus Software Usage
The Threat Landscape in the Middle East and Southwest Asia – Part 4: Regional Windows XP Market Share
Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates
Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 1: Egypt
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 2: Syria
The Threat Landscape in the Middle East – Part 3: Israel and Saudi Arabia

The malware infection rates (CCM) in the Middle East have typically been well above the worldwide average. The exception has tended to be Israel where the infection rate has closely mirrored the worldwide average during many time periods as seen in Figure 1.

Before I explore what happened in late 2013 and 2014 to drive infection rates significantly higher in all the locations listed in Figure 1, you might also be wondering about Qatar’s relatively high infection rate in the first quarter of 2011 (1Q11), which is visible in Figure 1. You can read about that in a previously published article: The Threat Landscape in the Middle East – Part 1: Qatar.

Figure 1: the malware infection rates (CCM) for Egypt, Iraq, Israel, Oman, the Palestinian Authority, Qatar, Saudi Arabia, Syria, the United Arab Emirates, and the worldwide average per quarter for the years 2011 through 2014

All of the locations listed in Figure 1 had malware infection rates above the worldwide average in all four quarters of 2014. There is a clear increase in the CCM in most of these locations starting in the fourth quarter of 2013 (4Q13) or the first quarter of 2014 (1Q14). Qatar and the United Arab Emirates (UAE) saw increases in CCM in 4Q13; Qatar’s CCM increased 2.4 times from 11.4 to 27.7, while the UAE’s CCM increased 2.8 times from 12.2 to 34.0. But then the CCM in both locations leveled out and decreased in the last half of 2014, as did the worldwide average. Several other locations that saw their CCMs increase in 4Q13 continued to see large CCM increases in the following quarter.

One of the largest infection rate increases was in Iraq. The CCM in Iraq increased from 31.3 in 4Q13 to 110.7 in 1Q14, a 3.5 times increase. Examining the threat families responsible for this very large increase leads us to two families: MSIL/Bladabindi and Win32/Jenxcus. Detection for Bladabindi was added to the Microsoft Windows Malicious Software Removal Tool (MSRT) in January of 2014. Subsequently, Bladabindi was found and removed from 27.9 systems for every 1,000 systems that the MSRT executed on in Iraq in 1Q14. Detection for Jenxcus was added to MSRT in February of 2014 and it was also a prevalent threat in the region, found and removed from 25.2 systems for every 1,000 systems that the MSRT executed on in Iraq during the same period. The sudden increase in detections of these two families is the primary reason for the infection rate increase in Iraq at the beginning of 2014 and the subsequent decrease over time as fewer and fewer systems were found to be infected with these two families of threats.

MSIL/Bladabindi can steal sensitive information and send it to a malicious hacker. This threat family can also download other malware and provide attackers with backdoor access on compromised systems. Variants of this family can spread via infected removable drives, such as USB flash drives. They can also be downloaded by other malware, or spread through malicious links and hacked websites. Bladabindi variants are usually installed with an enticing name and icon to trick people into running them.

Win32/Jenxcus uses social engineering to trick the victim into running a malicious script file that is commonly bundled with other programs. When the program bundle is executed Jenxcus runs silently in the background. Win32/Jenxcus also operates as a worm that detects whether the victim’s system has a removable drive connected to it. If it does, it copies itself onto that drive. It also creates a shortcut link pointing to its copy in the removable drive. Typically, this threat gets onto vulnerable systems via drive-by download attacks or via infected removable drives.

Beyond the CCM increase seen in Iraq, Figure 1 illustrates smaller but similar CCM increases for several other locations in the region including Egypt, Oman, Palestinian Authority (West Bank and Gaza Strip), Saudi Arabia, and Syria. Win32/Jenxcus was the primary threat family driving CCMs higher in the first quarter of 2014 in all of these locations except Syria.

In Syria Win32/Gamarue and Win32/Sality were responsible for driving the infection rate from a CCM of 34.0 in the fourth quarter of 2013 to 75.5 in the first quarter of 2014.

Besides Win32/Jenxcus, Sality also contributed to the infection rate increase in Egypt, where it has been a prevalent threat for some time. I’ve written about this before: Are Viruses Making a Comeback? Egypt’s CCM increased to 73.2 in the first quarter of 2014 from 27.6 the prior quarter, a 2.7 times increase.

Whereas infection rate (CCM) data comes from the Malicious Software Removal Tool, the encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware, or report detecting a specific threat or family, during a period. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. For example, the worldwide average encounter rate in the fourth quarter of 2014 (4Q14) was 15.9%. As seen in Figure 2, with the exception of Israel, several locations in the Middle East have significantly higher than average ERs. I can’t show you the ER for all the countries we have CCM data for, as we don’t have enough systems reporting ER data from some of the locations in the region during this period of time.
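As an added example (not from the original article and not Microsoft’s own tooling), the Python below computes the two metrics this article relies on, CCM and ER, over constructed telemetry, and ranks which families drove a quarter-over-quarter CCM increase, the same attribution step used above to trace Iraq’s 1Q14 jump to Bladabindi and Jenxcus. All execution counts, system names and report numbers are constructed sample values.

```python
from collections import Counter

# Constructed MSRT-style sample (not Microsoft data): executions per quarter and
# the families the tool removed from each system; one system can yield several.
MSRT_EXECUTIONS = {"4Q13": 20, "1Q14": 20}
MSRT_REMOVALS = {
    "4Q13": {"sys02": ["Win32/Sality"], "sys07": ["Win32/Jenxcus"]},
    "1Q14": {"sys02": ["Win32/Sality", "Win32/Jenxcus"],
             "sys03": ["MSIL/Bladabindi"], "sys05": ["Win32/Jenxcus"],
             "sys07": ["Win32/Jenxcus"], "sys09": ["Win32/Jenxcus"],
             "sys11": ["MSIL/Bladabindi"]},
}
# Constructed real-time protection telemetry: systems reporting in the quarter
# and how many of them reported blocking at least one threat.
RTP_REPORTS = {"4Q14": {"reporting": 400, "detecting": 64}}


def per_thousand(count, executions):
    """Normalise a count to 'per 1,000 MSRT executions'; no executions, no rate."""
    return None if executions == 0 else round(count * 1000 / executions, 1)


def ccm(quarter):
    """CCM: distinct systems cleaned per 1,000 MSRT executions in the quarter."""
    infected = len(MSRT_REMOVALS.get(quarter, {}))
    return per_thousand(infected, MSRT_EXECUTIONS.get(quarter, 0))


def family_ccm(quarter):
    """Per-family CCM: systems a family was removed from, per 1,000 executions."""
    hits = Counter()
    for families in MSRT_REMOVALS.get(quarter, {}).values():
        for fam in set(families):  # a system counts once per family
            hits[fam] += 1
    execs = MSRT_EXECUTIONS.get(quarter, 0)
    return {fam: per_thousand(n, execs) for fam, n in hits.items()}


def rank_drivers(before, after):
    """Families ordered by how much their CCM rose between two quarters."""
    old, new = family_ccm(before), family_ccm(after)
    deltas = {f: round(new.get(f, 0) - old.get(f, 0), 1) for f in set(old) | set(new)}
    return sorted(deltas.items(), key=lambda kv: (-kv[1], kv[0]))


def encounter_rate(quarter):
    """ER: percentage of real-time-protection systems reporting a detection."""
    r = RTP_REPORTS[quarter]
    return None if r["reporting"] == 0 else round(100 * r["detecting"] / r["reporting"], 1)
```

Note that CCM counts infections the cleaner actually removed (after compromise), while ER counts systems whose real-time protection blocked something, which is why the two series can move in different quarters as Figures 1 and 2 show.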

Figure 2: the encounter rates (ER) for Egypt, Iraq, Israel, Qatar, Saudi Arabia, the United Arab Emirates, and the worldwide average per quarter for the period between the 3rd quarter of 2013 through the 4th quarter of 2014

Notice how the ER increases in the third quarter of 2013 (3Q13), as opposed to the first quarter of 2014 where we saw large increases in infection rates in the region. A few threats were involved in this increase. In most of these locations Win32/Rotbrow, Win32/Brantall, INF/Autorun, and VBS/Jenxcus all contributed to higher ERs during this period of time.

Malware families that abuse the Autorun feature (Win32/Autorun) have been some of the most prevalent threats encountered in the region for many years. These threats typically spread via USB drives and other removable media. I theorize that this type of threat is encountered in the Middle East so much because Internet connectivity is inconsistent in some locations, likely due to higher than average strife in places like Syria, Egypt, and Iraq. Consequently, I postulate that people in these locations transfer files using removable media more often than in many other places, exposing more systems to Autorun attacks. It’s just an educated guess. I have written about this threat before: Defending Against Autorun Attacks.

Figure 3: Autorun infographic that shows how these worms can spread

A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form, like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results.

Figure 4: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2014 (4Q14), per 1,000 URLs in each country/region

Only Syria stands out with substantially higher concentrations of drive-by download sites in the region during 3Q13, 4Q13, and 4Q14.

Figure 5: Concentration of drive-by download URLs tracked by Bing in select locations in the Middle East on a reference date at the end of the associated quarter, expressed as the number of drive-by download URLs per every 1,000 URLs hosted in the country/region.

I asked Cyril Voisin, Microsoft’s Chief Security Advisor in the Middle East and Africa, who is based in the UAE, how people in the region should protect themselves. The following is what Cyril recommended.

Arabian Peninsula and North African countries were particularly affected by MSIL/Bladabindi and Win32/Jenxcus as these were part of attacks targeting Arabic speaking people, making them less suspicious as their language was used in order to lure them. For our larger MEA region, as well as for any other location in the world, I think the number 1 protection is the vigilance of users.

At the end of the day this boils down to:

  • Stay aware of risks and use your judgement as your best defense. And please spread the word by talking to your family and community members to increase their online safety. Anytime you are about to take any potentially harmful decision, reflect before you act and look for clues indicating phishing. Would this person really write to me in a foreign language to warn me about a picture where I look funny? Would this website confirm an order I did not make without calling me by my name? Would my bank require new urgent security information without notice? And of course everyone proposing to share their fortune with you only wants to get your money to build their own fortune… Finally beware of tech support phone scams where someone will call you directly and try to manipulate you over the phone, pretending for instance to be working for Microsoft support and asking you to install software on your machine, in order to take control of it.
  • Enforce basic hygiene. Again, this is not new, and at the risk of sounding like a broken record, I would like to remind everyone about the basics. If you want to skip that section, one recommendation though: upgrade to Windows 10 to benefit from all the security work that has been done to enhance your protection and automate some of the tasks below and beyond.
    • Keep everything up to date (all software on your PC, your tablet, your smartphone): that means applying updates for your system and applications, including browser, plug-ins, music software… as newer software is better for security.
    • Run an up-to-date antimalware solution and keep in mind that the presence of this security tool does not mean you can take inconsiderate risks.
    • Use a firewall
    • Choose good passwords where they are necessary. Hint: Windows Hello and Microsoft Passport are your friends.

I hope you found this analysis informative and useful. You can find the latest data on the locations I examined in this series and many others at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection


Source: blogs.microsoft.com/cybertrust/2015/10/21/historic-high-infection-rates-the-threat-landscape-
