July–December 2012
Table of Contents
Albania
Algeria
Angola
Argentina
Australia
Austria
Bahamas, The
Bahrain
Bangladesh
Belarus
Belgium
Bolivia
Brazil
Bulgaria
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
El Salvador
Estonia
Finland
France
Georgia
Germany
Greece
Guatemala
Honduras
Hong Kong S.A.R.
Hungary
Iceland
India
Indonesia
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jordan
Kazakhstan
Kenya
Korea
Kuwait
Latvia
Lebanon
Lithuania
Luxembourg
Macao S.A.R.
Malaysia
Malta
Mexico
Moldova
Morocco
Nepal
Netherlands
New Zealand
Nicaragua
Nigeria
Norway
Oman
Pakistan
Palestinian Authority
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia
Saudi Arabia
Senegal
Singapore
Slovakia
Slovenia
South Africa
Spain
Sri Lanka
Sweden
Switzerland
Syria
Taiwan
Tanzania
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States
Uruguay
Venezuela
Vietnam
Albania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Albania in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Albania
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Albania and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Albania by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Albania in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Albania and Worldwide]
The most common category in Albania in 4Q12 was Worms. It affected 48.1 percent of all computers with detections there, up from 47.8 percent in 3Q12. The second most common category in Albania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.2 percent of all computers with detections there, up from 38.8 percent in 3Q12. The third most common category in Albania in 4Q12 was Miscellaneous Trojans, which affected 23.9 percent of all computers with detections there, down from 24.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Albania in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 22.9% |
| 2 | Win32/Sality | Viruses | 17.4% |
| 3 | Win32/Helompy | Worms | 17.0% |
| 4 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.3% |
| 5 | Win32/Conficker | Worms | 11.6% |
| 6 | Win32/Rimecud | Misc. Trojans | 8.9% |
| 7 | Win32/Vobfus | Worms | 7.0% |
| 8 | Win32/Dorkbot | Worms | 5.2% |
| 9 | Win32/Hotbar | Adware | 5.0% |
| 10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.9% |
The most common threat family in Albania in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in Albania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Albania in 4Q12 was Win32/Sality, which affected 17.4 percent of computers with detections in Albania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Albania in 4Q12 was Win32/Helompy, which affected 17.0 percent of computers with detections in Albania. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services. The fourth most common threat family in Albania in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in Albania. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Albania
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Algeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Algeria in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Algeria
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Algeria and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Algeria by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Algeria in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Algeria and Worldwide]
The most common category in Algeria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.8 percent of all computers with detections there, up from 36.2 percent in 3Q12. The second most common category in Algeria in 4Q12 was Worms. It affected 41.0 percent of all computers with detections there, up from 34.8 percent in 3Q12. The third most common category in Algeria in 4Q12 was Miscellaneous Trojans, which affected 37.8 percent of all computers with detections there, up from 32.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Algeria in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.6% |
| 2 | Win32/Ramnit | Misc. Trojans | 20.3% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 19.3% |
| 4 | Win32/Sality | Viruses | 17.2% |
| 5 | Win32/CplLnk | Exploits | 14.2% |
| 6 | Win32/Vobfus | Worms | 12.5% |
| 7 | Win32/Dorkbot | Worms | 10.6% |
| 8 | Win32/Yeltminky | Worms | 6.1% |
| 9 | Win32/Virut | Viruses | 5.1% |
| 10 | Win32/Mabezat | Viruses | 4.9% |
The most common threat family in Algeria in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Algeria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Algeria in 4Q12 was Win32/Ramnit, which affected 20.3 percent of computers with detections in Algeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The third most common threat family in Algeria in 4Q12 was INF/Autorun, which affected 19.3 percent of computers with detections in Algeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Algeria in 4Q12 was Win32/Sality, which affected 17.2 percent of computers with detections in Algeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Algeria
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Angola
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Angola in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Angola
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Angola and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Angola by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Angola in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Angola and Worldwide]
The most common category in Angola in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, down from 42.7 percent in 3Q12. The second most common category in Angola in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, down from 31.4 percent in 3Q12. The third most common category in Angola in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, down from 24.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Angola in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Vobfus | Worms | 24.7% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.0% |
| 3 | Win32/DealPly | Adware | 13.0% |
| 4 | Win32/Ramnit | Misc. Trojans | 9.5% |
| 5 | Win32/CplLnk | Exploits | 7.5% |
| 6 | Win32/Keygen | Misc. Potentially Unwanted Software | 7.2% |
| 7 | Win32/Virut | Viruses | 6.7% |
| 8 | Win32/Dorkbot | Worms | 6.7% |
| 9 | Win32/Chir | Viruses | 6.2% |
| 10 | JS/IframeRef | Misc. Trojans | 4.2% |
The most common threat family in Angola in 4Q12 was Win32/Vobfus, which affected 24.7 percent of computers with detections in Angola. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Angola in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Angola. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Angola in 4Q12 was Win32/DealPly, which affected 13.0 percent of computers with detections in Angola. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Angola in 4Q12 was Win32/Ramnit, which affected 9.5 percent of computers with detections in Angola. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Angola
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Argentina
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Argentina in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Argentina
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Argentina and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12; series: Worldwide, Argentina]
Threat categories
Malware and potentially unwanted software categories in Argentina in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Argentina, Worldwide]
The most common category in Argentina in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, down from 33.0 percent in 3Q12. The second most common category in Argentina in 4Q12 was Adware. It affected 31.3 percent of all computers with detections there, up from 18.0 percent in 3Q12. The third most common category in Argentina in 4Q12 was Worms, which affected 29.0 percent of all computers with detections there, down from 32.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Argentina in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/DealPly | Adware | 25.3%
2 | Win32/Dorkbot | Worms | 14.7%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.3%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 8.5%
5 | Win32/Conficker | Worms | 5.6%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.9%
7 | ASX/Wimad | Trojan Downloaders & Droppers | 3.5%
8 | JS/IframeRef | Misc. Trojans | 3.3%
9 | Win32/Sality | Viruses | 3.0%
10 | Win32/OpenCandy | Adware | 2.9%
The most common threat family in Argentina in 4Q12 was Win32/DealPly, which affected 25.3 percent of computers with detections in Argentina. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
The second most common threat family in Argentina in 4Q12 was Win32/Dorkbot, which affected 14.7 percent of computers with detections in Argentina. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The third most common threat family in Argentina in 4Q12 was Win32/Keygen, which affected 12.3 percent of computers with detections in Argentina. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Argentina in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Argentina. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Argentina
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Australia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Australia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Australia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Australia and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12; series: Worldwide, Australia]
Threat categories
Malware and potentially unwanted software categories in Australia in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Australia, Worldwide]
The most common category in Australia in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, down from 35.4 percent in 3Q12. The second most common category in Australia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.0 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Australia in 4Q12 was Exploits, which affected 18.7 percent of all computers with detections there, up from 15.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Australia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.0%
2 | Win32/Pdfjsc | Exploits | 7.7%
3 | Java/Blacole | Exploits | 7.3%
4 | Win32/Sirefef | Misc. Trojans | 7.3%
5 | ASX/Wimad | Trojan Downloaders & Droppers | 6.8%
6 | JS/IframeRef | Misc. Trojans | 5.9%
7 | Win32/Hotbar | Adware | 5.8%
8 | Win32/Zbot | Password Stealers & Monitoring Tools | 5.6%
9 | JS/Medfos | Misc. Trojans | 4.2%
10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.2%
The most common threat family in Australia in 4Q12 was Win32/Keygen, which affected 12.0 percent of computers with detections in Australia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Australia in 4Q12 was Win32/Pdfjsc, which affected 7.7 percent of computers with detections in Australia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The third most common threat family in Australia in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Australia. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
The fourth most common threat family in Australia in 4Q12 was Win32/Sirefef, which affected 7.3 percent of computers with detections in Australia. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Australia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Austria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Austria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Austria
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Austria and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12; series: Worldwide, Austria]
Threat categories
Malware and potentially unwanted software categories in Austria in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Austria, Worldwide]
The most common category in Austria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.9 percent of all computers with detections there, up from 26.8 percent in 3Q12. The second most common category in Austria in 4Q12 was Miscellaneous Trojans. It affected 27.7 percent of all computers with detections there, down from 30.6 percent in 3Q12. The third most common category in Austria in 4Q12 was Exploits, which affected 25.0 percent of all computers with detections there, up from 19.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Austria in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Pdfjsc | Exploits | 14.1%
2 | Win32/DealPly | Adware | 13.5%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.4%
4 | Java/Blacole | Exploits | 10.7%
5 | JS/IframeRef | Misc. Trojans | 6.8%
6 | Win32/Reveton | Misc. Trojans | 5.2%
7 | Win32/OpenCandy | Adware | 3.9%
8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.2%
9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 2.9%
10 | Win32/Hotbar | Adware | 2.7%
The most common threat family in Austria in 4Q12 was Win32/Pdfjsc, which affected 14.1 percent of computers with detections in Austria. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The second most common threat family in Austria in 4Q12 was Win32/DealPly, which affected 13.5 percent of computers with detections in Austria. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
The third most common threat family in Austria in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Austria. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Austria in 4Q12 was Java/Blacole, which affected 10.7 percent of computers with detections in Austria. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Austria
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Bahamas, The
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Bahamas in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Bahamas
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Bahamas and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Bahamas in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Bahamas, The, Worldwide]
The most common category in the Bahamas in 4Q12 was Worms. It affected 34.7 percent of all computers with detections there, up from 31.9 percent in 3Q12. The second most common category in the Bahamas in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in the Bahamas in 4Q12 was Adware, which affected 26.7 percent of all computers with detections there, down from 31.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Bahamas in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Hotbar | Adware | 17.8%
2 | Win32/Zwangi | Misc. Potentially Unwanted Software | 15.3%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 12.2%
4 | Win32/Vobfus | Worms | 9.6%
5 | Win32/Dorkbot | Worms | 8.7%
6 | Win32/ClickPotato | Adware | 6.9%
7 | Win32/Keygen | Misc. Potentially Unwanted Software | 6.9%
8 | JS/IframeRef | Misc. Trojans | 6.1%
9 | Win32/Hamweq | Worms | 4.3%
10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.2%
The most common threat family in the Bahamas in 4Q12 was Win32/Hotbar, which affected 17.8 percent of computers with detections in the Bahamas. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity.
The second most common threat family in the Bahamas in 4Q12 was Win32/Zwangi, which affected 15.3 percent of computers with detections in the Bahamas. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
The third most common threat family in the Bahamas in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in the Bahamas. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in the Bahamas in 4Q12 was Win32/Vobfus, which affected 9.6 percent of computers with detections in the Bahamas. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Bahamas
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Bahrain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bahrain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bahrain
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bahrain and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12; series: Worldwide, Bahrain]
Threat categories
Malware and potentially unwanted software categories in Bahrain in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Bahrain, Worldwide]
The most common category in Bahrain in 4Q12 was Worms. It affected 43.7 percent of all computers with detections there, up from 33.4 percent in 3Q12. The second most common category in Bahrain in 4Q12 was Miscellaneous Trojans. It affected 34.9 percent of all computers with detections there, up from 27.6 percent in 3Q12. The third most common category in Bahrain in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.6 percent of all computers with detections there, up from 27.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bahrain in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Nuqel | Worms | 15.9%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.5%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.4%
4 | Win32/Dorkbot | Worms | 11.9%
5 | Win32/Patched | Misc. Trojans | 7.8%
6 | Win32/Sality | Viruses | 7.5%
7 | Win32/Vobfus | Worms | 6.0%
8 | Win32/CplLnk | Exploits | 5.9%
9 | Win32/Rimecud | Misc. Trojans | 5.5%
10 | Win32/Ramnit | Misc. Trojans | 5.4%
The most common threat family in Bahrain in 4Q12 was Win32/Nuqel, which affected 15.9 percent of computers with detections in Bahrain. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.
The second most common threat family in Bahrain in 4Q12 was INF/Autorun, which affected 15.5 percent of computers with detections in Bahrain. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Bahrain in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Bahrain. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Bahrain in 4Q12 was Win32/Dorkbot, which affected 11.9 percent of computers with detections in Bahrain. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bahrain
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Bangladesh
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bangladesh in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bangladesh
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bangladesh and around the world, and for explanations of the methods and terms used here.
[Figure: chart by quarter, 3Q11 through 4Q12; series: Worldwide, Bangladesh]
Threat categories
Malware and potentially unwanted software categories in Bangladesh in 4Q12, by percentage of computers reporting detections
[Figure: chart of threat categories; vertical axis: percent of computers reporting detections; series: Bangladesh, Worldwide]
The most common category in Bangladesh in 4Q12 was Miscellaneous Trojans. It affected 49.1 percent of all computers with detections there, up from 47.9 percent in 3Q12. The second most common category in Bangladesh in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.9 percent of all computers with detections there, up from 40.2 percent in 3Q12. The third most common category in Bangladesh in 4Q12 was Viruses, which affected 38.2 percent of all computers with detections there, down from 38.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bangladesh in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Ramnit | Misc. Trojans | 39.0%
2 | Win32/CplLnk | Exploits | 25.3%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 25.1%
4 | Win32/Keygen | Misc. Potentially Unwanted Software | 25.0%
5 | Win32/Sality | Viruses | 16.8%
6 | Win32/Conficker | Worms | 9.4%
7 | Win32/Virut | Viruses | 8.4%
8 | Win32/Rimecud | Misc. Trojans | 7.4%
9 | Win32/Dorkbot | Worms | 5.7%
10 | Win32/VB | Worms | 4.9%
The most common threat family in Bangladesh in 4Q12 was Win32/Ramnit, which affected 39.0 percent of computers with detections in Bangladesh. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
The second most common threat family in Bangladesh in 4Q12 was Win32/CplLnk, which affected 25.3 percent of computers with detections in Bangladesh. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
The third most common threat family in Bangladesh in 4Q12 was INF/Autorun, which affected 25.1 percent of computers with detections in Bangladesh. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Bangladesh in 4Q12 was Win32/Keygen, which affected 25.0 percent of computers with detections in Bangladesh. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bangladesh
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Belarus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belarus in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belarus
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belarus and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Belarus series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Belarus in 4Q12, by percentage of computers reporting detections. Series: Belarus, Worldwide.]
The most common category in Belarus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.5 percent of all computers with detections there, down from 53.9 percent in 3Q12. The second most common category in Belarus in 4Q12 was Miscellaneous Trojans. It affected 39.1 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Belarus in 4Q12 was Worms, which affected 18.5 percent of all computers with detections there, up from 15.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Belarus in 4Q12
# | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.2%
2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 12.9%
3 | Win32/Dorkbot | Worms | 10.9%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.8%
5 | Win32/Vundo | Misc. Trojans | 5.9%
6 | JS/IframeRef | Misc. Trojans | 5.4%
7 | Win32/Dynamer | Misc. Trojans | 4.7%
8 | JS/Redirector | Misc. Trojans | 4.4%
9 | INF/Autorun | Misc. Potentially Unwanted Software | 4.3%
10 | Win32/Ramnit | Misc. Trojans | 3.6%
The most common threat family in Belarus in 4Q12 was Win32/Keygen, which affected 23.2 percent of computers with detections in Belarus. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Belarus in 4Q12 was Win32/Pameseg, which affected 12.9 percent of computers with detections in Belarus. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs.
The third most common threat family in Belarus in 4Q12 was Win32/Dorkbot, which affected 10.9 percent of computers with detections in Belarus. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The fourth most common threat family in Belarus in 4Q12 was Win32/Obfuscator, which affected 8.8 percent of computers with detections in Belarus. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods,
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belarus
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Belgium
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Belgium in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Belgium
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Belgium and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Belgium series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Belgium in 4Q12, by percentage of computers reporting detections. Series: Belgium, Worldwide.]
The most common category in Belgium in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.4 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Belgium in 4Q12 was Adware. It affected 30.1 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Belgium in 4Q12 was Miscellaneous Trojans, which affected 28.2 percent of all computers with detections there, down from 30.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Belgium in 4Q12
# | Family | Most significant category | % of computers with detections
1 | Win32/DealPly | Adware | 16.5%
2 | Win32/Pdfjsc | Exploits | 13.8%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.5%
4 | Java/Blacole | Exploits | 9.2%
5 | JS/IframeRef | Misc. Trojans | 7.8%
6 | Win32/Hotbar | Adware | 7.3%
7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.7%
8 | Win32/Reveton | Misc. Trojans | 6.3%
9 | ASX/Wimad | Trojan Downloaders & Droppers | 5.9%
10 | Win32/Sirefef | Misc. Trojans | 3.7%
The most common threat family in Belgium in 4Q12 was Win32/DealPly, which affected 16.5 percent of computers with detections in Belgium. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
The second most common threat family in Belgium in 4Q12 was Win32/Pdfjsc, which affected 13.8 percent of computers with detections in Belgium. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The third most common threat family in Belgium in 4Q12 was Win32/Keygen, which affected 11.5 percent of computers with detections in Belgium. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Belgium in 4Q12 was Java/Blacole, which affected 9.2 percent of computers with detections in Belgium. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Belgium
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Bolivia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bolivia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bolivia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bolivia and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Bolivia series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bolivia in 4Q12, by percentage of computers reporting detections. Series: Bolivia, Worldwide.]
The most common category in Bolivia in 4Q12 was Worms. It affected 48.3 percent of all computers with detections there, up from 44.8 percent in 3Q12. The second most common category in Bolivia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.5 percent of all computers with detections there, up from 37.1 percent in 3Q12. The third most common category in Bolivia in 4Q12 was Miscellaneous Trojans, which affected 26.4 percent of all computers with detections there, down from 28.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bolivia in 4Q12
# | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 19.9%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.3%
3 | Win32/Sohanad | Worms | 15.1%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 14.2%
5 | Win32/Vobfus | Worms | 13.8%
6 | Win32/Sality | Viruses | 13.5%
7 | Win32/Conficker | Worms | 5.3%
8 | Win32/Nuqel | Worms | 5.0%
9 | Win32/Ramnit | Misc. Trojans | 4.1%
10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.6%
The most common threat family in Bolivia in 4Q12 was Win32/Dorkbot, which affected 19.9 percent of computers with detections in Bolivia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The second most common threat family in Bolivia in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Bolivia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Bolivia in 4Q12 was Win32/Sohanad, which affected 15.1 percent of computers with detections in Bolivia. Win32/Sohanad is a family of worms that may spread via removable or network drives and particular messenger applications. It may also modify a number of system settings and contact a remote host.
The fourth most common threat family in Bolivia in 4Q12 was INF/Autorun, which affected 14.2 percent of computers with detections in Bolivia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bolivia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Brazil
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Brazil in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Brazil
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Brazil and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Brazil series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Brazil in 4Q12, by percentage of computers reporting detections. Series: Brazil, Worldwide.]
The most common category in Brazil in 4Q12 was Adware. It affected 40.8 percent of all computers with detections there, up from 17.4 percent in 3Q12. The second most common category in Brazil in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.0 percent of all computers with detections there, down from 40.5 percent in 3Q12. The third most common category in Brazil in 4Q12 was Miscellaneous Trojans, which affected 17.1 percent of all computers with detections there, down from 23.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Brazil in 4Q12
# | Family | Most significant category | % of computers with detections
1 | Win32/DealPly | Adware | 36.6%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.0%
3 | Win32/Banload | Trojan Downloaders & Droppers | 8.2%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 7.1%
5 | Win32/Protlerdob | Misc. Potentially Unwanted Software | 6.0%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8%
7 | Win32/Bancos | Password Stealers & Monitoring Tools | 4.6%
8 | Win32/Sality | Viruses | 4.4%
9 | Win32/Conficker | Worms | 4.1%
10 | JS/IframeRef | Misc. Trojans | 3.8%
The most common threat family in Brazil in 4Q12 was Win32/DealPly, which affected 36.6 percent of computers with detections in Brazil. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
The second most common threat family in Brazil in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Brazil. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Brazil in 4Q12 was Win32/Banload, which affected 8.2 percent of computers with detections in Brazil. Win32/Banload is a family of trojans that download other malware. Banload usually downloads Win32/Banker, which steals banking credentials and other sensitive data and sends it back to a remote attacker.
The fourth most common threat family in Brazil in 4Q12 was INF/Autorun, which affected 7.1 percent of computers with detections in Brazil. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Brazil
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Bulgaria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Bulgaria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Bulgaria
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Bulgaria and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Bulgaria series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Bulgaria in 4Q12, by percentage of computers reporting detections. Series: Bulgaria, Worldwide.]
The most common category in Bulgaria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 42.4 percent in 3Q12. The second most common category in Bulgaria in 4Q12 was Miscellaneous Trojans. It affected 35.4 percent of all computers with detections there, up from 30.8 percent in 3Q12. The third most common category in Bulgaria in 4Q12 was Worms, which affected 26.0 percent of all computers with detections there, up from 19.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Bulgaria in 4Q12
# | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.2%
2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.7%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.6%
4 | Win32/Phorpiex | Worms | 5.8%
5 | Win32/Dorkbot | Worms | 5.8%
6 | Win32/Conficker | Worms | 5.4%
7 | JS/IframeRef | Misc. Trojans | 4.9%
8 | Win32/Bocinex | Misc. Trojans | 4.6%
9 | Win32/Meredrop | Misc. Trojans | 3.6%
10 | Win32/Sality | Viruses | 3.6%
The most common threat family in Bulgaria in 4Q12 was Win32/Keygen, which affected 26.2 percent of computers with detections in Bulgaria. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Bulgaria in 4Q12 was Win32/Obfuscator, which affected 6.7 percent of computers with detections in Bulgaria. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
The third most common threat family in Bulgaria in 4Q12 was INF/Autorun, which affected 6.6 percent of computers with detections in Bulgaria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Bulgaria in 4Q12 was Win32/Phorpiex, which affected 5.8 percent of computers with detections in Bulgaria. Win32/Phorpiex is a family of worms that spread via removable drives and instant messaging software. The worms also allow backdoor access and control.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Bulgaria
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Canada
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Canada in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Canada
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Canada and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Canada series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Canada in 4Q12, by percentage of computers reporting detections. Series: Canada, Worldwide.]
The most common category in Canada in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Canada in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.0 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Canada in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, down from 27.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Canada in 4Q12
# | Family | Most significant category | % of computers with detections
1 | JS/IframeRef | Misc. Trojans | 10.7%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0%
3 | Java/Blacole | Exploits | 8.8%
4 | Win32/Sirefef | Misc. Trojans | 8.7%
5 | Win32/Pdfjsc | Exploits | 7.6%
6 | Win32/DealPly | Adware | 6.7%
7 | Win32/Hotbar | Adware | 6.6%
8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.4%
9 | ASX/Wimad | Trojan Downloaders & Droppers | 6.2%
10 | Win32/OpenCandy | Adware | 3.6%
The most common threat family in Canada in 4Q12 was JS/IframeRef, which affected 10.7 percent of computers with detections in Canada. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
The second most common threat family in Canada in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Canada. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Canada in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in Canada. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
The fourth most common threat family in Canada in 4Q12 was Win32/Sirefef, which affected 8.7 percent of computers with detections in Canada. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Canada
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Chile
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Chile in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Chile
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Chile and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Chile series by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Chile in 4Q12, by percentage of computers reporting detections. Series: Chile, Worldwide.]
The most common category in Chile in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.2 percent of all computers with detections there, up from 33.1 percent in 3Q12. The second most common category in Chile in 4Q12 was Worms. It affected 36.6 percent of all computers with detections there, up from 33.8 percent in 3Q12. The third most common category in Chile in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 21.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Chile in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 21.4%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.6%
4 | Win32/Conficker | Worms | 5.4%
5 | Win32/OpenCandy | Adware | 4.6%
6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.7%
7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.5%
8 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.4%
9 | Win32/Brontok | Worms | 3.4%
10 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.4%
The most common threat family in Chile in 4Q12 was Win32/Dorkbot, which affected 21.4 percent of computers with detections in Chile. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The second most common threat family in Chile in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Chile. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Chile in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Chile. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Chile in 4Q12 was Win32/Conficker, which affected 5.4 percent of computers with detections in Chile. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Chile
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
China
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in China in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for China
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in China and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart comparing China with Worldwide by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in China in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, China compared with Worldwide]
The most common category in China in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.0 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in China in 4Q12 was Miscellaneous Trojans. It affected 32.1 percent of all computers with detections there, up from 28.4 percent in 3Q12. The third most common category in China in 4Q12 was Viruses, which affected 15.2 percent of all computers with detections there, up from 13.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in China in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.2%
2 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 12.5%
3 | Win32/PossibleHostsFileHijack | Misc. Potentially Unwanted Software | 6.8%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.6%
5 | X97M/Mailcab | Viruses | 4.8%
6 | JS/IframeRef | Misc. Trojans | 4.6%
7 | Win32/Agent | Trojan Downloaders & Droppers | 4.5%
8 | Win32/Conficker | Worms | 4.3%
9 | Win32/Nitol | Misc. Trojans | 3.5%
10 | Win32/Orsam | Misc. Trojans | 3.5%
The most common threat family in China in 4Q12 was Win32/Keygen, which affected 20.2 percent of computers with detections in China. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in China in 4Q12 was Win32/BaiduSobar, which affected 12.5 percent of computers with detections in China. Win32/BaiduSobar is a Chinese-language web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page.
The third most common threat family in China in 4Q12 was Win32/PossibleHostsFileHijack, which affected 6.8 percent of computers with detections in China. Win32/PossibleHostsFileHijack is an indicator that the computer's HOSTS file may have been modified by malicious or potentially unwanted software, which can cause access to certain Internet domains and websites to be redirected or denied.
The fourth most common threat family in China in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in China. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods,
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for China
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Colombia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Colombia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Colombia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Colombia and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart comparing Colombia with Worldwide by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Colombia in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, Colombia compared with Worldwide]
The most common category in Colombia in 4Q12 was Worms. It affected 41.8 percent of all computers with detections there, up from 40.7 percent in 3Q12. The second most common category in Colombia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.6 percent of all computers with detections there, up from 37.5 percent in 3Q12. The third most common category in Colombia in 4Q12 was Miscellaneous Trojans, which affected 21.9 percent of all computers with detections there, down from 24.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Colombia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 21.5%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.0%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 15.7%
4 | Win32/Conficker | Worms | 8.3%
5 | Win32/Sality | Viruses | 6.5%
6 | Win32/VBInject | Misc. Potentially Unwanted Software | 5.2%
7 | Win32/Silly_P2P | Trojan Downloaders & Droppers | 4.3%
8 | Win32/Vobfus | Worms | 4.2%
9 | Win32/OpenCandy | Adware | 3.9%
10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.8%
The most common threat family in Colombia in 4Q12 was Win32/Dorkbot, which affected 21.5 percent of computers with detections in Colombia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The second most common threat family in Colombia in 4Q12 was Win32/Keygen, which affected 18.0 percent of computers with detections in Colombia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Colombia in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in Colombia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Colombia in 4Q12 was Win32/Conficker, which affected 8.3 percent of computers with detections in Colombia. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Colombia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Costa Rica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Costa Rica in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Costa Rica
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Costa Rica and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Costa Rica in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, Costa Rica compared with Worldwide]
The most common category in Costa Rica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 36.6 percent in 3Q12. The second most common category in Costa Rica in 4Q12 was Worms. It affected 27.3 percent of all computers with detections there, down from 28.1 percent in 3Q12. The third most common category in Costa Rica in 4Q12 was Miscellaneous Trojans, which affected 23.2 percent of all computers with detections there, up from 22.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Costa Rica in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.7%
2 | Win32/Dorkbot | Worms | 13.7%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.5%
4 | Win32/OpenCandy | Adware | 5.2%
5 | Win32/Conficker | Worms | 4.5%
6 | JS/IframeRef | Misc. Trojans | 4.4%
7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.9%
8 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6%
9 | Win32/Rimecud | Misc. Trojans | 3.3%
10 | Win32/Sality | Viruses | 3.1%
The most common threat family in Costa Rica in 4Q12 was Win32/Keygen, which affected 21.7 percent of computers with detections in Costa Rica. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Costa Rica in 4Q12 was Win32/Dorkbot, which affected 13.7 percent of computers with detections in Costa Rica. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The third most common threat family in Costa Rica in 4Q12 was INF/Autorun, which affected 8.5 percent of computers with detections in Costa Rica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Costa Rica in 4Q12 was Win32/OpenCandy, which affected 5.2 percent of computers with detections in Costa Rica. Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions may send user-specific information, including a unique machine code, operating system information, locale, and certain other information to a remote server without obtaining adequate user consent.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Costa Rica
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Croatia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Croatia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Croatia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Croatia and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart comparing Croatia with Worldwide by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Croatia in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, Croatia compared with Worldwide]
The most common category in Croatia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.7 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Croatia in 4Q12 was Miscellaneous Trojans. It affected 29.3 percent of all computers with detections there, up from 26.7 percent in 3Q12. The third most common category in Croatia in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, down from 24.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Croatia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.2%
2 | Win32/Pdfjsc | Exploits | 7.4%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.7%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.6%
5 | JS/IframeRef | Misc. Trojans | 4.9%
6 | JS/BlacoleRef | Misc. Trojans | 4.8%
7 | Win32/Hotbar | Adware | 4.5%
8 | Win32/Rimecud | Misc. Trojans | 4.4%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.2%
10 | Win32/Conficker | Worms | 3.8%
The most common threat family in Croatia in 4Q12 was Win32/Keygen, which affected 19.2 percent of computers with detections in Croatia. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Croatia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Croatia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
The third most common threat family in Croatia in 4Q12 was INF/Autorun, which affected 6.7 percent of computers with detections in Croatia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Croatia in 4Q12 was Win32/Obfuscator, which affected 6.6 percent of computers with detections in Croatia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Croatia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Cyprus
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Cyprus in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Cyprus
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Cyprus and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart comparing Cyprus with Worldwide by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Cyprus in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, Cyprus compared with Worldwide]
The most common category in Cyprus in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 34.1 percent in 3Q12. The second most common category in Cyprus in 4Q12 was Worms. It affected 22.8 percent of all computers with detections there, up from 19.3 percent in 3Q12. The third most common category in Cyprus in 4Q12 was Miscellaneous Trojans, which affected 22.5 percent of all computers with detections there, up from 21.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Cyprus in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.8%
2 | Win32/Hotbar | Adware | 9.2%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.6%
4 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.5%
5 | Win32/Conficker | Worms | 4.8%
6 | Win32/Pdfjsc | Exploits | 4.5%
7 | JS/IframeRef | Misc. Trojans | 4.3%
8 | Win32/OpenCandy | Adware | 4.1%
9 | Win32/DealPly | Adware | 3.8%
10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.7%
The most common threat family in Cyprus in 4Q12 was Win32/Keygen, which affected 16.8 percent of computers with detections in Cyprus. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Cyprus in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Cyprus. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
The third most common threat family in Cyprus in 4Q12 was INF/Autorun, which affected 8.6 percent of computers with detections in Cyprus. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Cyprus in 4Q12 was Win32/Zwangi, which affected 7.5 percent of computers with detections in Cyprus. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Cyprus
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Czech Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Czech Republic in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Czech Republic
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Czech Republic and around the world, and for explanations of the methods and terms used here.
[Figure: trend chart by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Czech Republic in 4Q12, by percentage of computers reporting detections
[Figure: chart of percent of computers reporting detections by category, Czech Republic compared with Worldwide]
The most common category in the Czech Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.1 percent in 3Q12. The second most common category in the Czech Republic in 4Q12 was Miscellaneous Trojans. It affected 31.5 percent of all computers with detections there, up from 29.9 percent in 3Q12. The third most common category in the Czech Republic in 4Q12 was Exploits, which affected 16.4 percent of all computers with detections there, up from 7.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Czech Republic in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.7%
2 | JS/IframeRef | Misc. Trojans | 11.3%
3 | Win32/Pdfjsc | Exploits | 8.3%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.9%
5 | Win32/OpenCandy | Adware | 6.0%
6 | Java/Blacole | Exploits | 5.2%
7 | Win32/Dorkbot | Worms | 4.8%
8 | Win32/Sirefef | Misc. Trojans | 2.9%
9 | Win32/Reveton | Misc. Trojans | 2.9%
10 | Win32/Dynamer | Misc. Trojans | 2.8%
The most common threat family in the Czech Republic in 4Q12 was Win32/Keygen, which affected 23.7 percent of computers with detections in the Czech Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in the Czech Republic in 4Q12 was JS/IframeRef, which affected 11.3 percent of computers with detections in the Czech Republic. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in the Czech Republic in 4Q12 was Win32/Pdfjsc, which affected 8.3 percent of computers with detections in the Czech Republic. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in the Czech Republic in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in the Czech Republic. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Czech Republic
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Denmark
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Denmark in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Denmark
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Denmark and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Denmark, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Denmark in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, Denmark and Worldwide]
The most common category in Denmark in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.2 percent of all computers with detections there, up from 30.3 percent in 3Q12. The second most common category in Denmark in 4Q12 was Miscellaneous Trojans. It affected 30.4 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in Denmark in 4Q12 was Adware, which affected 24.9 percent of all computers with detections there, down from 29.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Denmark in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.8%
2 | Win32/DealPly | Adware | 11.8%
3 | JS/IframeRef | Misc. Trojans | 7.9%
4 | Win32/Pdfjsc | Exploits | 7.9%
5 | Win32/Hotbar | Adware | 7.8%
6 | Win32/Sirefef | Misc. Trojans | 7.8%
7 | Java/Blacole | Exploits | 5.0%
8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.8%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.3%
10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.2%
The most common threat family in Denmark in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in Denmark. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Denmark in 4Q12 was Win32/DealPly, which affected 11.8 percent of computers with detections in Denmark. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Denmark in 4Q12 was JS/IframeRef, which affected 7.9 percent of computers with detections in Denmark. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Denmark in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Denmark. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Denmark
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Dominican Republic
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Dominican Republic in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Dominican Republic
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Dominican Republic and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Dominican Republic in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, Dominican Republic and Worldwide]
The most common category in the Dominican Republic in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.5 percent of all computers with detections there, up from 38.4 percent in 3Q12. The second most common category in the Dominican Republic in 4Q12 was Worms. It affected 40.5 percent of all computers with detections there, up from 39.6 percent in 3Q12. The third most common category in the Dominican Republic in 4Q12 was Miscellaneous Trojans, which affected 26.2 percent of all computers with detections there, down from 27.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Dominican Republic in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Sality | Viruses | 24.0%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 22.1%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.1%
4 | Win32/Dorkbot | Worms | 10.6%
5 | Win32/Vobfus | Worms | 8.2%
6 | Win32/Brontok | Worms | 7.6%
7 | Win32/Pushbot | Worms | 6.1%
8 | Win32/Rimecud | Misc. Trojans | 4.8%
9 | Win32/Conficker | Worms | 4.6%
10 | Win32/Silly_P2P | Trojan Downloaders & Droppers | 4.4%
The most common threat family in the Dominican Republic in 4Q12 was Win32/Sality, which affected 24.0 percent of computers with detections in the Dominican Republic. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in the Dominican Republic in 4Q12 was INF/Autorun, which affected 22.1 percent of computers with detections in the Dominican Republic. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in the Dominican Republic in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in the Dominican Republic. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in the Dominican Republic in 4Q12 was Win32/Dorkbot, which affected 10.6 percent of computers with detections in the Dominican Republic. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Dominican Republic
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Ecuador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ecuador in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ecuador
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ecuador and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Ecuador, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Ecuador in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, Ecuador and Worldwide]
The most common category in Ecuador in 4Q12 was Worms. It affected 48.0 percent of all computers with detections there, up from 47.3 percent in 3Q12. The second most common category in Ecuador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.2 percent of all computers with detections there, up from 36.9 percent in 3Q12. The third most common category in Ecuador in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 26.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ecuador in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 26.3%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.8%
3 | Win32/Vobfus | Worms | 14.2%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 13.0%
5 | Win32/VBInject | Misc. Potentially Unwanted Software | 6.1%
6 | Win32/Sality | Viruses | 5.6%
7 | Win32/Conficker | Worms | 5.3%
8 | Win32/Ramnit | Misc. Trojans | 4.5%
9 | Win32/OpenCandy | Adware | 4.3%
10 | Win32/CplLnk | Exploits | 4.2%
The most common threat family in Ecuador in 4Q12 was Win32/Dorkbot, which affected 26.3 percent of computers with detections in Ecuador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Ecuador in 4Q12 was Win32/Keygen, which affected 17.8 percent of computers with detections in Ecuador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ecuador in 4Q12 was Win32/Vobfus, which affected 14.2 percent of computers with detections in Ecuador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Ecuador in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Ecuador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ecuador
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Egypt
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Egypt in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Egypt
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Egypt and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Egypt, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Egypt in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, Egypt and Worldwide]
The most common category in Egypt in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Egypt in 4Q12 was Worms. It affected 37.2 percent of all computers with detections there, up from 29.8 percent in 3Q12. The third most common category in Egypt in 4Q12 was Viruses, which affected 35.7 percent of all computers with detections there, up from 31.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Egypt in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Sality | Viruses | 29.3%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.6%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 21.7%
4 | Win32/Dorkbot | Worms | 9.5%
5 | Win32/Virut | Viruses | 8.7%
6 | Win32/Ramnit | Misc. Trojans | 7.4%
7 | Win32/Agent | Trojan Downloaders & Droppers | 6.0%
8 | Win32/Folstart | Worms | 5.9%
9 | Win32/Nuqel | Worms | 5.5%
10 | Win32/Patch | Misc. Potentially Unwanted Software | 5.0%
The most common threat family in Egypt in 4Q12 was Win32/Sality, which affected 29.3 percent of computers with detections in Egypt. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The second most common threat family in Egypt in 4Q12 was Win32/Keygen, which affected 26.6 percent of computers with detections in Egypt. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Egypt in 4Q12 was INF/Autorun, which affected 21.7 percent of computers with detections in Egypt. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Egypt in 4Q12 was Win32/Dorkbot, which affected 9.5 percent of computers with detections in Egypt. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Egypt
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
El Salvador
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in El Salvador in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for El Salvador
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in El Salvador and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and El Salvador, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in El Salvador in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, El Salvador and Worldwide]
The most common category in El Salvador in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.7 percent of all computers with detections there, up from 39.6 percent in 3Q12. The second most common category in El Salvador in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 39.7 percent in 3Q12. The third most common category in El Salvador in 4Q12 was Miscellaneous Trojans, which affected 22.2 percent of all computers with detections there, down from 23.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in El Salvador in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.0%
2 | Win32/Dorkbot | Worms | 20.1%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.7%
4 | Win32/Vobfus | Worms | 8.9%
5 | Win32/Conficker | Worms | 5.2%
6 | Win32/Brontok | Worms | 5.1%
7 | Win32/OpenCandy | Adware | 4.7%
8 | Win32/Sality | Viruses | 4.7%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.5%
10 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.5%
The most common threat family in El Salvador in 4Q12 was Win32/Keygen, which affected 21.0 percent of computers with detections in El Salvador. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in El Salvador in 4Q12 was Win32/Dorkbot, which affected 20.1 percent of computers with detections in El Salvador. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in El Salvador in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in El Salvador. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in El Salvador in 4Q12 was Win32/Vobfus, which affected 8.9 percent of computers with detections in El Salvador. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for El Salvador
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Estonia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Estonia in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Estonia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Estonia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Estonia, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Estonia in 4Q12, by percentage of computers reporting detections
[Figure: percent of computers reporting detections by category, Estonia and Worldwide]
The most common category in Estonia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.4 percent of all computers with detections there, up from 43.2 percent in 3Q12. The second most common category in Estonia in 4Q12 was Miscellaneous Trojans. It affected 27.4 percent of all computers with detections there, up from 24.7 percent in 3Q12. The third most common category in Estonia in 4Q12 was Adware, which affected 19.0 percent of all computers with detections there, down from 26.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Estonia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.7%
2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.4%
3 | Win32/Hotbar | Adware | 7.4%
4 | JS/IframeRef | Misc. Trojans | 7.0%
5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.9%
6 | ASX/Wimad | Trojan Downloaders & Droppers | 4.3%
7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.5%
8 | Win32/OpenCandy | Adware | 3.4%
9 | JS/BlacoleRef | Misc. Trojans | 3.3%
10 | Win32/Pameseg | Misc. Potentially Unwanted Software | 3.2%
The most common threat family in Estonia in 4Q12 was Win32/Keygen, which affected 22.7 percent of computers with detections in Estonia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Estonia in 4Q12 was Win32/Obfuscator, which affected 8.4 percent of computers with detections in Estonia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Estonia in 4Q12 was Win32/Hotbar, which affected 7.4 percent of computers with detections in Estonia. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in Estonia in 4Q12 was JS/IframeRef, which affected 7.0 percent of computers with detections in Estonia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Estonia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Finland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Finland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Finland
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Finland and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Finland and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Finland in 4Q12, by percentage of computers reporting detections (series: Finland, Worldwide)]
The most common category in Finland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.3 percent of all computers with detections there, up from 28.8 percent in 3Q12. The second most common category in Finland in 4Q12 was Miscellaneous Trojans. It affected 26.6 percent of all computers with detections there, up from 24.3 percent in 3Q12. The third most common category in Finland in 4Q12 was Exploits, which affected 24.6 percent of all computers with detections there, up from 18.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Finland in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.4% |
| 2 | Win32/Pdfjsc | Exploits | 10.9% |
| 3 | Java/Blacole | Exploits | 10.5% |
| 4 | Win32/Hotbar | Adware | 8.3% |
| 5 | Win32/DealPly | Adware | 7.6% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.4% |
| 7 | Win32/Reveton | Misc. Trojans | 5.9% |
| 8 | JS/IframeRef | Misc. Trojans | 5.8% |
| 9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.8% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6% |
The most common threat family in Finland in 4Q12 was Win32/Keygen, which affected 13.4 percent of computers with detections in Finland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Finland in 4Q12 was Win32/Pdfjsc, which affected 10.9 percent of computers with detections in Finland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Finland in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in Finland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Finland in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Finland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Finland
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
France
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in France in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for France
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in France and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), France and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in France in 4Q12, by percentage of computers reporting detections (series: France, Worldwide)]
The most common category in France in 4Q12 was Adware. It affected 41.1 percent of all computers with detections there, up from 41.1 percent in 3Q12. The second most common category in France in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.1 percent of all computers with detections there, up from 27.0 percent in 3Q12. The third most common category in France in 4Q12 was Miscellaneous Trojans, which affected 20.0 percent of all computers with detections there, down from 22.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in France in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/DealPly | Adware | 19.8% |
| 2 | Win32/Zwangi | Misc. Potentially Unwanted Software | 11.9% |
| 3 | Win32/Hotbar | Adware | 11.0% |
| 4 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.5% |
| 5 | Win32/Pdfjsc | Exploits | 5.2% |
| 6 | ASX/Wimad | Trojan Downloaders & Droppers | 4.7% |
| 7 | JS/IframeRef | Misc. Trojans | 4.2% |
| 8 | Win32/ClickPotato | Adware | 4.0% |
| 9 | Win32/OpenCandy | Adware | 3.9% |
| 10 | Java/Blacole | Exploits | 3.8% |
The most common threat family in France in 4Q12 was Win32/DealPly, which affected 19.8 percent of computers with detections in France. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in France in 4Q12 was Win32/Zwangi, which affected 11.9 percent of computers with detections in France. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The third most common threat family in France in 4Q12 was Win32/Hotbar, which affected 11.0 percent of computers with detections in France. Win32/Hotbar is adware that displays a dynamic toolbar and targeted popup ads based on its monitoring of web-browsing activity. The fourth most common threat family in France in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in France. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for France
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Georgia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Georgia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Georgia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Georgia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Georgia and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Georgia in 4Q12, by percentage of computers reporting detections (series: Georgia, Worldwide)]
The most common category in Georgia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.0 percent of all computers with detections there, up from 43.6 percent in 3Q12. The second most common category in Georgia in 4Q12 was Worms. It affected 43.3 percent of all computers with detections there, up from 39.8 percent in 3Q12. The third most common category in Georgia in 4Q12 was Miscellaneous Trojans, which affected 33.1 percent of all computers with detections there, down from 35.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Georgia in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5% |
| 2 | Win32/Dorkbot | Worms | 13.2% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.0% |
| 4 | JS/IframeRef | Misc. Trojans | 11.1% |
| 5 | Win32/Sality | Viruses | 9.7% |
| 6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 9.1% |
| 7 | Win32/Brontok | Worms | 7.1% |
| 8 | Win32/Verst | Worms | 6.1% |
| 9 | Win32/Phorpiex | Worms | 5.7% |
| 10 | Win32/Sohanad | Worms | 5.0% |
The most common threat family in Georgia in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Georgia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Georgia in 4Q12 was Win32/Dorkbot, which affected 13.2 percent of computers with detections in Georgia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Georgia in 4Q12 was INF/Autorun, which affected 13.0 percent of computers with detections in Georgia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Georgia in 4Q12 was JS/IframeRef, which affected 11.1 percent of computers with detections in Georgia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Georgia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Germany
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Germany in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Germany
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Germany and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Germany and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Germany in 4Q12, by percentage of computers reporting detections (series: Germany, Worldwide)]
The most common category in Germany in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 29.2 percent of all computers with detections there, up from 24.5 percent in 3Q12. The second most common category in Germany in 4Q12 was Miscellaneous Trojans. It affected 27.2 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in Germany in 4Q12 was Exploits, which affected 27.0 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Germany in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Pdfjsc | Exploits | 14.4% |
| 2 | Java/Blacole | Exploits | 12.3% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.6% |
| 4 | Win32/DealPly | Adware | 9.7% |
| 5 | Win32/Sirefef | Misc. Trojans | 5.4% |
| 6 | JS/IframeRef | Misc. Trojans | 5.3% |
| 7 | Win32/OpenCandy | Adware | 4.7% |
| 8 | Win32/Reveton | Misc. Trojans | 4.2% |
| 9 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.1% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.7% |
The most common threat family in Germany in 4Q12 was Win32/Pdfjsc, which affected 14.4 percent of computers with detections in Germany. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Germany in 4Q12 was Java/Blacole, which affected 12.3 percent of computers with detections in Germany. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The third most common threat family in Germany in 4Q12 was Win32/Keygen, which affected 11.6 percent of computers with detections in Germany. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Germany in 4Q12 was Win32/DealPly, which affected 9.7 percent of computers with detections in Germany. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Germany
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Greece
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Greece in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Greece
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Greece and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Greece and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Greece in 4Q12, by percentage of computers reporting detections (series: Greece, Worldwide)]
The most common category in Greece in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 32.6 percent in 3Q12. The second most common category in Greece in 4Q12 was Miscellaneous Trojans. It affected 27.0 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Greece in 4Q12 was Exploits, which affected 22.1 percent of all computers with detections there, up from 13.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Greece in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.1% |
| 2 | Win32/Pdfjsc | Exploits | 11.2% |
| 3 | Java/Blacole | Exploits | 10.0% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 8.3% |
| 5 | JS/IframeRef | Misc. Trojans | 5.8% |
| 6 | Win32/DealPly | Adware | 5.8% |
| 7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.4% |
| 8 | Win32/Reveton | Misc. Trojans | 4.9% |
| 9 | Win32/Hotbar | Adware | 4.9% |
| 10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.3% |
The most common threat family in Greece in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Greece. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Greece in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Greece. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Greece in 4Q12 was Java/Blacole, which affected 10.0 percent of computers with detections in Greece. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Greece in 4Q12 was INF/Autorun, which affected 8.3 percent of computers with detections in Greece. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Greece
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Guatemala
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Guatemala in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Guatemala
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Guatemala and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Guatemala and worldwide, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Guatemala in 4Q12, by percentage of computers reporting detections (series: Guatemala, Worldwide)]
The most common category in Guatemala in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.0 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Guatemala in 4Q12 was Worms. It affected 39.6 percent of all computers with detections there, down from 42.4 percent in 3Q12. The third most common category in Guatemala in 4Q12 was Miscellaneous Trojans, which affected 22.9 percent of all computers with detections there, down from 23.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Guatemala in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Dorkbot | Worms | 18.1% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.7% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 13.6% |
| 4 | Win32/Vobfus | Worms | 11.5% |
| 5 | Win32/Sality | Viruses | 5.7% |
| 6 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.2% |
| 7 | Win32/Conficker | Worms | 4.2% |
| 8 | Win32/OpenCandy | Adware | 4.0% |
| 9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6% |
| 10 | Win32/Brontok | Worms | 3.2% |
The most common threat family in Guatemala in 4Q12 was Win32/Dorkbot, which affected 18.1 percent of computers with detections in Guatemala. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Guatemala in 4Q12 was Win32/Keygen, which affected 17.7 percent of computers with detections in Guatemala. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Guatemala in 4Q12 was INF/Autorun, which affected 13.6 percent of computers with detections in Guatemala. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Guatemala in 4Q12 was Win32/Vobfus, which affected 11.5 percent of computers with detections in Guatemala. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Guatemala
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Honduras
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Honduras in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Honduras
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Honduras and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Honduras]
Threat categories
Malware and potentially unwanted software categories in Honduras in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category; series: Honduras, Worldwide]
The most common category in Honduras in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.8 percent of all computers with detections there, up from 39.3 percent in 3Q12. The second most common category in Honduras in 4Q12 was Worms. It affected 42.1 percent of all computers with detections there, up from 42.0 percent in 3Q12. The third most common category in Honduras in 4Q12 was Miscellaneous Trojans, which affected 22.0 percent of all computers with detections there, down from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Honduras in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.0%
2 | Win32/Dorkbot | Worms | 16.4%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 14.8%
4 | Win32/Vobfus | Worms | 14.6%
5 | Win32/Nuqel | Worms | 8.1%
6 | Win32/Conficker | Worms | 4.9%
7 | Win32/Sality | Viruses | 4.8%
8 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.4%
9 | Win32/OpenCandy | Adware | 4.0%
10 | JS/IframeRef | Misc. Trojans | 3.4%
The most common threat family in Honduras in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Honduras. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Honduras in 4Q12 was Win32/Dorkbot, which affected 16.4 percent of computers with detections in Honduras. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Honduras in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Honduras. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Honduras in 4Q12 was Win32/Vobfus, which affected 14.6 percent of computers with detections in Honduras. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Honduras
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hong Kong S.A.R. and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Hong Kong S.A.R. in 4Q12, by percentage of computers reporting detections
The most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 42.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Hong Kong S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 29.5 percent of all computers with detections there, up from 26.9 percent in 3Q12. The third most common category in Hong Kong S.A.R. in 4Q12 was Worms, which affected 14.4 percent of all computers with detections there, down from 14.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Hong Kong S.A.R. in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5%
2 | JS/IframeRef | Misc. Trojans | 6.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 6.8%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8%
5 | ASX/Wimad | Trojan Downloaders & Droppers | 3.3%
6 | Win32/DealPly | Adware | 3.0%
7 | Win32/Injector | Misc. Potentially Unwanted Software | 3.0%
8 | Win32/OpenCandy | Adware | 2.9%
9 | Win32/Taterf | Worms | 2.7%
10 | Win32/Conficker | Worms | 2.7%
The most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Hong Kong S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Hong Kong S.A.R. in 4Q12 was JS/IframeRef, which affected 6.9 percent of computers with detections in Hong Kong S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Hong Kong S.A.R. in 4Q12 was INF/Autorun, which affected 6.8 percent of computers with detections in Hong Kong S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Hong Kong S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.8 percent of computers with detections in Hong Kong S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hong Kong S.A.R.
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Hungary
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Hungary in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Hungary
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Hungary and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Hungary]
Threat categories
Malware and potentially unwanted software categories in Hungary in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category; series: Hungary, Worldwide]
The most common category in Hungary in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.4 percent of all computers with detections there, up from 39.0 percent in 3Q12. The second most common category in Hungary in 4Q12 was Miscellaneous Trojans. It affected 25.2 percent of all computers with detections there, down from 26.4 percent in 3Q12. The third most common category in Hungary in 4Q12 was Worms, which affected 18.0 percent of all computers with detections there, up from 17.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Hungary in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.4%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 6.5%
3 | Win32/Pdfjsc | Exploits | 6.5%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.0%
5 | JS/IframeRef | Misc. Trojans | 5.7%
6 | Win32/Hotbar | Adware | 5.2%
7 | Win32/Conficker | Worms | 4.8%
8 | Java/Blacole | Exploits | 3.8%
9 | Win32/Sality | Viruses | 3.6%
10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.2%
The most common threat family in Hungary in 4Q12 was Win32/Keygen, which affected 23.4 percent of computers with detections in Hungary. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Hungary in 4Q12 was INF/Autorun, which affected 6.5 percent of computers with detections in Hungary. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Hungary in 4Q12 was Win32/Pdfjsc, which affected 6.5 percent of computers with detections in Hungary. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Hungary in 4Q12 was Win32/Obfuscator, which affected 6.0 percent of computers with detections in Hungary. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Hungary
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Iceland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iceland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Iceland
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iceland and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Iceland]
Threat categories
Malware and potentially unwanted software categories in Iceland in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category; series: Iceland, Worldwide]
The most common category in Iceland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 37.5 percent in 3Q12. The second most common category in Iceland in 4Q12 was Adware. It affected 24.5 percent of all computers with detections there, down from 37.4 percent in 3Q12. The third most common category in Iceland in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, up from 21.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Iceland in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.5%
2 | Win32/Hotbar | Adware | 14.3%
3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.9%
4 | JS/IframeRef | Misc. Trojans | 8.1%
5 | Win32/ClickPotato | Adware | 5.4%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.2%
7 | ASX/Wimad | Trojan Downloaders & Droppers | 4.9%
8 | Win95/CIH | Viruses | 4.6%
9 | Win32/OpenCandy | Adware | 3.8%
10 | JS/BlacoleRef | Misc. Trojans | 3.2%
The most common threat family in Iceland in 4Q12 was Win32/Keygen, which affected 19.5 percent of computers with detections in Iceland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Iceland in 4Q12 was Win32/Hotbar, which affected 14.3 percent of computers with detections in Iceland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Iceland in 4Q12 was Win32/Zwangi, which affected 9.9 percent of computers with detections in Iceland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Iceland in 4Q12 was JS/IframeRef, which affected 8.1 percent of computers with detections in Iceland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iceland
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
India
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in India in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for India
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in India and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, India]
Threat categories
Malware and potentially unwanted software categories in India in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category; series: India, Worldwide]
The most common category in India in 4Q12 was Worms. It affected 39.9 percent of all computers with detections there, up from 37.6 percent in 3Q12. The second most common category in India in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.6 percent of all computers with detections there, up from 35.4 percent in 3Q12. The third most common category in India in 4Q12 was Miscellaneous Trojans, which affected 34.7 percent of all computers with detections there, down from 34.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in India in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 22.9%
2 | Win32/Sality | Viruses | 16.8%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.8%
4 | Win32/Ramnit | Misc. Trojans | 12.9%
5 | Win32/CplLnk | Exploits | 10.8%
6 | Win32/Nuqel | Worms | 7.9%
7 | Win32/Rimecud | Misc. Trojans | 6.2%
8 | Win32/Adkubru | Adware | 6.0%
9 | Win32/Virut | Viruses | 5.5%
10 | Win32/Conficker | Worms | 4.9%
The most common threat family in India in 4Q12 was INF/Autorun, which affected 22.9 percent of computers with detections in India. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in India in 4Q12 was Win32/Sality, which affected 16.8 percent of computers with detections in India. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in India in 4Q12 was Win32/Keygen, which affected 14.8 percent of computers with detections in India. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in India in 4Q12 was Win32/Ramnit, which affected 12.9 percent of computers with detections in India. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for India
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Indonesia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Indonesia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Indonesia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Indonesia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Indonesia]
Threat categories
Malware and potentially unwanted software categories in Indonesia in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category; series: Indonesia, Worldwide]
The most common category in Indonesia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 39.7 percent in 3Q12. The second most common category in Indonesia in 4Q12 was Miscellaneous Trojans. It affected 42.7 percent of all computers with detections there, up from 42.6 percent in 3Q12. The third most common category in Indonesia in 4Q12 was Viruses, which affected 40.4 percent of all computers with detections there, up from 40.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Indonesia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Ramnit | Misc. Trojans | 33.8%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.5%
3 | Win32/CplLnk | Exploits | 20.6%
4 | Win32/Sality | Viruses | 17.1%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 14.4%
6 | Win32/Virut | Viruses | 12.4%
7 | Win32/Dorkbot | Worms | 10.8%
8 | Win32/Vobfus | Worms | 7.6%
9 | Win32/Conficker | Worms | 7.5%
10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.2%
The most common threat family in Indonesia in 4Q12 was Win32/Ramnit, which affected 33.8 percent of computers with detections in Indonesia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Indonesia in 4Q12 was Win32/Keygen, which affected 23.5 percent of computers with detections in Indonesia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Indonesia in 4Q12 was Win32/CplLnk, which affected 20.6 percent of computers with detections in Indonesia. Win32/CplLnk is a generic detection for specially crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The fourth most common threat family in Indonesia in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Indonesia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Indonesia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Iraq
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Iraq in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Iraq
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Iraq and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Iraq, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Iraq in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Iraq and Worldwide]
The most common category in Iraq in 4Q12 was Worms. It affected 41.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Iraq in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 28.8 percent in 3Q12. The third most common category in Iraq in 4Q12 was Miscellaneous Trojans, which affected 33.7 percent of all computers with detections there, up from 26.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Iraq in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.5% |
| 3 | Win32/Sality | Viruses | 18.4% |
| 4 | Win32/Ramnit | Misc. Trojans | 14.9% |
| 5 | Win32/CplLnk | Exploits | 11.6% |
| 6 | Win32/Dorkbot | Worms | 11.0% |
| 7 | Win32/Wecykler | Worms | 7.2% |
| 8 | Win32/Vobfus | Worms | 6.6% |
| 9 | Win32/Brontok | Worms | 6.2% |
| 10 | Win32/Virut | Viruses | 4.7% |
The most common threat family in Iraq in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Iraq. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Iraq in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Iraq. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Iraq in 4Q12 was Win32/Sality, which affected 18.4 percent of computers with detections in Iraq. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Iraq in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Iraq. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Iraq
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Ireland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ireland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ireland
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ireland and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Ireland, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Ireland in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Ireland and Worldwide]
The most common category in Ireland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.4 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in Ireland in 4Q12 was Miscellaneous Trojans. It affected 30.3 percent of all computers with detections there, down from 32.8 percent in 3Q12. The third most common category in Ireland in 4Q12 was Adware, which affected 25.6 percent of all computers with detections there, down from 31.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ireland in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Hotbar | Adware | 12.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0% |
| 3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 8.7% |
| 4 | Java/Blacole | Exploits | 7.3% |
| 5 | Win32/Pdfjsc | Exploits | 7.0% |
| 6 | JS/IframeRef | Misc. Trojans | 6.1% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 5.1% |
| 8 | Win32/DealPly | Adware | 4.5% |
| 9 | Win32/ClickPotato | Adware | 4.4% |
| 10 | Win32/Winwebsec | Misc. Trojans | 4.4% |
The most common threat family in Ireland in 4Q12 was Win32/Hotbar, which affected 12.8 percent of computers with detections in Ireland. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The second most common threat family in Ireland in 4Q12 was Win32/Keygen, which affected 10.0 percent of computers with detections in Ireland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Ireland in 4Q12 was Win32/Zwangi, which affected 8.7 percent of computers with detections in Ireland. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Ireland in 4Q12 was Java/Blacole, which affected 7.3 percent of computers with detections in Ireland. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ireland
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Israel
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Israel in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Israel
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Israel and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Israel, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Israel in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Israel and Worldwide]
The most common category in Israel in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 47.9 percent of all computers with detections there, up from 43.5 percent in 3Q12. The second most common category in Israel in 4Q12 was Miscellaneous Trojans. It affected 24.6 percent of all computers with detections there, up from 23.2 percent in 3Q12. The third most common category in Israel in 4Q12 was Worms, which affected 23.1 percent of all computers with detections there, up from 20.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Israel in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.9% |
| 2 | Win32/AmmyyAdmin | Misc. Potentially Unwanted Software | 9.9% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 9.5% |
| 4 | Win32/Sality | Viruses | 5.8% |
| 5 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.7% |
| 6 | Win32/Hotbar | Adware | 5.6% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 5.2% |
| 8 | Win32/Brontok | Worms | 5.0% |
| 9 | JS/IframeRef | Misc. Trojans | 4.8% |
| 10 | Win32/Dorkbot | Worms | 3.8% |
The most common threat family in Israel in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Israel. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Israel in 4Q12 was Win32/AmmyyAdmin, which affected 9.9 percent of computers with detections in Israel. Win32/AmmyyAdmin is a remote control application that allows full control of the computer in which it is installed. It can be installed for legitimate purposes, but can also be installed from a remote location by an attacker. The third most common threat family in Israel in 4Q12 was INF/Autorun, which affected 9.5 percent of computers with detections in Israel. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Israel in 4Q12 was Win32/Sality, which affected 5.8 percent of computers with detections in Israel. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Israel
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Italy
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Italy in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Italy
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Italy and around the world, and for explanations of the methods and terms used here.
[Figure: CCM by quarter, Worldwide and Italy, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Italy in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Italy and Worldwide]
The most common category in Italy in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.2 percent of all computers with detections there, up from 27.5 percent in 3Q12. The second most common category in Italy in 4Q12 was Adware. It affected 25.6 percent of all computers with detections there, down from 29.3 percent in 3Q12. The third most common category in Italy in 4Q12 was Miscellaneous Trojans, which affected 23.8 percent of all computers with detections there, down from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Italy in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Pdfjsc | Exploits | 13.7% |
| 2 | Win32/DealPly | Adware | 13.3% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.2% |
| 4 | ASX/Wimad | Trojan Downloaders & Droppers | 11.1% |
| 5 | Java/Blacole | Exploits | 8.0% |
| 6 | JS/IframeRef | Misc. Trojans | 5.5% |
| 7 | INF/Autorun | Misc. Potentially Unwanted Software | 4.7% |
| 8 | Win32/Conficker | Worms | 4.6% |
| 9 | Win32/Sirefef | Misc. Trojans | 3.9% |
| 10 | Win32/Reveton | Misc. Trojans | 3.8% |
The most common threat family in Italy in 4Q12 was Win32/Pdfjsc, which affected 13.7 percent of computers with detections in Italy. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in Italy in 4Q12 was Win32/DealPly, which affected 13.3 percent of computers with detections in Italy. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Italy in 4Q12 was Win32/Keygen, which affected 13.2 percent of computers with detections in Italy. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Italy in 4Q12 was ASX/Wimad, which affected 11.1 percent of computers with detections in Italy. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Italy
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Jamaica
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jamaica in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jamaica
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jamaica and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Jamaica, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Jamaica in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Jamaica and Worldwide]
The most common category in Jamaica in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 35.3 percent in 3Q12. The second most common category in Jamaica in 4Q12 was Worms. It affected 36.1 percent of all computers with detections there, up from 31.6 percent in 3Q12. The third most common category in Jamaica in 4Q12 was Adware, which affected 24.0 percent of all computers with detections there, down from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Jamaica in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Vobfus | Worms | 16.2% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 14.8% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.9% |
| 4 | Win32/Hotbar | Adware | 13.6% |
| 5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.3% |
| 6 | Win32/Dorkbot | Worms | 5.8% |
| 7 | Win32/Brontok | Worms | 5.6% |
| 8 | Win32/Rimecud | Misc. Trojans | 4.4% |
| 9 | JS/IframeRef | Misc. Trojans | 4.3% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.2% |
The most common threat family in Jamaica in 4Q12 was Win32/Vobfus, which affected 16.2 percent of computers with detections in Jamaica. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The second most common threat family in Jamaica in 4Q12 was INF/Autorun, which affected 14.8 percent of computers with detections in Jamaica. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Jamaica in 4Q12 was Win32/Keygen, which affected 13.9 percent of computers with detections in Jamaica. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Jamaica in 4Q12 was Win32/Hotbar, which affected 13.6 percent of computers with detections in Jamaica. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jamaica
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Japan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Japan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Japan
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Japan and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Japan, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Japan in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Japan and Worldwide]
The most common category in Japan in 4Q12 was Adware. It affected 37.6 percent of all computers with detections there, up from 31.7 percent in 3Q12. The second most common category in Japan in 4Q12 was Miscellaneous Trojans. It affected 26.1 percent of all computers with detections there, down from 28.7 percent in 3Q12. The third most common category in Japan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 19.8 percent of all computers with detections there, down from 20.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Japan in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 29.5% |
| 2 | JS/IframeRef | Misc. Trojans | 9.4% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 7.7% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 5 | Win32/OpenCandy | Adware | 5.1% |
| 6 | Win32/Sirefef | Misc. Trojans | 4.2% |
| 7 | Win32/Conficker | Worms | 3.1% |
| 8 | JS/BlacoleRef | Misc. Trojans | 2.7% |
| 9 | Win32/Pdfjsc | Exploits | 2.7% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 2.6% |
The most common threat family in Japan in 4Q12 was Win32/DealPly, which affected 29.5 percent of computers with detections in Japan. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Japan in 4Q12 was JS/IframeRef, which affected 9.4 percent of computers with detections in Japan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Japan in 4Q12 was Win32/Keygen, which affected 7.7 percent of computers with detections in Japan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Japan in 4Q12 was INF/Autorun, which affected 5.5 percent of computers with detections in Japan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Japan
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Jordan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Jordan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Jordan
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Jordan and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Jordan, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Jordan in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by threat category, Jordan and Worldwide]
The most common category in Jordan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Jordan in 4Q12 was Worms. It affected 38.3 percent of all computers with detections there, up from 27.2 percent in 3Q12. The third most common category in Jordan in 4Q12 was Miscellaneous Trojans, which affected 35.5 percent of all computers with detections there, up from 26.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Jordan in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.6% |
| 3 | Win32/Sality | Viruses | 15.8% |
| 4 | Win32/Ramnit | Misc. Trojans | 10.7% |
| 5 | Win32/CplLnk | Exploits | 9.7% |
| 6 | Win32/Dorkbot | Worms | 9.3% |
| 7 | Win32/Vobfus | Worms | 8.7% |
| 8 | Win32/Sulunch | Misc. Trojans | 6.8% |
| 9 | JS/IframeRef | Misc. Trojans | 5.0% |
| 10 | Win32/Virut | Viruses | 4.4% |
The most common threat family in Jordan in 4Q12 was INF/Autorun, which affected 20.8 percent of computers with detections in Jordan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Jordan in 4Q12 was Win32/Keygen, which affected 16.6 percent of computers with detections in Jordan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Jordan in 4Q12 was Win32/Sality, which affected 15.8 percent of computers with detections in Jordan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Jordan in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Jordan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Jordan
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Kazakhstan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kazakhstan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kazakhstan
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kazakhstan and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Kazakhstan and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kazakhstan in 4Q12, by percentage of computers reporting detections, for Kazakhstan and Worldwide]
The most common category in Kazakhstan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 48.6 percent of all computers with detections there, down from 52.7 percent in 3Q12. The second most common category in Kazakhstan in 4Q12 was Miscellaneous Trojans. It affected 36.6 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Kazakhstan in 4Q12 was Worms, which affected 24.7 percent of all computers with detections there, up from 20.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kazakhstan in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.9%
2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 12.6%
3 | Win32/Vobfus | Worms | 12.3%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 10.7%
5 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 8.3%
6 | Win32/CplLnk | Exploits | 6.0%
7 | Win32/Ramnit | Misc. Trojans | 5.7%
8 | Win32/Webalta | Adware | 5.5%
9 | Win32/Pdfjsc | Exploits | 5.5%
10 | Win32/Vundo | Misc. Trojans | 4.8%
The most common threat family in Kazakhstan in 4Q12 was Win32/Keygen, which affected 17.9 percent of computers with detections in Kazakhstan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kazakhstan in 4Q12 was Win32/Pameseg, which affected 12.6 percent of computers with detections in Kazakhstan. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Kazakhstan in 4Q12 was Win32/Vobfus, which affected 12.3 percent of computers with detections in Kazakhstan. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Kazakhstan in 4Q12 was INF/Autorun, which affected 10.7 percent of computers with detections in Kazakhstan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kazakhstan
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Kenya
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kenya in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kenya
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kenya and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Kenya and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kenya in 4Q12, by percentage of computers reporting detections, for Kenya and Worldwide]
The most common category in Kenya in 4Q12 was Miscellaneous Trojans. It affected 40.4 percent of all computers with detections there, up from 37.0 percent in 3Q12. The second most common category in Kenya in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 35.0 percent in 3Q12. The third most common category in Kenya in 4Q12 was Worms, which affected 31.0 percent of all computers with detections there, down from 32.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kenya in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Comame | Misc. Trojans | 18.4%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 18.3%
3 | Win32/Sality | Viruses | 17.1%
4 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.8%
5 | Win32/Vobfus | Worms | 8.8%
6 | Win32/CplLnk | Exploits | 7.8%
7 | Win32/Virut | Viruses | 7.1%
8 | Win32/Ramnit | Misc. Trojans | 6.9%
9 | Win32/Dorkbot | Worms | 6.3%
10 | Win32/Rimecud | Misc. Trojans | 4.9%
The most common threat family in Kenya in 4Q12 was Win32/Comame, which affected 18.4 percent of computers with detections in Kenya. Win32/Comame is a generic detection for a variety of threats. The second most common threat family in Kenya in 4Q12 was INF/Autorun, which affected 18.3 percent of computers with detections in Kenya. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kenya in 4Q12 was Win32/Sality, which affected 17.1 percent of computers with detections in Kenya. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kenya in 4Q12 was Win32/Keygen, which affected 13.8 percent of computers with detections in Kenya. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kenya
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Korea
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Korea in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Korea
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Korea and around the world, and for explanations of the methods and terms used here.
[Figure: CCM by quarter, 3Q11 to 4Q12, for Korea and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Korea in 4Q12, by percentage of computers reporting detections, for Korea and Worldwide]
The most common category in Korea in 4Q12 was Miscellaneous Trojans. It affected 75.6 percent of all computers with detections there, up from 35.5 percent in 3Q12. The second most common category in Korea in 4Q12 was Adware. It affected 32.6 percent of all computers with detections there, down from 55.5 percent in 3Q12. The third most common category in Korea in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 9.7 percent of all computers with detections there, down from 14.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Korea in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Onescan | Misc. Trojans | 70.6%
2 | Win32/Addendum | Adware | 10.6%
3 | Win32/SideOn | Adware | 10.3%
4 | Win32/Wingo | Adware | 8.7%
5 | Win32/Pluzoks | Trojan Downloaders & Droppers | 6.4%
6 | Win32/WinAgir | Adware | 6.1%
7 | Win32/Hebogo | Adware | 3.3%
8 | Win32/Kremiumad | Adware | 3.1%
9 | JS/DonxRef | Exploits | 3.0%
10 | Win32/Keygen | Misc. Potentially Unwanted Software | 2.9%
The most common threat family in Korea in 4Q12 was Win32/Onescan, which affected 70.6 percent of computers with detections in Korea. Win32/Onescan is a Korean-language rogue security software family distributed under the names One Scan, Siren114, EnPrivacy, PC Trouble, Smart Vaccine, and many others. The second most common threat family in Korea in 4Q12 was Win32/Addendum, which affected 10.6 percent of computers with detections in Korea. Win32/Addendum is adware that is installed as a web browser helper object (BHO) that may display unwanted pop-up advertisements and redirect search queries when accessing certain websites. It may also download executable files to install as updates. The third most common threat family in Korea in 4Q12 was Win32/SideOn, which affected 10.3 percent of computers with detections in Korea. Win32/SideOn is a component of a program called WinPro that may redirect the user's web browser to certain websites and display ads for certain products. The fourth most common threat family in Korea in 4Q12 was Win32/Wingo, which affected 8.7 percent of computers with detections in Korea. Win32/Wingo is a program that may install a browser helper object (BHO) that may display pop-up advertisements and download updates of itself.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Korea
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Kuwait
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Kuwait in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Kuwait
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Kuwait and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Kuwait and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Kuwait in 4Q12, by percentage of computers reporting detections, for Kuwait and Worldwide]
The most common category in Kuwait in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.7 percent of all computers with detections there, up from 29.2 percent in 3Q12. The second most common category in Kuwait in 4Q12 was Worms. It affected 33.8 percent of all computers with detections there, up from 24.9 percent in 3Q12. The third most common category in Kuwait in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 25.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Kuwait in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.1%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 15.0%
3 | Win32/Sality | Viruses | 9.0%
4 | Win32/Dorkbot | Worms | 8.2%
5 | Win32/Vobfus | Worms | 6.5%
6 | Win32/Rimecud | Misc. Trojans | 6.2%
7 | JS/IframeRef | Misc. Trojans | 5.4%
8 | Win32/Hotbar | Adware | 5.2%
9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.2%
10 | Win32/CplLnk | Exploits | 4.1%
The most common threat family in Kuwait in 4Q12 was Win32/Keygen, which affected 17.1 percent of computers with detections in Kuwait. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Kuwait in 4Q12 was INF/Autorun, which affected 15.0 percent of computers with detections in Kuwait. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Kuwait in 4Q12 was Win32/Sality, which affected 9.0 percent of computers with detections in Kuwait. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Kuwait in 4Q12 was Win32/Dorkbot, which affected 8.2 percent of computers with detections in Kuwait. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Kuwait
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Latvia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Latvia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Latvia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Latvia and around the world, and for explanations of the methods and terms used here.
[Figure: CCM by quarter, 3Q11 to 4Q12, for Latvia and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Latvia in 4Q12, by percentage of computers reporting detections, for Latvia and Worldwide]
The most common category in Latvia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.9 percent of all computers with detections there, up from 45.6 percent in 3Q12. The second most common category in Latvia in 4Q12 was Miscellaneous Trojans. It affected 31.9 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Latvia in 4Q12 was Worms, which affected 20.1 percent of all computers with detections there, up from 14.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Latvia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 21.2%
2 | Win32/Dorkbot | Worms | 7.7%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.3%
4 | JS/IframeRef | Misc. Trojans | 7.2%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.1%
6 | Java/Blacole | Exploits | 4.9%
7 | Win32/Pdfjsc | Exploits | 4.7%
8 | Win32/Hotbar | Adware | 4.0%
9 | Win32/Pameseg | Misc. Potentially Unwanted Software | 3.7%
10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%
The most common threat family in Latvia in 4Q12 was Win32/Keygen, which affected 21.2 percent of computers with detections in Latvia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Latvia in 4Q12 was Win32/Dorkbot, which affected 7.7 percent of computers with detections in Latvia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Latvia in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Latvia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Latvia in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in Latvia.
JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Latvia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Lebanon
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lebanon in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lebanon
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lebanon and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12, for Lebanon and Worldwide]
Threat categories
[Figure: Malware and potentially unwanted software categories in Lebanon in 4Q12, by percentage of computers reporting detections, for Lebanon and Worldwide]
The most common category in Lebanon in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Lebanon in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.2 percent of all computers with detections there, up from 30.4 percent in 3Q12. The third most common category in Lebanon in 4Q12 was Miscellaneous Trojans, which affected 30.1 percent of all computers with detections there, up from 24.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Lebanon in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.5%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 16.3%
3 | Win32/Sality | Viruses | 11.2%
4 | Win32/CplLnk | Exploits | 11.2%
5 | Win32/Dorkbot | Worms | 8.8%
6 | Win32/Ramnit | Misc. Trojans | 8.6%
7 | Win32/Folstart | Worms | 8.3%
8 | Win32/Nuqel | Worms | 6.0%
9 | JS/IframeRef | Misc. Trojans | 5.8%
10 | Win32/Rimecud | Misc. Trojans | 5.5%
The most common threat family in Lebanon in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Lebanon. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Lebanon in 4Q12 was INF/Autorun, which affected 16.3 percent of computers with detections in Lebanon. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Lebanon in 4Q12 was Win32/Sality, which affected 11.2 percent of computers with detections in Lebanon. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Lebanon in 4Q12 was Win32/CplLnk, which affected 11.2 percent of computers with detections in Lebanon. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lebanon
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Lithuania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Lithuania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Lithuania
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Lithuania and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Lithuania, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Lithuania in 4Q12, by percentage of computers reporting detections; Lithuania compared with Worldwide]
The most common category in Lithuania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.2 percent of all computers with detections there, up from 42.0 percent in 3Q12. The second most common category in Lithuania in 4Q12 was Miscellaneous Trojans. It affected 33.2 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Lithuania in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 18.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Lithuania in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | JS/IframeRef | Misc. Trojans | 8.4%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.3%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 5.2%
5 | Win32/Dorkbot | Worms | 5.1%
6 | JS/BlacoleRef | Misc. Trojans | 3.9%
7 | Win32/Hotbar | Adware | 3.7%
8 | Win32/DealPly | Adware | 3.6%
9 | Win32/Killav | Misc. Trojans | 3.2%
10 | Win32/OpenCandy | Adware | 3.2%
The most common threat family in Lithuania in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Lithuania. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Lithuania in 4Q12 was JS/IframeRef, which affected 8.4 percent of computers with detections in Lithuania. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The third most common threat family in Lithuania in 4Q12 was Win32/Obfuscator, which affected 7.3 percent of computers with detections in Lithuania. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Lithuania in 4Q12 was INF/Autorun, which affected 5.2 percent of computers with detections in Lithuania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Lithuania
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Luxembourg
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Luxembourg in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Luxembourg
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Luxembourg and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Luxembourg, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Luxembourg in 4Q12, by percentage of computers reporting detections; Luxembourg compared with Worldwide]
The most common category in Luxembourg in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.5 percent of all computers with detections there, up from 29.4 percent in 3Q12. The second most common category in Luxembourg in 4Q12 was Miscellaneous Trojans. It affected 28.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Luxembourg in 4Q12 was Exploits, which affected 21.6 percent of all computers with detections there, up from 7.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Luxembourg in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.9%
2 | Win32/Pdfjsc | Exploits | 10.4%
3 | Java/Blacole | Exploits | 8.9%
4 | Win32/Reveton | Misc. Trojans | 7.6%
5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.8%
6 | Win32/DealPly | Adware | 5.6%
7 | Win32/Hotbar | Adware | 5.3%
8 | ASX/Wimad | Trojan Downloaders & Droppers | 5.2%
9 | JS/IframeRef | Misc. Trojans | 4.9%
10 | Win32/OpenCandy | Adware | 4.3%
The most common threat family in Luxembourg in 4Q12 was Win32/Keygen, which affected 12.9 percent of computers with detections in Luxembourg. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Luxembourg in 4Q12 was Win32/Pdfjsc, which affected 10.4 percent of computers with detections in Luxembourg. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Luxembourg in 4Q12 was Java/Blacole, which affected 8.9 percent of computers with detections in Luxembourg. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in Luxembourg in 4Q12 was Win32/Reveton, which affected 7.6 percent of computers with detections in Luxembourg. Win32/Reveton is a ransomware family that targets users from certain countries. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Luxembourg
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Macao S.A.R.
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Macao S.A.R. in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Macao S.A.R.
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Macao S.A.R. and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Macao S.A.R. in 4Q12, by percentage of computers reporting detections; Macao S.A.R. compared with Worldwide]
The most common category in Macao S.A.R. in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.7 percent of all computers with detections there, up from 35.4 percent in 3Q12. The second most common category in Macao S.A.R. in 4Q12 was Miscellaneous Trojans. It affected 28.8 percent of all computers with detections there, up from 28.5 percent in 3Q12. The third most common category in Macao S.A.R. in 4Q12 was Worms, which affected 19.0 percent of all computers with detections there, up from 17.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Macao S.A.R. in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 7.5%
3 | JS/IframeRef | Misc. Trojans | 5.9%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.6%
5 | Win32/Conficker | Worms | 5.0%
6 | Win32/Hotbar | Adware | 3.5%
7 | Win32/FlyAgent | Backdoors | 3.0%
8 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 3.0%
9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.0%
10 | Win32/Taterf | Worms | 2.6%
The most common threat family in Macao S.A.R. in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Macao S.A.R. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Macao S.A.R. in 4Q12 was INF/Autorun, which affected 7.5 percent of computers with detections in Macao S.A.R. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Macao S.A.R. in 4Q12 was JS/IframeRef, which affected 5.9 percent of computers with detections in Macao S.A.R. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Macao S.A.R. in 4Q12 was Win32/Obfuscator, which affected 5.6 percent of computers with detections in Macao S.A.R. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Macao S.A.R.
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Malaysia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malaysia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malaysia
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malaysia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Malaysia, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Malaysia in 4Q12, by percentage of computers reporting detections; Malaysia compared with Worldwide]
The most common category in Malaysia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.6 percent of all computers with detections there, up from 32.4 percent in 3Q12. The second most common category in Malaysia in 4Q12 was Worms. It affected 38.6 percent of all computers with detections there, up from 37.3 percent in 3Q12. The third most common category in Malaysia in 4Q12 was Miscellaneous Trojans, which affected 24.5 percent of all computers with detections there, down from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Malaysia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9%
2 | Win32/Dorkbot | Worms | 15.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 15.1%
4 | Win32/Sality | Viruses | 9.1%
5 | Win32/Conficker | Worms | 5.9%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.1%
7 | Win32/Hotbar | Adware | 4.6%
8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.4%
9 | Win32/Nuqel | Worms | 3.4%
10 | Win32/Ramnit | Misc. Trojans | 3.4%
The most common threat family in Malaysia in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in Malaysia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Malaysia in 4Q12 was Win32/Dorkbot, which affected 15.9 percent of computers with detections in Malaysia. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Malaysia in 4Q12 was INF/Autorun, which affected 15.1 percent of computers with detections in Malaysia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Malaysia in 4Q12 was Win32/Sality, which affected 9.1 percent of computers with detections in Malaysia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malaysia
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Malta
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Malta in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Malta
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Malta and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Malta, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Malta in 4Q12, by percentage of computers reporting detections; Malta compared with Worldwide]
The most common category in Malta in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.6 percent of all computers with detections there, up from 34.0 percent in 3Q12. The second most common category in Malta in 4Q12 was Adware. It affected 29.6 percent of all computers with detections there, down from 39.5 percent in 3Q12. The third most common category in Malta in 4Q12 was Miscellaneous Trojans, which affected 19.7 percent of all computers with detections there, up from 18.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Malta in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.5%
2 | Win32/Hotbar | Adware | 16.8%
3 | Win32/Zwangi | Misc. Potentially Unwanted Software | 12.6%
4 | ASX/Wimad | Trojan Downloaders & Droppers | 7.8%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 6.4%
6 | JS/IframeRef | Misc. Trojans | 5.3%
7 | Win32/ClickPotato | Adware | 4.9%
8 | Win32/OpenCandy | Adware | 4.0%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.7%
10 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6%
The most common threat family in Malta in 4Q12 was Win32/Keygen, which affected 18.5 percent of computers with detections in Malta. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Malta in 4Q12 was Win32/Hotbar, which affected 16.8 percent of computers with detections in Malta. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in Malta in 4Q12 was Win32/Zwangi, which affected 12.6 percent of computers with detections in Malta. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. The fourth most common threat family in Malta in 4Q12 was ASX/Wimad, which affected 7.8 percent of computers with detections in Malta. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Malta
Metric
Phishing sites per 1,000 hosts (Worldwide)
Malware hosting sites per 1,000 hosts (Worldwide)
Drive-by download per 1,000 URLs (Worldwide)
Mexico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Mexico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Mexico
Metric
Computers cleaned per 1,000 MSRT executions (CCM)
Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Mexico and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Mexico, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Mexico in 4Q12, by percentage of computers reporting detections; Mexico compared with Worldwide]
The most common category in Mexico in 4Q12 was Worms. It affected 43.2 percent of all computers with detections there, down from 45.5 percent in 3Q12. The second most common category in Mexico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 34.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The third most common category in Mexico in 4Q12 was Adware, which affected 21.7 percent of all computers with detections there, up from 16.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Mexico in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 22.5%
2 | Win32/DealPly | Adware | 15.3%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.2%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 13.3%
5 | Win32/Vobfus | Worms | 7.9%
6 | Win32/Conficker | Worms | 6.3%
7 | Win32/Brontok | Worms | 5.0%
8 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.6%
9 | Win32/OpenCandy | Adware | 3.4%
10 | JS/IframeRef | Misc. Trojans | 3.3%
The most common threat family in Mexico in 4Q12 was Win32/Dorkbot, which affected 22.5 percent of computers with detections in Mexico. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Mexico in 4Q12 was Win32/DealPly, which affected 15.3 percent of computers with detections in Mexico. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Mexico in 4Q12 was Win32/Keygen, which affected 14.2 percent of computers with detections in Mexico. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Mexico in 4Q12 was INF/Autorun, which affected 13.3 percent of computers with detections in Mexico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Mexico
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Moldova
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Moldova in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Moldova
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Moldova and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Moldova, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Moldova in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, Moldova and Worldwide]
The most common category in Moldova in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 49.6 percent of all computers with detections there, down from 49.7 percent in 3Q12. The second most common category in Moldova in 4Q12 was Miscellaneous Trojans. It affected 35.1 percent of all computers with detections there, down from 38.2 percent in 3Q12. The third most common category in Moldova in 4Q12 was Worms, which affected 30.2 percent of all computers with detections there, up from 16.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Moldova in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | Win32/Dorkbot | Worms | 16.3%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 7.9%
4 | Win32/Pameseg | Misc. Potentially Unwanted Software | 7.2%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.3%
6 | JS/Tadtruss | Misc. Trojans | 4.1%
7 | Win32/Sality | Viruses | 3.9%
8 | Win32/Brontok | Worms | 3.8%
9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.5%
10 | Win32/Killav | Misc. Trojans | 3.3%
The most common threat family in Moldova in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Moldova. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Moldova in 4Q12 was Win32/Dorkbot, which affected 16.3 percent of computers with detections in Moldova. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Moldova in 4Q12 was Win32/Obfuscator, which affected 7.9 percent of computers with detections in Moldova. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Moldova in 4Q12 was Win32/Pameseg, which affected 7.2 percent of computers with detections in Moldova. Win32/Pameseg is a fake program installer that requires the user
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Moldova
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Morocco
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Morocco in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Morocco
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Morocco and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Morocco, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Morocco in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, Morocco and Worldwide]
The most common category in Morocco in 4Q12 was Worms. It affected 41.1 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in Morocco in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.4 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Morocco in 4Q12 was Miscellaneous Trojans, which affected 29.8 percent of all computers with detections there, up from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Morocco in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 16.3%
2 | Win32/Sality | Viruses | 13.8%
3 | Win32/Yeltminky | Worms | 13.1%
4 | INF/Autorun | Misc. Potentially Unwanted Software | 12.1%
5 | Win32/Dorkbot | Worms | 10.1%
6 | Win32/Ramnit | Misc. Trojans | 9.9%
7 | Win32/CplLnk | Exploits | 7.2%
8 | Win32/Mabezat | Viruses | 5.5%
9 | Win32/Vobfus | Worms | 4.6%
10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.3%
The most common threat family in Morocco in 4Q12 was Win32/Keygen, which affected 16.3 percent of computers with detections in Morocco. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Morocco in 4Q12 was Win32/Sality, which affected 13.8 percent of computers with detections in Morocco. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Morocco in 4Q12 was Win32/Yeltminky, which affected 13.1 percent of computers with detections in Morocco. Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy. The fourth most common threat family in Morocco in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Morocco. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Morocco
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Nepal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nepal in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nepal
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nepal and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Nepal, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Nepal in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, Nepal and Worldwide]
The most common category in Nepal in 4Q12 was Miscellaneous Trojans. It affected 48.6 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Nepal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 38.0 percent in 3Q12. The third most common category in Nepal in 4Q12 was Worms, which affected 39.3 percent of all computers with detections there, down from 42.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nepal in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Ramnit | Misc. Trojans | 28.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 25.6%
3 | Win32/CplLnk | Exploits | 22.1%
4 | Win32/Sality | Viruses | 21.1%
5 | Win32/Finodes | Misc. Trojans | 18.4%
6 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.1%
7 | Win32/Virut | Viruses | 16.0%
8 | Win32/Nuqel | Worms | 9.3%
9 | Win32/Rimecud | Misc. Trojans | 5.6%
10 | Win32/Conficker | Worms | 5.1%
The most common threat family in Nepal in 4Q12 was Win32/Ramnit, which affected 28.6 percent of computers with detections in Nepal. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The second most common threat family in Nepal in 4Q12 was INF/Autorun, which affected 25.6 percent of computers with detections in Nepal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Nepal in 4Q12 was Win32/CplLnk, which affected 22.1 percent of computers with detections in Nepal. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. The fourth most common threat family in Nepal in 4Q12 was Win32/Sality, which affected 21.1 percent of computers with detections in Nepal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload
that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nepal
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Netherlands
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Netherlands in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Netherlands
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Netherlands and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Netherlands, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Netherlands in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, Netherlands and Worldwide]
The most common category in the Netherlands in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 30.5 percent in 3Q12. The second most common category in the Netherlands in 4Q12 was Miscellaneous Trojans. It affected 26.7 percent of all computers with detections there, down from 27.2 percent in 3Q12. The third most common category in the Netherlands in 4Q12 was Adware, which affected 25.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Netherlands in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.3%
2 | Win32/DealPly | Adware | 15.1%
3 | Win32/Pdfjsc | Exploits | 11.1%
4 | Java/Blacole | Exploits | 10.5%
5 | JS/IframeRef | Misc. Trojans | 9.5%
6 | ASX/Wimad | Trojan Downloaders & Droppers | 5.9%
7 | Win32/Hotbar | Adware | 5.1%
8 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.4%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.1%
10 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.1%
The most common threat family in the Netherlands in 4Q12 was Win32/Keygen, which affected 15.3 percent of computers with detections in the Netherlands. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in the Netherlands in 4Q12 was Win32/DealPly, which affected 15.1 percent of computers with detections in the Netherlands. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in the Netherlands in 4Q12 was Win32/Pdfjsc, which affected 11.1 percent of computers with detections in the Netherlands. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in the Netherlands in 4Q12 was Java/Blacole, which affected 10.5 percent of computers with detections in the Netherlands. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Netherlands
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
New Zealand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in New Zealand in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for New Zealand
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in New Zealand and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in New Zealand in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, New Zealand and Worldwide]
The most common category in New Zealand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.1 percent of all computers with detections there, up from 25.4 percent in 3Q12. The second most common category in New Zealand in 4Q12 was Miscellaneous Trojans. It affected 28.9 percent of all computers with detections there, down from 31.1 percent in 3Q12. The third most common category in New Zealand in 4Q12 was Adware, which affected 20.4 percent of all computers with detections there, down from 25.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in New Zealand in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.4%
2 | Win32/Hotbar | Adware | 9.3%
3 | JS/IframeRef | Misc. Trojans | 7.2%
4 | Win32/Sirefef | Misc. Trojans | 6.6%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 6.4%
6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.9%
7 | Win32/Vobfus | Worms | 5.0%
8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.5%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.4%
10 | Win32/OpenCandy | Adware | 3.6%
The most common threat family in New Zealand in 4Q12 was Win32/Keygen, which affected 11.4 percent of computers with detections in New Zealand. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in New Zealand in 4Q12 was Win32/Hotbar, which affected 9.3 percent of computers with detections in New Zealand. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The third most common threat family in New Zealand in 4Q12 was JS/IframeRef, which affected 7.2 percent of computers with detections in New Zealand. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in New Zealand in 4Q12 was Win32/Sirefef, which affected 6.6 percent of computers with detections in New Zealand. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for New Zealand
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Nicaragua
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nicaragua in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nicaragua
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nicaragua and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Nicaragua, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Nicaragua in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections by category, Nicaragua and Worldwide]
The most common category in Nicaragua in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.1 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in Nicaragua in 4Q12 was Worms. It affected 38.2 percent of all computers with detections there, down from 40.1 percent in 3Q12. The third most common category in Nicaragua in 4Q12 was Miscellaneous Trojans, which affected 22.1 percent of all computers with detections there, down from 24.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nicaragua in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 25.9%
2 | Win32/Dorkbot | Worms | 17.6%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 8.2%
4 | Win32/Vobfus | Worms | 7.3%
5 | Win32/Conficker | Worms | 7.2%
6 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.7%
7 | Win32/Sality | Viruses | 4.5%
8 | Win32/Yeltminky | Worms | 4.4%
9 | Win32/Nuqel | Worms | 4.0%
10 | Win32/OpenCandy | Adware | 3.8%
The most common threat family in Nicaragua in 4Q12 was Win32/Keygen, which affected 25.9 percent of computers with detections in Nicaragua. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Nicaragua in 4Q12 was Win32/Dorkbot, which affected 17.6 percent of computers with detections in Nicaragua. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Nicaragua in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Nicaragua. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Nicaragua in 4Q12 was Win32/Vobfus, which affected 7.3 percent of computers with detections in Nicaragua. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nicaragua
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Nigeria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Nigeria in 4Q12 and previous quarters. This data is provided by administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Nigeria
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Nigeria and around the world, and for explanations of the methods and terms used here.
[Chart: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Nigeria]
Threat categories
Malware and potentially unwanted software categories in Nigeria in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Nigeria, Worldwide]
The most common category in Nigeria in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 40.8 percent in 3Q12. The second most common category in Nigeria in 4Q12 was Miscellaneous Trojans. It affected 29.7 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Nigeria in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 28.8 percent of all computers with detections there, up from 26.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Nigeria in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Vobfus | Worms | 17.1%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 16.1%
3 | Win32/Sality | Viruses | 11.4%
4 | Win32/Ramnit | Misc. Trojans | 10.7%
5 | Win32/CplLnk | Exploits | 10.1%
6 | Win32/Keygen | Misc. Potentially Unwanted Software | 9.4%
7 | Win32/Virut | Viruses | 8.6%
8 | Win32/Rimecud | Misc. Trojans | 7.8%
9 | Win32/Dorkbot | Worms | 6.1%
10 | Win32/Conficker | Worms | 5.3%
The most common threat family in Nigeria in 4Q12 was Win32/Vobfus, which affected 17.1 percent of computers with detections in Nigeria. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
The second most common threat family in Nigeria in 4Q12 was INF/Autorun, which affected 16.1 percent of computers with detections in Nigeria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Nigeria in 4Q12 was Win32/Sality, which affected 11.4 percent of computers with detections in Nigeria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
The fourth most common threat family in Nigeria in 4Q12 was Win32/Ramnit, which affected 10.7 percent of computers with detections in Nigeria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Nigeria
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Norway
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Norway in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Norway
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Norway and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12; series: Worldwide, Norway]
Threat categories
Malware and potentially unwanted software categories in Norway in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Norway, Worldwide]
The most common category in Norway in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.4 percent of all computers with detections there, up from 28.9 percent in 3Q12. The second most common category in Norway in 4Q12 was Miscellaneous Trojans. It affected 25.8 percent of all computers with detections there, down from 28.0 percent in 3Q12. The third most common category in Norway in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 28.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Norway in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.1%
2 | Win32/DealPly | Adware | 9.9%
3 | JS/IframeRef | Misc. Trojans | 8.5%
4 | Win32/Hotbar | Adware | 8.2%
5 | Win32/Pdfjsc | Exploits | 8.1%
6 | Java/Blacole | Exploits | 7.3%
7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.4%
8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.6%
9 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.1%
10 | Win32/Sinowal | Password Stealers & Monitoring Tools | 3.5%
The most common threat family in Norway in 4Q12 was Win32/Keygen, which affected 13.1 percent of computers with detections in Norway. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Norway in 4Q12 was Win32/DealPly, which affected 9.9 percent of computers with detections in Norway. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
The third most common threat family in Norway in 4Q12 was JS/IframeRef, which affected 8.5 percent of computers with detections in Norway. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
The fourth most common threat family in Norway in 4Q12 was Win32/Hotbar, which affected 8.2 percent of computers with detections in Norway. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Norway
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Oman
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Oman in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Oman
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Oman and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12; series: Worldwide, Oman]
Threat categories
Malware and potentially unwanted software categories in Oman in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Oman, Worldwide]
The most common category in Oman in 4Q12 was Worms. It affected 46.8 percent of all computers with detections there, up from 33.0 percent in 3Q12. The second most common category in Oman in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 39.7 percent of all computers with detections there, up from 30.3 percent in 3Q12. The third most common category in Oman in 4Q12 was Miscellaneous Trojans, which affected 28.9 percent of all computers with detections there, up from 24.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Oman in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Vobfus | Worms | 22.5%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 22.5%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.2%
4 | Win32/Sality | Viruses | 8.0%
5 | Win32/Nuqel | Worms | 6.9%
6 | Win32/Dorkbot | Worms | 6.4%
7 | JS/IframeRef | Misc. Trojans | 5.8%
8 | Win32/Ramnit | Misc. Trojans | 4.8%
9 | Win32/CplLnk | Exploits | 4.6%
10 | Win32/Folstart | Worms | 4.3%
The most common threat family in Oman in 4Q12 was Win32/Vobfus, which affected 22.5 percent of computers with detections in Oman. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
The second most common threat family in Oman in 4Q12 was INF/Autorun, which affected 22.5 percent of computers with detections in Oman. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Oman in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Oman. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The fourth most common threat family in Oman in 4Q12 was Win32/Sality, which affected 8.0 percent of computers with detections in Oman. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Oman
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Pakistan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Pakistan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Pakistan
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Pakistan and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12; series: Worldwide, Pakistan]
Threat categories
Malware and potentially unwanted software categories in Pakistan in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Pakistan, Worldwide]
The most common category in Pakistan in 4Q12 was Worms. It affected 50.2 percent of all computers with detections there, up from 47.0 percent in 3Q12. The second most common category in Pakistan in 4Q12 was Viruses. It affected 44.2 percent of all computers with detections there, up from 42.1 percent in 3Q12. The third most common category in Pakistan in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 42.0 percent of all computers with detections there, up from 37.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Pakistan in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 34.9%
2 | Win32/Sality | Viruses | 27.5%
3 | Win32/Ramnit | Misc. Trojans | 21.3%
4 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.1%
5 | Win32/CplLnk | Exploits | 16.3%
6 | Win32/Virut | Viruses | 16.2%
7 | Win32/Chir | Viruses | 13.9%
8 | Win32/VB | Worms | 11.0%
9 | Win32/Bifrose | Backdoors | 8.0%
10 | Win32/Conficker | Worms | 7.1%
The most common threat family in Pakistan in 4Q12 was INF/Autorun, which affected 34.9 percent of computers with detections in Pakistan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The second most common threat family in Pakistan in 4Q12 was Win32/Sality, which affected 27.5 percent of computers with detections in Pakistan. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
The third most common threat family in Pakistan in 4Q12 was Win32/Ramnit, which affected 21.3 percent of computers with detections in Pakistan. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
The fourth most common threat family in Pakistan in 4Q12 was Win32/Keygen, which affected 18.1 percent of computers with detections in Pakistan. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Pakistan
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Palestinian Authority
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Palestinian territories (West Bank and Gaza Strip) in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Palestinian territories
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Palestinian territories and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Palestinian territories in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Palestinian Authority, Worldwide]
The most common category in the Palestinian territories in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.2 percent of all computers with detections there, up from 36.8 percent in 3Q12. The second most common category in the Palestinian territories in 4Q12 was Worms. It affected 40.4 percent of all computers with detections there, up from 31.4 percent in 3Q12. The third most common category in the Palestinian territories in 4Q12 was Miscellaneous Trojans, which affected 39.8 percent of all computers with detections there, up from 31.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Palestinian territories in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Sality | Viruses | 23.7%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.9%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 21.3%
4 | Win32/CplLnk | Exploits | 13.3%
5 | Win32/Ramnit | Misc. Trojans | 12.7%
6 | Win32/Vobfus | Worms | 11.1%
7 | Win32/Sulunch | Misc. Trojans | 10.0%
8 | Win32/Virut | Viruses | 8.9%
9 | Win32/Nuqel | Worms | 6.1%
10 | Win32/Dorkbot | Worms | 5.9%
The most common threat family in the Palestinian territories in 4Q12 was Win32/Sality, which affected 23.7 percent of computers with detections in the Palestinian territories. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
The second most common threat family in the Palestinian territories in 4Q12 was Win32/Keygen, which affected 22.9 percent of computers with detections in the Palestinian territories. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in the Palestinian territories in 4Q12 was INF/Autorun, which affected 21.3 percent of computers with detections in the Palestinian territories. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in the Palestinian territories in 4Q12 was Win32/CplLnk, which affected 13.3 percent of computers with detections in the Palestinian territories. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Palestinian territories
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Panama
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Panama in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Panama
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Panama and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12; series: Worldwide, Panama]
Threat categories
Malware and potentially unwanted software categories in Panama in 4Q12, by percentage of computers reporting detections
[Chart: Percent of computers reporting detections; series: Panama, Worldwide]
The most common category in Panama in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.3 percent of all computers with detections there, up from 34.2 percent in 3Q12. The second most common category in Panama in 4Q12 was Worms. It affected 35.6 percent of all computers with detections there, down from 36.9 percent in 3Q12. The third most common category in Panama in 4Q12 was Miscellaneous Trojans, which affected 24.6 percent of all computers with detections there, down from 25.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Panama in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Dorkbot | Worms | 17.5%
2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.3%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.0%
4 | Win32/Vobfus | Worms | 10.1%
5 | Win32/Sality | Viruses | 5.9%
6 | JS/IframeRef | Misc. Trojans | 5.2%
7 | Win32/Conficker | Worms | 4.5%
8 | Win32/VBInject | Misc. Potentially Unwanted Software | 3.9%
9 | Win32/Nuqel | Worms | 3.8%
10 | Win32/OpenCandy | Adware | 3.7%
The most common threat family in Panama in 4Q12 was Win32/Dorkbot, which affected 17.5 percent of computers with detections in Panama. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The second most common threat family in Panama in 4Q12 was Win32/Keygen, which affected 14.3 percent of computers with detections in Panama. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Panama in 4Q12 was INF/Autorun, which affected 11.0 percent of computers with detections in Panama. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The fourth most common threat family in Panama in 4Q12 was Win32/Vobfus, which affected 10.1 percent of computers with detections in Panama. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Panama
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Paraguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Paraguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Paraguay
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Paraguay and around the world, and for explanations of the methods and terms used here.
[Chart: quarterly trend, 3Q11 to 4Q12; series: Worldwide, Paraguay]
Threat categories
Malware and potentially unwanted software categories in Paraguay in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Paraguay and Worldwide]
The most common category in Paraguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Paraguay in 4Q12 was Worms. It affected 37.7 percent of all computers with detections there, up from 34.9 percent in 3Q12. The third most common category in Paraguay in 4Q12 was Miscellaneous Trojans, which affected 19.9 percent of all computers with detections there, down from 21.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Paraguay in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Dorkbot | Worms | 21.2% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.6% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.3% |
| 4 | Win32/DealPly | Adware | 5.0% |
| 5 | Win32/Sality | Viruses | 4.8% |
| 6 | Win32/OpenCandy | Adware | 4.7% |
| 7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.0% |
| 8 | Win32/Brontok | Worms | 3.8% |
| 9 | Win32/Wpakill | Misc. Potentially Unwanted Software | 3.6% |
| 10 | Win32/Conficker | Worms | 3.4% |
The most common threat family in Paraguay in 4Q12 was Win32/Dorkbot, which affected 21.2 percent of computers with detections in Paraguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The second most common threat family in Paraguay in 4Q12 was Win32/Keygen, which affected 17.6 percent of computers with detections in Paraguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Paraguay in 4Q12 was INF/Autorun, which affected 11.3 percent of computers with detections in Paraguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Paraguay in 4Q12 was Win32/DealPly, which affected 5.0 percent of computers with detections in Paraguay. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Paraguay
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Peru
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Peru in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Peru
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Peru and around the world, and for explanations of the methods and terms used here.
[Chart: Peru and Worldwide series by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Peru in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Peru and Worldwide]
The most common category in Peru in 4Q12 was Worms. It affected 45.1 percent of all computers with detections there, up from 43.0 percent in 3Q12. The second most common category in Peru in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.9 percent of all computers with detections there, up from 38.4 percent in 3Q12. The third most common category in Peru in 4Q12 was Miscellaneous Trojans, which affected 23.1 percent of all computers with detections there, down from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Peru in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.6% |
| 2 | Win32/Dorkbot | Worms | 19.6% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.9% |
| 4 | Win32/Vobfus | Worms | 11.3% |
| 5 | Win32/Conficker | Worms | 6.9% |
| 6 | Win32/Yeltminky | Worms | 6.0% |
| 7 | Win32/Sality | Viruses | 5.9% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.0% |
| 9 | Win32/Nuqel | Worms | 4.6% |
| 10 | JS/IframeRef | Misc. Trojans | 4.5% |
The most common threat family in Peru in 4Q12 was Win32/Keygen, which affected 20.6 percent of computers with detections in Peru. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Peru in 4Q12 was Win32/Dorkbot, which affected 19.6 percent of computers with detections in Peru. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits. The third most common threat family in Peru in 4Q12 was INF/Autorun, which affected 11.9 percent of computers with detections in Peru. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Peru in 4Q12 was Win32/Vobfus, which affected 11.3 percent of computers with detections in Peru. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Peru
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Philippines
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the Philippines in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the Philippines
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the Philippines and around the world, and for explanations of the methods and terms used here.
[Chart: Philippines and Worldwide series by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the Philippines in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Philippines and Worldwide]
The most common category in the Philippines in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.7 percent of all computers with detections there, up from 38.7 percent in 3Q12. The second most common category in the Philippines in 4Q12 was Worms. It affected 41.5 percent of all computers with detections there, up from 40.8 percent in 3Q12. The third most common category in the Philippines in 4Q12 was Miscellaneous Trojans, which affected 30.4 percent of all computers with detections there, up from 30.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the Philippines in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.0% |
| 2 | Win32/Sality | Viruses | 18.1% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.9% |
| 4 | Win32/Dorkbot | Worms | 12.1% |
| 5 | Win32/Conficker | Worms | 9.5% |
| 6 | Win32/Ramnit | Misc. Trojans | 8.4% |
| 7 | Win32/CplLnk | Exploits | 7.9% |
| 8 | Win32/Nuqel | Worms | 6.5% |
| 9 | Win32/Hotbar | Adware | 6.3% |
| 10 | Win32/Vobfus | Worms | 5.8% |
The most common threat family in the Philippines in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in the Philippines. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in the Philippines in 4Q12 was Win32/Sality, which affected 18.1 percent of computers with detections in the Philippines. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in the Philippines in 4Q12 was Win32/Keygen, which affected 15.9 percent of computers with detections in the Philippines. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in the Philippines in 4Q12 was Win32/Dorkbot, which affected 12.1 percent of computers with detections in the Philippines. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the Philippines
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Poland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Poland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Poland
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Poland and around the world, and for explanations of the methods and terms used here.
[Chart: Poland and Worldwide series by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Poland in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Poland and Worldwide]
The most common category in Poland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 31.5 percent of all computers with detections there, down from 32.7 percent in 3Q12. The second most common category in Poland in 4Q12 was Miscellaneous Trojans. It affected 25.4 percent of all computers with detections there, up from 25.2 percent in 3Q12. The third most common category in Poland in 4Q12 was Worms, which affected 21.2 percent of all computers with detections there, down from 23.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Poland in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/DealPly | Adware | 10.6% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.6% |
| 3 | Win32/Pdfjsc | Exploits | 8.4% |
| 4 | INF/Autorun | Misc. Potentially Unwanted Software | 6.9% |
| 5 | Java/Blacole | Exploits | 6.4% |
| 6 | Win32/OpenCandy | Adware | 4.7% |
| 7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.6% |
| 8 | Win32/Zbot | Password Stealers & Monitoring Tools | 4.4% |
| 9 | Win32/Vobfus | Worms | 4.3% |
| 10 | Win32/Reveton | Misc. Trojans | 4.2% |
The most common threat family in Poland in 4Q12 was Win32/DealPly, which affected 10.6 percent of computers with detections in Poland. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Poland in 4Q12 was Win32/Keygen, which affected 10.6 percent of computers with detections in Poland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Poland in 4Q12 was Win32/Pdfjsc, which affected 8.4 percent of computers with detections in Poland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Poland in 4Q12 was INF/Autorun, which affected 6.9 percent of computers with detections in Poland. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Poland
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Portugal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Portugal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Portugal
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Portugal and around the world, and for explanations of the methods and terms used here.
[Chart: Portugal and Worldwide series by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Portugal in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Portugal and Worldwide]
The most common category in Portugal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.8 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Portugal in 4Q12 was Miscellaneous Trojans. It affected 25.9 percent of all computers with detections there, down from 30.0 percent in 3Q12. The third most common category in Portugal in 4Q12 was Exploits, which affected 25.7 percent of all computers with detections there, up from 15.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Portugal in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 17.5% |
| 2 | Win32/Pdfjsc | Exploits | 15.7% |
| 3 | Win32/DealPly | Adware | 15.2% |
| 4 | Java/Blacole | Exploits | 9.3% |
| 5 | JS/IframeRef | Misc. Trojans | 7.0% |
| 6 | Win32/Reveton | Misc. Trojans | 6.0% |
| 7 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.8% |
| 8 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 9 | Win32/OpenCandy | Adware | 3.4% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.4% |
The most common threat family in Portugal in 4Q12 was Win32/Keygen, which affected 17.5 percent of computers with detections in Portugal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Portugal in 4Q12 was Win32/Pdfjsc, which affected 15.7 percent of computers with detections in Portugal. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Portugal in 4Q12 was Win32/DealPly, which affected 15.2 percent of computers with detections in Portugal. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The fourth most common threat family in Portugal in 4Q12 was Java/Blacole, which affected 9.3 percent of computers with detections in Portugal. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Portugal
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Puerto Rico
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Puerto Rico in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Puerto Rico
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Puerto Rico and around the world, and for explanations of the methods and terms used here.
[Chart: by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Puerto Rico in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Puerto Rico and Worldwide]
The most common category in Puerto Rico in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.7 percent of all computers with detections there, up from 27.2 percent in 3Q12. The second most common category in Puerto Rico in 4Q12 was Worms. It affected 32.6 percent of all computers with detections there, up from 29.5 percent in 3Q12. The third most common category in Puerto Rico in 4Q12 was Miscellaneous Trojans, which affected 24.8 percent of all computers with detections there, up from 22.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Puerto Rico in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 12.3% |
| 2 | Win32/Vobfus | Worms | 11.4% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.0% |
| 4 | Win32/Hotbar | Adware | 8.3% |
| 5 | JS/IframeRef | Misc. Trojans | 8.1% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.6% |
| 7 | Win32/Brontok | Worms | 6.7% |
| 8 | Win32/OpenCandy | Adware | 4.1% |
| 9 | Win32/Dorkbot | Worms | 3.2% |
| 10 | Win32/Hamweq | Worms | 3.2% |
The most common threat family in Puerto Rico in 4Q12 was INF/Autorun, which affected 12.3 percent of computers with detections in Puerto Rico. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Puerto Rico in 4Q12 was Win32/Vobfus, which affected 11.4 percent of computers with detections in Puerto Rico. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in Puerto Rico in 4Q12 was Win32/Keygen, which affected 11.0 percent of computers with detections in Puerto Rico. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Puerto Rico in 4Q12 was Win32/Hotbar, which affected 8.3 percent of computers with detections in Puerto Rico. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Puerto Rico
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Qatar
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Qatar in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Qatar
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Qatar and around the world, and for explanations of the methods and terms used here.
[Chart: Qatar and Worldwide series by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Qatar in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Qatar and Worldwide]
The most common category in Qatar in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.5 percent of all computers with detections there, up from 29.5 percent in 3Q12. The second most common category in Qatar in 4Q12 was Worms. It affected 35.4 percent of all computers with detections there, up from 28.2 percent in 3Q12. The third most common category in Qatar in 4Q12 was Miscellaneous Trojans, which affected 30.0 percent of all computers with detections there, up from 24.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Qatar in 4Q12
|  | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 15.8% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.2% |
| 3 | Win32/Hotbar | Adware | 7.6% |
| 4 | Win32/Nuqel | Worms | 7.5% |
| 5 | Win32/Sality | Viruses | 7.4% |
| 6 | Win32/Dorkbot | Worms | 5.7% |
| 7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.7% |
| 8 | JS/IframeRef | Misc. Trojans | 5.6% |
| 9 | Win32/Rimecud | Misc. Trojans | 4.2% |
| 10 | Win32/Conficker | Worms | 4.0% |
The most common threat family in Qatar in 4Q12 was INF/Autorun, which affected 15.8 percent of computers with detections in Qatar. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Qatar in 4Q12 was Win32/Keygen, which affected 15.2 percent of computers with detections in Qatar. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Qatar in 4Q12 was Win32/Hotbar, which affected 7.6 percent of computers with detections in Qatar. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Qatar in 4Q12 was Win32/Nuqel, which affected 7.5 percent of computers with detections in Qatar. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Qatar
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Romania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Romania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Romania
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Romania and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Romania, by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Romania in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Romania and Worldwide]
The most common category in Romania in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 37.4 percent in 3Q12. The second most common category in Romania in 4Q12 was Miscellaneous Trojans. It affected 30.1 percent of all computers with detections there, up from 29.3 percent in 3Q12. The third most common category in Romania in 4Q12 was Worms, which affected 22.1 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Romania in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 20.0%
2 | Win32/Sality | Viruses | 12.7%
3 | INF/Autorun | Misc. Potentially Unwanted Software | 11.1%
4 | Win32/Conficker | Worms | 5.8%
5 | JS/IframeRef | Misc. Trojans | 5.8%
6 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.5%
7 | Win32/Wpakill | Misc. Potentially Unwanted Software | 4.4%
8 | Win32/Brontok | Worms | 3.9%
9 | Win32/Pdfjsc | Exploits | 3.8%
10 | Win32/Dorkbot | Worms | 3.2%
The most common threat family in Romania in 4Q12 was Win32/Keygen, which affected 20.0 percent of computers with detections in Romania. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Romania in 4Q12 was Win32/Sality, which affected 12.7 percent of computers with detections in Romania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Romania in 4Q12 was INF/Autorun, which affected 11.1 percent of computers with detections in Romania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Romania in 4Q12 was Win32/Conficker, which affected 5.8 percent of computers with detections in Romania. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Romania
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Russia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Russia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Russia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Russia and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Russia, by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Russia in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Russia and Worldwide]
The most common category in Russia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 50.0 percent of all computers with detections there, down from 52.3 percent in 3Q12. The second most common category in Russia in 4Q12 was Miscellaneous Trojans. It affected 37.1 percent of all computers with detections there, up from 36.6 percent in 3Q12. The third most common category in Russia in 4Q12 was Worms, which affected 17.5 percent of all computers with detections there, up from 15.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Russia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 18.7%
2 | Win32/Pameseg | Misc. Potentially Unwanted Software | 11.5%
3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 10.4%
4 | JS/Redirector | Misc. Trojans | 7.9%
5 | Win32/Vundo | Misc. Trojans | 7.3%
6 | Win32/Dorkbot | Worms | 6.9%
7 | Win32/Pdfjsc | Exploits | 5.9%
8 | Java/Blacole | Exploits | 5.3%
9 | INF/Autorun | Misc. Potentially Unwanted Software | 5.0%
10 | Win32/Webalta | Adware | 4.7%
The most common threat family in Russia in 4Q12 was Win32/Keygen, which affected 18.7 percent of computers with detections in Russia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Russia in 4Q12 was Win32/Pameseg, which affected 11.5 percent of computers with detections in Russia. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The third most common threat family in Russia in 4Q12 was Win32/Obfuscator, which affected 10.4 percent of computers with detections in Russia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Russia in 4Q12 was JS/Redirector, which affected 7.9 percent of computers with detections in Russia. JS/Redirector is a detection for a class of JavaScript trojans that redirect users to unexpected websites, which may contain drive-by downloads.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Russia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Saudi Arabia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Saudi Arabia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Saudi Arabia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Saudi Arabia and around the world, and for explanations of the methods and terms used here.
[Chart: by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Saudi Arabia in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Saudi Arabia and Worldwide]
The most common category in Saudi Arabia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 40.4 percent of all computers with detections there, up from 29.9 percent in 3Q12. The second most common category in Saudi Arabia in 4Q12 was Miscellaneous Trojans. It affected 33.0 percent of all computers with detections there, up from 27.3 percent in 3Q12. The third most common category in Saudi Arabia in 4Q12 was Worms, which affected 31.8 percent of all computers with detections there, up from 21.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Saudi Arabia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.9%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 14.4%
3 | Win32/Sality | Viruses | 10.8%
4 | Win32/Ramnit | Misc. Trojans | 7.4%
5 | Win32/Dorkbot | Worms | 6.9%
6 | Win32/CplLnk | Exploits | 6.7%
7 | JS/IframeRef | Misc. Trojans | 6.1%
8 | Win32/Vobfus | Worms | 4.0%
9 | Win32/Hotbar | Adware | 3.8%
10 | Win32/Mabezat | Viruses | 3.5%
The most common threat family in Saudi Arabia in 4Q12 was Win32/Keygen, which affected 19.9 percent of computers with detections in Saudi Arabia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Saudi Arabia in 4Q12 was INF/Autorun, which affected 14.4 percent of computers with detections in Saudi Arabia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Saudi Arabia in 4Q12 was Win32/Sality, which affected 10.8 percent of computers with detections in Saudi Arabia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Saudi Arabia in 4Q12 was Win32/Ramnit, which affected 7.4 percent of computers with detections in Saudi Arabia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Saudi Arabia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Senegal
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Senegal in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Senegal
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Senegal and around the world, and for explanations of the methods and terms used here.
[Chart: Worldwide and Senegal, by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Senegal in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Senegal and Worldwide]
The most common category in Senegal in 4Q12 was Worms. It affected 45.3 percent of all computers with detections there, down from 48.8 percent in 3Q12. The second most common category in Senegal in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 37.9 percent of all computers with detections there, up from 35.7 percent in 3Q12. The third most common category in Senegal in 4Q12 was Miscellaneous Trojans, which affected 27.7 percent of all computers with detections there, up from 26.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Senegal in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | INF/Autorun | Misc. Potentially Unwanted Software | 27.6%
2 | Win32/Sality | Viruses | 15.1%
3 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.0%
4 | Win32/Vobfus | Worms | 11.1%
5 | VBS/Cinera | Worms | 11.1%
6 | Win32/Ramnit | Misc. Trojans | 7.9%
7 | Win32/CplLnk | Exploits | 6.4%
8 | Win32/Dorkbot | Worms | 5.9%
9 | Win32/DealPly | Adware | 5.3%
10 | Win32/Virut | Viruses | 4.8%
The most common threat family in Senegal in 4Q12 was INF/Autorun, which affected 27.6 percent of computers with detections in Senegal. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Senegal in 4Q12 was Win32/Sality, which affected 15.1 percent of computers with detections in Senegal. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Senegal in 4Q12 was Win32/Keygen, which affected 13.0 percent of computers with detections in Senegal. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in Senegal in 4Q12 was Win32/Vobfus, which affected 11.1 percent of computers with detections in Senegal. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Senegal
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Singapore
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Singapore in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Singapore
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Singapore and around the world, and for explanations of the methods and terms used here.
[Chart: Computers cleaned per 1,000 scanned (CCM), Worldwide and Singapore, by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Singapore in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Singapore and Worldwide]
The most common category in Singapore in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.4 percent of all computers with detections there, up from 28.4 percent in 3Q12. The second most common category in Singapore in 4Q12 was Miscellaneous Trojans. It affected 27.5 percent of all computers with detections there, up from 25.6 percent in 3Q12. The third most common category in Singapore in 4Q12 was Worms, which affected 23.4 percent of all computers with detections there, up from 21.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Singapore in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.6%
2 | INF/Autorun | Misc. Potentially Unwanted Software | 9.8%
3 | Win32/Hotbar | Adware | 9.2%
4 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.9%
5 | JS/IframeRef | Misc. Trojans | 6.2%
6 | Win32/Dorkbot | Worms | 5.8%
7 | Win32/OpenCandy | Adware | 4.6%
8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.3%
9 | Win32/Sality | Viruses | 4.0%
10 | Win32/Ramnit | Misc. Trojans | 3.3%
The most common threat family in Singapore in 4Q12 was Win32/Keygen, which affected 14.6 percent of computers with detections in Singapore. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Singapore in 4Q12 was INF/Autorun, which affected 9.8 percent of computers with detections in Singapore. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Singapore in 4Q12 was Win32/Hotbar, which affected 9.2 percent of computers with detections in Singapore. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Singapore in 4Q12 was Win32/Zwangi, which affected 7.9 percent of computers with detections in Singapore. Win32/Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Singapore
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Slovakia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovakia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovakia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovakia and around the world, and for explanations of the methods and terms used here.
[Chart: Computers cleaned per 1,000 scanned (CCM), Worldwide and Slovakia, by quarter, 3Q11 through 4Q12]
Threat categories
Malware and potentially unwanted software categories in Slovakia in 4Q12, by percentage of computers reporting detections
[Chart: percent of computers reporting detections, Slovakia and Worldwide]
The most common category in Slovakia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.3 percent of all computers with detections there, up from 37.3 percent in 3Q12. The second most common category in Slovakia in 4Q12 was Miscellaneous Trojans. It affected 26.9 percent of all computers with detections there, down from 27.3 percent in 3Q12. The third most common category in Slovakia in 4Q12 was Adware, which affected 16.9 percent of all computers with detections there, down from 29.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Slovakia in 4Q12
Rank | Family | Most significant category | % of computers with detections
1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.1%
2 | Win32/Pdfjsc | Exploits | 7.4%
3 | JS/IframeRef | Misc. Trojans | 7.1%
4 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.4%
5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.8%
6 | Java/Blacole | Exploits | 5.5%
7 | Win32/OpenCandy | Adware | 4.8%
8 | Win32/Dorkbot | Worms | 4.1%
9 | Win32/Hotbar | Adware | 3.9%
10 | Win32/Reveton | Misc. Trojans | 3.4%
The most common threat family in Slovakia in 4Q12 was Win32/Keygen, which affected 23.1 percent of computers with detections in Slovakia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovakia in 4Q12 was Win32/Pdfjsc, which affected 7.4 percent of computers with detections in Slovakia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovakia in 4Q12 was JS/IframeRef, which affected 7.1 percent of computers with detections in Slovakia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Slovakia in 4Q12 was Win32/Obfuscator, which affected 6.4 percent of computers with detections in Slovakia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovakia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Slovenia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Slovenia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Slovenia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Slovenia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Slovenia]
Threat categories
[Figure: Malware and potentially unwanted software categories in Slovenia in 4Q12, by percentage of computers reporting detections; series: Slovenia, Worldwide]
The most common category in Slovenia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.5 percent of all computers with detections there, up from 37.9 percent in 3Q12. The second most common category in Slovenia in 4Q12 was Miscellaneous Trojans. It affected 27.1 percent of all computers with detections there, up from 26.6 percent in 3Q12. The third most common category in Slovenia in 4Q12 was Exploits, which affected 15.7 percent of all computers with detections there, up from 4.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Slovenia in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 23.0% |
| 2 | Win32/Pdfjsc | Exploits | 11.2% |
| 3 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 6.5% |
| 4 | JS/IframeRef | Misc. Trojans | 5.3% |
| 5 | JS/BlacoleRef | Misc. Trojans | 5.2% |
| 6 | Win32/Hotbar | Adware | 4.9% |
| 7 | ASX/Wimad | Trojan Downloaders & Droppers | 4.8% |
| 8 | INF/Autorun | Misc. Potentially Unwanted Software | 4.3% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 3.9% |
| 10 | Java/Blacole | Exploits | 3.6% |
The most common threat family in Slovenia in 4Q12 was Win32/Keygen, which affected 23.0 percent of computers with detections in Slovenia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Slovenia in 4Q12 was Win32/Pdfjsc, which affected 11.2 percent of computers with detections in Slovenia. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Slovenia in 4Q12 was Win32/Obfuscator, which affected 6.5 percent of computers with detections in Slovenia. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The fourth most common threat family in Slovenia in 4Q12 was JS/IframeRef, which affected 5.3 percent of computers with detections in Slovenia. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Slovenia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
South Africa
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in South Africa in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for South Africa
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in South Africa and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in South Africa in 4Q12, by percentage of computers reporting detections; series: South Africa, Worldwide]
The most common category in South Africa in 4Q12 was Worms. It affected 41.2 percent of all computers with detections there, up from 39.9 percent in 3Q12. The second most common category in South Africa in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.1 percent of all computers with detections there, up from 32.9 percent in 3Q12. The third most common category in South Africa in 4Q12 was Miscellaneous Trojans, which affected 26.8 percent of all computers with detections there, up from 26.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in South Africa in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 18.0% |
| 2 | Win32/Vobfus | Worms | 12.9% |
| 3 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.4% |
| 4 | Win32/Rimecud | Misc. Trojans | 6.7% |
| 5 | Win32/Dorkbot | Worms | 5.6% |
| 6 | Win32/Nuqel | Worms | 5.5% |
| 7 | Win32/Virut | Viruses | 5.2% |
| 8 | JS/IframeRef | Misc. Trojans | 5.2% |
| 9 | Win32/Folstart | Worms | 4.7% |
| 10 | Win32/Sality | Viruses | 4.7% |
The most common threat family in South Africa in 4Q12 was INF/Autorun, which affected 18.0 percent of computers with detections in South Africa. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in South Africa in 4Q12 was Win32/Vobfus, which affected 12.9 percent of computers with detections in South Africa. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in South Africa in 4Q12 was Win32/Keygen, which affected 12.4 percent of computers with detections in South Africa. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in South Africa in 4Q12 was Win32/Rimecud, which affected 6.7 percent of computers with detections in South Africa. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for South Africa
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Spain
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Spain in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Spain
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Spain and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Spain]
Threat categories
[Figure: Malware and potentially unwanted software categories in Spain in 4Q12, by percentage of computers reporting detections; series: Spain, Worldwide]
The most common category in Spain in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 35.0 percent of all computers with detections there, up from 26.0 percent in 3Q12. The second most common category in Spain in 4Q12 was Adware. It affected 32.4 percent of all computers with detections there, down from 35.9 percent in 3Q12. The third most common category in Spain in 4Q12 was Miscellaneous Trojans, which affected 22.4 percent of all computers with detections there, down from 25.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Spain in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/DealPly | Adware | 17.2% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 13.5% |
| 3 | Win32/Pdfjsc | Exploits | 7.9% |
| 4 | ASX/Wimad | Trojan Downloaders & Droppers | 5.5% |
| 5 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.9% |
| 7 | Java/Blacole | Exploits | 4.8% |
| 8 | Win32/Pameseg | Misc. Potentially Unwanted Software | 4.2% |
| 9 | JS/IframeRef | Misc. Trojans | 4.0% |
| 10 | Win32/Sirefef | Misc. Trojans | 4.0% |
The most common threat family in Spain in 4Q12 was Win32/DealPly, which affected 17.2 percent of computers with detections in Spain. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The second most common threat family in Spain in 4Q12 was Win32/Keygen, which affected 13.5 percent of computers with detections in Spain. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Spain in 4Q12 was Win32/Pdfjsc, which affected 7.9 percent of computers with detections in Spain. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Spain in 4Q12 was ASX/Wimad, which affected 5.5 percent of computers with detections in Spain. ASX/Wimad is a detection for malicious Windows Media files that can be used to encourage users to download and execute arbitrary files on an affected machine.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Spain
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Sri Lanka
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sri Lanka in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sri Lanka
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sri Lanka and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Sri Lanka in 4Q12, by percentage of computers reporting detections; series: Sri Lanka, Worldwide]
The most common category in Sri Lanka in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.1 percent of all computers with detections there, up from 41.6 percent in 3Q12. The second most common category in Sri Lanka in 4Q12 was Worms. It affected 40.2 percent of all computers with detections there, up from 37.7 percent in 3Q12. The third most common category in Sri Lanka in 4Q12 was Miscellaneous Trojans, which affected 32.7 percent of all computers with detections there, up from 30.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Sri Lanka in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 27.5% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.1% |
| 3 | Win32/Sality | Viruses | 18.8% |
| 4 | Win32/Ramnit | Misc. Trojans | 13.1% |
| 5 | Win32/CplLnk | Exploits | 12.6% |
| 6 | Win32/Nuqel | Worms | 11.4% |
| 7 | Win32/Dorkbot | Worms | 10.1% |
| 8 | Win32/Delicium | Viruses | 9.1% |
| 9 | Win32/Rimecud | Misc. Trojans | 5.9% |
| 10 | Win32/Virut | Viruses | 4.9% |
The most common threat family in Sri Lanka in 4Q12 was INF/Autorun, which affected 27.5 percent of computers with detections in Sri Lanka. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Sri Lanka in 4Q12 was Win32/Keygen, which affected 22.1 percent of computers with detections in Sri Lanka. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Sri Lanka in 4Q12 was Win32/Sality, which affected 18.8 percent of computers with detections in Sri Lanka. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Sri Lanka in 4Q12 was Win32/Ramnit, which affected 13.1 percent of computers with detections in Sri Lanka. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sri Lanka
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Sweden
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Sweden in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Sweden
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Sweden and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Sweden]
Threat categories
[Figure: Malware and potentially unwanted software categories in Sweden in 4Q12, by percentage of computers reporting detections; series: Sweden, Worldwide]
The most common category in Sweden in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 32.6 percent of all computers with detections there, up from 27.7 percent in 3Q12. The second most common category in Sweden in 4Q12 was Miscellaneous Trojans. It affected 30.0 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Sweden in 4Q12 was Adware, which affected 25.4 percent of all computers with detections there, down from 27.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Sweden in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.5% |
| 2 | Win32/DealPly | Adware | 12.0% |
| 3 | Win32/Pdfjsc | Exploits | 10.5% |
| 4 | JS/IframeRef | Misc. Trojans | 8.0% |
| 5 | Java/Blacole | Exploits | 7.2% |
| 6 | Win32/Hotbar | Adware | 6.7% |
| 7 | Win32/Sirefef | Misc. Trojans | 5.3% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.7% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.6% |
| 10 | Win32/OpenCandy | Adware | 3.0% |
The most common threat family in Sweden in 4Q12 was Win32/Keygen, which affected 14.5 percent of computers with detections in Sweden. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Sweden in 4Q12 was Win32/DealPly, which affected 12.0 percent of computers with detections in Sweden. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs. The third most common threat family in Sweden in 4Q12 was Win32/Pdfjsc, which affected 10.5 percent of computers with detections in Sweden. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The fourth most common threat family in Sweden in 4Q12 was JS/IframeRef, which affected 8.0 percent of computers with detections in Sweden. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Sweden
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Switzerland
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Switzerland in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Switzerland
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Switzerland and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM) by quarter, 3Q11 to 4Q12; series: Worldwide, Switzerland]
Threat categories
[Figure: Malware and potentially unwanted software categories in Switzerland in 4Q12, by percentage of computers reporting detections; series: Switzerland, Worldwide]
The most common category in Switzerland in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 33.0 percent of all computers with detections there, up from 25.1 percent in 3Q12. The second most common category in Switzerland in 4Q12 was Miscellaneous Trojans. It affected 27.6 percent of all computers with detections there, down from 32.2 percent in 3Q12. The third most common category in Switzerland in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 29.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Switzerland in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
| --- | --- | --- | --- |
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 12.2% |
| 2 | Win32/Pdfjsc | Exploits | 9.3% |
| 3 | JS/IframeRef | Misc. Trojans | 7.7% |
| 4 | Win32/DealPly | Adware | 6.8% |
| 5 | Java/Blacole | Exploits | 6.4% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 5.7% |
| 7 | Win32/Hotbar | Adware | 5.4% |
| 8 | ASX/Wimad | Trojan Downloaders & Droppers | 4.7% |
| 9 | Win32/OpenCandy | Adware | 4.2% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4% |
The most common threat family in Switzerland in 4Q12 was Win32/Keygen, which affected 12.2 percent of computers with detections in Switzerland. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Switzerland in 4Q12 was Win32/Pdfjsc, which affected 9.3 percent of computers with detections in Switzerland. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The third most common threat family in Switzerland in 4Q12 was JS/IframeRef, which affected 7.7 percent of computers with detections in Switzerland. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Switzerland in 4Q12 was Win32/DealPly, which affected 6.8 percent of computers with detections in Switzerland. Win32/DealPly is adware that displays offers related to the user's web browsing habits. It may be bundled with certain third-party software installation programs.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Switzerland
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Syria
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Syria in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Syria
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Syria and around the world, and for explanations of the methods and terms used here.
[Figure: infection rates for Syria and worldwide by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Syria in 4Q12, by percentage of computers reporting detections; series: Syria and Worldwide]
The most common category in Syria in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 46.4 percent of all computers with detections there, up from 37.8 percent in 3Q12. The second most common category in Syria in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 33.7 percent in 3Q12. The third most common category in Syria in 4Q12 was Miscellaneous Trojans, which affected 35.4 percent of all computers with detections there, up from 30.9 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Syria in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 26.1% |
| 2 | Win32/Sality | Viruses | 20.5% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 18.9% |
| 4 | Win32/Ramnit | Misc. Trojans | 17.3% |
| 5 | Win32/CplLnk | Exploits | 13.3% |
| 6 | Win32/Dorkbot | Worms | 12.4% |
| 7 | Win32/Virut | Viruses | 9.1% |
| 8 | Win32/Folstart | Worms | 9.0% |
| 9 | Win32/Nuqel | Worms | 6.4% |
| 10 | JS/IframeRef | Misc. Trojans | 5.4% |
The most common threat family in Syria in 4Q12 was Win32/Keygen, which affected 26.1 percent of computers with detections in Syria. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Syria in 4Q12 was Win32/Sality, which affected 20.5 percent of computers with detections in Syria. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Syria in 4Q12 was INF/Autorun, which affected 18.9 percent of computers with detections in Syria. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Syria in 4Q12 was Win32/Ramnit, which affected 17.3 percent of computers with detections in Syria. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Syria
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Taiwan
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Taiwan in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Taiwan
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Taiwan and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Taiwan and worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Taiwan in 4Q12, by percentage of computers reporting detections; series: Taiwan and Worldwide]
The most common category in Taiwan in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 44.4 percent of all computers with detections there, up from 40.2 percent in 3Q12. The second most common category in Taiwan in 4Q12 was Miscellaneous Trojans. It affected 32.9 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in Taiwan in 4Q12 was Worms, which affected 21.0 percent of all computers with detections there, down from 21.4 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Taiwan in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.5% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 12.1% |
| 3 | JS/IframeRef | Misc. Trojans | 6.5% |
| 4 | Win32/Conficker | Worms | 6.0% |
| 5 | Win32/Taterf | Worms | 4.9% |
| 6 | Win32/Nitol | Misc. Trojans | 4.9% |
| 7 | Win32/Rimecud | Misc. Trojans | 4.4% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 4.0% |
| 9 | Win32/FlyAgent | Backdoors | 3.8% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 3.6% |
The most common threat family in Taiwan in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Taiwan. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Taiwan in 4Q12 was INF/Autorun, which affected 12.1 percent of computers with detections in Taiwan. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Taiwan in 4Q12 was JS/IframeRef, which affected 6.5 percent of computers with detections in Taiwan. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The fourth most common threat family in Taiwan in 4Q12 was Win32/Conficker, which affected 6.0 percent of computers with detections in Taiwan. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Taiwan
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Tanzania
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tanzania in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tanzania
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tanzania and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Tanzania and worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Tanzania in 4Q12, by percentage of computers reporting detections; series: Tanzania and Worldwide]
The most common category in Tanzania in 4Q12 was Worms. It affected 39.1 percent of all computers with detections there, down from 41.8 percent in 3Q12. The second most common category in Tanzania in 4Q12 was Miscellaneous Trojans. It affected 38.3 percent of all computers with detections there, up from 35.2 percent in 3Q12. The third most common category in Tanzania in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 34.4 percent of all computers with detections there, up from 33.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Tanzania in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.6% |
| 2 | Win32/Ramnit | Misc. Trojans | 14.9% |
| 3 | Win32/Vobfus | Worms | 13.8% |
| 4 | Win32/Sality | Viruses | 13.1% |
| 5 | Win32/Keygen | Misc. Potentially Unwanted Software | 11.3% |
| 6 | Win32/CplLnk | Exploits | 10.2% |
| 7 | Win32/Dorkbot | Worms | 9.9% |
| 8 | Win32/Virut | Viruses | 9.9% |
| 9 | Win32/Rimecud | Misc. Trojans | 8.6% |
| 10 | Win32/Enosch | Misc. Trojans | 6.8% |
The most common threat family in Tanzania in 4Q12 was INF/Autorun, which affected 19.6 percent of computers with detections in Tanzania. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Tanzania in 4Q12 was Win32/Ramnit, which affected 14.9 percent of computers with detections in Tanzania. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The third most common threat family in Tanzania in 4Q12 was Win32/Vobfus, which affected 13.8 percent of computers with detections in Tanzania. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The fourth most common threat family in Tanzania in 4Q12 was Win32/Sality, which affected 13.1 percent of computers with detections in Tanzania. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tanzania
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Thailand
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Thailand in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Thailand
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Thailand and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Thailand and worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Thailand in 4Q12, by percentage of computers reporting detections; series: Thailand and Worldwide]
The most common category in Thailand in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.0 percent of all computers with detections there, up from 41.0 percent in 3Q12. The second most common category in Thailand in 4Q12 was Miscellaneous Trojans. It affected 37.0 percent of all computers with detections there, up from 36.8 percent in 3Q12. The third most common category in Thailand in 4Q12 was Worms, which affected 29.3 percent of all computers with detections there, down from 32.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Thailand in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 24.4% |
| 2 | Win32/Sality | Viruses | 17.0% |
| 3 | INF/Autorun | Misc. Potentially Unwanted Software | 12.2% |
| 4 | Win32/Dorkbot | Worms | 8.0% |
| 5 | JS/IframeRef | Misc. Trojans | 7.6% |
| 6 | Win32/Ramnit | Misc. Trojans | 6.7% |
| 7 | Win32/Nitol | Misc. Trojans | 6.1% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.6% |
| 9 | Win32/Nuqel | Worms | 4.7% |
| 10 | Win32/Conficker | Worms | 4.7% |
The most common threat family in Thailand in 4Q12 was Win32/Keygen, which affected 24.4 percent of computers with detections in Thailand. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Thailand in 4Q12 was Win32/Sality, which affected 17.0 percent of computers with detections in Thailand. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The third most common threat family in Thailand in 4Q12 was INF/Autorun, which affected 12.2 percent of computers with detections in Thailand. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The fourth most common threat family in Thailand in 4Q12 was Win32/Dorkbot, which affected 8.0 percent of computers with detections in Thailand. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Thailand
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Trinidad and Tobago and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Trinidad and Tobago in 4Q12, by percentage of computers reporting detections, compared with Worldwide]
The most common category in Trinidad and Tobago in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.3 percent of all computers with detections there, up from 34.5 percent in 3Q12. The second most common category in Trinidad and Tobago in 4Q12 was Worms. It affected 31.1 percent of all computers with detections there, up from 28.7 percent in 3Q12. The third most common category in Trinidad and Tobago in 4Q12 was Adware, which affected 24.5 percent of all computers with detections there, down from 32.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Trinidad and Tobago in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 14.6% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.1% |
| 3 | Win32/Hotbar | Adware | 13.2% |
| 4 | Win32/Vobfus | Worms | 10.5% |
| 5 | Win32/Zwangi | Misc. Potentially Unwanted Software | 9.6% |
| 6 | Win32/Dorkbot | Worms | 6.3% |
| 7 | Win32/Brontok | Worms | 4.9% |
| 8 | Win32/VBInject | Misc. Potentially Unwanted Software | 4.8% |
| 9 | Win32/OpenCandy | Adware | 4.1% |
| 10 | JS/IframeRef | Misc. Trojans | 4.0% |
The most common threat family in Trinidad and Tobago in 4Q12 was INF/Autorun, which affected 14.6 percent of computers with detections in Trinidad and Tobago. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Trinidad and Tobago in 4Q12 was Win32/Keygen, which affected 14.1 percent of computers with detections in Trinidad and Tobago. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Trinidad and Tobago in 4Q12 was Win32/Hotbar, which affected 13.2 percent of computers with detections in Trinidad and Tobago. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. The fourth most common threat family in Trinidad and Tobago in 4Q12 was Win32/Vobfus, which affected 10.5 percent of computers with detections in Trinidad and Tobago. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Trinidad and Tobago
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Tunisia
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Tunisia in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Tunisia
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Tunisia and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Tunisia and worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
[Figure: Malware and potentially unwanted software categories in Tunisia in 4Q12, by percentage of computers reporting detections; series: Tunisia and Worldwide]
The most common category in Tunisia in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 45.3 percent of all computers with detections there, up from 35.9 percent in 3Q12. The second most common category in Tunisia in 4Q12 was Worms. It affected 34.9 percent of all computers with detections there, up from 30.9 percent in 3Q12. The third most common category in Tunisia in 4Q12 was Miscellaneous Trojans, which affected 29.3 percent of all computers with detections there, up from 24.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Tunisia in 4Q12
| Rank | Family | Most significant category | % of computers with detections |
|---|---|---|---|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 19.0% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 19.0% |
| 3 | Win32/Ramnit | Misc. Trojans | 13.4% |
| 4 | Win32/Sality | Viruses | 11.5% |
| 5 | Win32/Vobfus | Worms | 11.0% |
| 6 | Win32/CplLnk | Exploits | 10.9% |
| 7 | Win32/Zwangi | Misc. Potentially Unwanted Software | 6.6% |
| 8 | Win32/Mabezat | Viruses | 6.4% |
| 9 | Win32/Hotbar | Adware | 6.1% |
| 10 | Win32/Dorkbot | Worms | 5.7% |
The most common threat family in Tunisia in 4Q12 was INF/Autorun, which affected 19.0 percent of computers with detections in Tunisia. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Tunisia in 4Q12 was Win32/Keygen, which affected 19.0 percent of computers with detections in Tunisia. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in Tunisia in 4Q12 was Win32/Ramnit, which affected 13.4 percent of computers with detections in Tunisia. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. The fourth most common threat family in Tunisia in 4Q12 was Win32/Sality, which affected 11.5 percent of computers with detections in Tunisia. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Tunisia
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Turkey
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Turkey in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Turkey
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Turkey and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Turkey and Worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Turkey in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing Turkey with Worldwide; axis: percent of computers reporting detections]
The most common category in Turkey in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 38.7 percent of all computers with detections there, up from 29.3 percent in 3Q12. The second most common category in Turkey in 4Q12 was Miscellaneous Trojans. It affected 34.7 percent of all computers with detections there, up from 33.6 percent in 3Q12. The third most common category in Turkey in 4Q12 was Worms, which affected 34.7 percent of all computers with detections there, up from 28.7 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Turkey in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 15.0% |
| 2 | INF/Autorun | Misc. Potentially Unwanted Software | 13.7% |
| 3 | Win32/Sality | Viruses | 12.0% |
| 4 | Win32/Helompy | Worms | 10.3% |
| 5 | Win32/Nuqel | Worms | 7.9% |
| 6 | JS/BlacoleRef | Misc. Trojans | 6.4% |
| 7 | Win32/DealPly | Adware | 6.1% |
| 8 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 5.7% |
| 9 | Win32/Brontok | Worms | 5.1% |
| 10 | JS/IframeRef | Misc. Trojans | 5.1% |
The most common threat family in Turkey in 4Q12 was Win32/Keygen, which affected 15.0 percent of computers with detections in Turkey. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Turkey in 4Q12 was INF/Autorun, which affected 13.7 percent of computers with detections in Turkey. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The third most common threat family in Turkey in 4Q12 was Win32/Sality, which affected 12.0 percent of computers with detections in Turkey. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Turkey in 4Q12 was Win32/Helompy, which affected 10.3 percent of computers with detections in Turkey. Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or online services.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Turkey
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Uganda
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uganda in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uganda
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uganda and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Uganda and Worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Uganda in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing Uganda with Worldwide; axis: percent of computers reporting detections]
The most common category in Uganda in 4Q12 was Worms. It affected 43.9 percent of all computers with detections there, down from 46.2 percent in 3Q12. The second most common category in Uganda in 4Q12 was Miscellaneous Trojans. It affected 39.3 percent of all computers with detections there, up from 34.8 percent in 3Q12. The third most common category in Uganda in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 33.9 percent of all computers with detections there, up from 33.6 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Uganda in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 20.0% |
| 2 | Win32/Vobfus | Worms | 19.3% |
| 3 | Win32/Sality | Viruses | 14.3% |
| 4 | Win32/Ramnit | Misc. Trojans | 14.0% |
| 5 | Win32/CplLnk | Exploits | 11.5% |
| 6 | Win32/Dorkbot | Worms | 11.1% |
| 7 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.0% |
| 8 | Win32/Virut | Viruses | 7.2% |
| 9 | Win32/Rimecud | Misc. Trojans | 6.8% |
| 10 | Win32/Enosch | Misc. Trojans | 6.4% |
The most common threat family in Uganda in 4Q12 was INF/Autorun, which affected 20.0 percent of computers with detections in Uganda. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in Uganda in 4Q12 was Win32/Vobfus, which affected 19.3 percent of computers with detections in Uganda. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in Uganda in 4Q12 was Win32/Sality, which affected 14.3 percent of computers with detections in Uganda. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in Uganda in 4Q12 was Win32/Ramnit, which affected 14.0 percent of computers with detections in Uganda. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uganda
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Ukraine
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Ukraine in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Ukraine
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Ukraine and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Ukraine and Worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Ukraine in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing Ukraine with Worldwide; axis: percent of computers reporting detections]
The most common category in Ukraine in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 51.6 percent of all computers with detections there, down from 54.3 percent in 3Q12. The second most common category in Ukraine in 4Q12 was Miscellaneous Trojans. It affected 43.5 percent of all computers with detections there, up from 38.9 percent in 3Q12. The third most common category in Ukraine in 4Q12 was Worms, which affected 20.6 percent of all computers with detections there, up from 17.2 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Ukraine in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | Win32/Keygen | Misc. Potentially Unwanted Software | 22.5% |
| 2 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 10.7% |
| 3 | Win32/Pameseg | Misc. Potentially Unwanted Software | 10.5% |
| 4 | Win32/Dorkbot | Worms | 9.9% |
| 5 | JS/IframeRef | Misc. Trojans | 9.3% |
| 6 | Win32/Vundo | Misc. Trojans | 6.4% |
| 7 | INF/Autorun | Misc. Potentially Unwanted Software | 5.5% |
| 8 | JS/Redirector | Misc. Trojans | 4.6% |
| 9 | Win32/Webalta | Adware | 4.6% |
| 10 | Win32/Dynamer | Misc. Trojans | 4.0% |
The most common threat family in Ukraine in 4Q12 was Win32/Keygen, which affected 22.5 percent of computers with detections in Ukraine. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The second most common threat family in Ukraine in 4Q12 was Win32/Obfuscator, which affected 10.7 percent of computers with detections in Ukraine. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. The third most common threat family in Ukraine in 4Q12 was Win32/Pameseg, which affected 10.5 percent of computers with detections in Ukraine. Win32/Pameseg is a fake program installer that requires the user to send SMS messages to a premium number to successfully install certain programs. The fourth most common threat family in Ukraine in 4Q12 was Win32/Dorkbot, which affected 9.9 percent of computers with detections in Ukraine. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Ukraine
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Arab Emirates and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the United Arab Emirates in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart with Worldwide comparison; axis: percent of computers reporting detections]
The most common category in the United Arab Emirates in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 36.0 percent of all computers with detections there, up from 29.6 percent in 3Q12. The second most common category in the United Arab Emirates in 4Q12 was Worms. It affected 34.5 percent of all computers with detections there, up from 29.6 percent in 3Q12. The third most common category in the United Arab Emirates in 4Q12 was Miscellaneous Trojans, which affected 28.4 percent of all computers with detections there, up from 26.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United Arab Emirates in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | INF/Autorun | Misc. Potentially Unwanted Software | 15.7% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 14.0% |
| 3 | Win32/Sality | Viruses | 8.8% |
| 4 | Win32/Nuqel | Worms | 7.7% |
| 5 | Win32/Hotbar | Adware | 6.6% |
| 6 | Win32/Ramnit | Misc. Trojans | 5.0% |
| 7 | Win32/Vobfus | Worms | 4.7% |
| 8 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.7% |
| 9 | Win32/Dorkbot | Worms | 4.7% |
| 10 | ASX/Wimad | Trojan Downloaders & Droppers | 4.1% |
The most common threat family in the United Arab Emirates in 4Q12 was INF/Autorun, which affected 15.7 percent of computers with detections in the United Arab Emirates. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in the United Arab Emirates in 4Q12 was Win32/Keygen, which affected 14.0 percent of computers with detections in the United Arab Emirates. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the United Arab Emirates in 4Q12 was Win32/Sality, which affected 8.8 percent of computers with detections in the United Arab Emirates. Win32/Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. The fourth most common threat family in the United Arab Emirates in 4Q12 was Win32/Nuqel, which affected 7.7 percent of computers with detections in the United Arab Emirates. Win32/Nuqel is a worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Arab Emirates
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
United Kingdom
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United Kingdom in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United Kingdom
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United Kingdom and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the United Kingdom in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing United Kingdom with Worldwide; axis: percent of computers reporting detections]
The most common category in the United Kingdom in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 30.5 percent of all computers with detections there, up from 25.3 percent in 3Q12. The second most common category in the United Kingdom in 4Q12 was Miscellaneous Trojans. It affected 29.8 percent of all computers with detections there, down from 34.5 percent in 3Q12. The third most common category in the United Kingdom in 4Q12 was Adware, which affected 23.9 percent of all computers with detections there, down from 28.0 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United Kingdom in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | Win32/Pdfjsc | Exploits | 11.3% |
| 2 | Win32/Keygen | Misc. Potentially Unwanted Software | 10.5% |
| 3 | Java/Blacole | Exploits | 10.2% |
| 4 | Win32/Hotbar | Adware | 9.8% |
| 5 | JS/IframeRef | Misc. Trojans | 8.0% |
| 6 | Win32/Zwangi | Misc. Potentially Unwanted Software | 7.5% |
| 7 | Win32/DealPly | Adware | 6.9% |
| 8 | Win32/Sirefef | Misc. Trojans | 6.1% |
| 9 | ASX/Wimad | Trojan Downloaders & Droppers | 4.4% |
| 10 | Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4% |
The most common threat family in the United Kingdom in 4Q12 was Win32/Pdfjsc, which affected 11.3 percent of computers with detections in the United Kingdom. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. The second most common threat family in the United Kingdom in 4Q12 was Win32/Keygen, which affected 10.5 percent of computers with detections in the United Kingdom. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The third most common threat family in the United Kingdom in 4Q12 was Java/Blacole, which affected 10.2 percent of computers with detections in the United Kingdom. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United Kingdom in 4Q12 was Win32/Hotbar, which affected 9.8 percent of computers with detections in the United Kingdom. Win32/Hotbar is adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United Kingdom
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
United States
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in the United States in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for the United States
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in the United States and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in the United States in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing United States with Worldwide; axis: percent of computers reporting detections]
The most common category in the United States in 4Q12 was Miscellaneous Trojans. It affected 43.9 percent of all computers with detections there, down from 45.3 percent in 3Q12. The second most common category in the United States in 4Q12 was Exploits. It affected 23.0 percent of all computers with detections there, up from 16.4 percent in 3Q12. The third most common category in the United States in 4Q12 was Adware, which affected 20.8 percent of all computers with detections there, down from 28.8 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in the United States in 4Q12
| # | Family | Most significant category | % of computers with detections |
|---|--------|---------------------------|--------------------------------|
| 1 | JS/IframeRef | Misc. Trojans | 13.8% |
| 2 | Win32/Sirefef | Misc. Trojans | 9.0% |
| 3 | Java/Blacole | Exploits | 8.8% |
| 4 | Win32/Pdfjsc | Exploits | 8.8% |
| 5 | Win32/Tracur | Misc. Trojans | 6.4% |
| 6 | Win32/Keygen | Misc. Potentially Unwanted Software | 5.6% |
| 7 | Win32/Hotbar | Adware | 5.0% |
| 8 | Win32/GameVance | Adware | 5.0% |
| 9 | Win32/Zwangi | Misc. Potentially Unwanted Software | 4.5% |
| 10 | Win32/Adkubru | Adware | 3.9% |
The most common threat family in the United States in 4Q12 was JS/IframeRef, which affected 13.8 percent of computers with detections in the United States. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites that contain malicious content. The second most common threat family in the United States in 4Q12 was Win32/Sirefef, which affected 9.0 percent of computers with detections in the United States. Win32/Sirefef is a rogue security software family distributed under the name Antivirus 2010 and others. The third most common threat family in the United States in 4Q12 was Java/Blacole, which affected 8.8 percent of computers with detections in the United States. Java/Blacole is an exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. The fourth most common threat family in the United States in 4Q12 was Win32/Pdfjsc, which affected 8.8 percent of computers with detections in the United States. Win32/Pdfjsc is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for the United States
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Uruguay
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Uruguay in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Uruguay
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Uruguay and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Uruguay and Worldwide, by quarter, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Uruguay in 4Q12, by percentage of computers reporting detections
[Figure: threat categories chart comparing Uruguay with Worldwide; axis: percent of computers reporting detections]
The most common category in Uruguay in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 43.5 percent of all computers with detections there, up from 34.7 percent in 3Q12.
The second most common category in Uruguay in 4Q12 was Miscellaneous Trojans. It affected 21.8 percent of all computers with detections there, down from 24.7 percent in 3Q12.
The third most common category in Uruguay in 4Q12 was Worms, which affected 21.4 percent of all computers with detections there, up from 21.1 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Uruguay in 4Q12
Rank  Family            Most significant category            % of computers with detections
1     Win32/Keygen      Misc. Potentially Unwanted Software  18.3%
2     INF/Autorun       Misc. Potentially Unwanted Software  8.2%
3     Win32/Dorkbot     Worms                                7.2%
4     Win32/Obfuscator  Misc. Potentially Unwanted Software  6.1%
5     Win32/Conficker   Worms                                6.0%
6     Win32/DealPly     Adware                               5.2%
7     ASX/Wimad         Trojan Downloaders & Droppers        5.0%
8     Win32/OpenCandy   Adware                               4.5%
9     Win32/Zwangi      Misc. Potentially Unwanted Software  4.1%
10    JS/IframeRef      Misc. Trojans                        3.9%
The most common threat family in Uruguay in 4Q12 was Win32/Keygen, which affected 18.3 percent of computers with detections in Uruguay. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Uruguay in 4Q12 was INF/Autorun, which affected 8.2 percent of computers with detections in Uruguay. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The third most common threat family in Uruguay in 4Q12 was Win32/Dorkbot, which affected 7.2 percent of computers with detections in Uruguay. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The fourth most common threat family in Uruguay in 4Q12 was Win32/Obfuscator, which affected 6.1 percent of computers with detections in Uruguay. Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods,
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Uruguay
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Venezuela
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Venezuela in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Venezuela
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Venezuela and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Venezuela, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Venezuela in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category, Venezuela and Worldwide]
The most common category in Venezuela in 4Q12 was Worms. It affected 42.3 percent of all computers with detections there, up from 41.0 percent in 3Q12.
The second most common category in Venezuela in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 41.8 percent of all computers with detections there, up from 37.8 percent in 3Q12.
The third most common category in Venezuela in 4Q12 was Miscellaneous Trojans, which affected 24.0 percent of all computers with detections there, down from 25.3 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Venezuela in 4Q12
Rank  Family           Most significant category            % of computers with detections
1     INF/Autorun      Misc. Potentially Unwanted Software  17.4%
2     Win32/Keygen     Misc. Potentially Unwanted Software  15.4%
3     Win32/Dorkbot    Worms                                15.2%
4     Win32/Conficker  Worms                                9.0%
5     Win32/Sality     Viruses                              8.5%
6     Win32/Vobfus     Worms                                7.3%
7     Win32/Nuqel      Worms                                6.7%
8     Win32/Lamin      Backdoors                            5.2%
9     Win32/Rimecud    Misc. Trojans                        4.8%
10    Win32/Silly_P2P  Trojan Downloaders & Droppers        4.2%
The most common threat family in Venezuela in 4Q12 was INF/Autorun, which affected 17.4 percent of computers with detections in Venezuela. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
The second most common threat family in Venezuela in 4Q12 was Win32/Keygen, which affected 15.4 percent of computers with detections in Venezuela. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The third most common threat family in Venezuela in 4Q12 was Win32/Dorkbot, which affected 15.2 percent of computers with detections in Venezuela. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
The fourth most common threat family in Venezuela in 4Q12 was Win32/Conficker, which affected 9.0 percent of computers with detections in Venezuela. Win32/Conficker is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Venezuela
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)
Vietnam
The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The statistics presented here are generated by Microsoft security programs and services running on computers in Vietnam in 4Q12 and previous quarters. This data is provided from administrators or users who choose to opt in to provide data to Microsoft, using IP address geolocation to determine country or region.
Infection rate statistics for Vietnam
Metric Computers cleaned per 1,000 MSRT executions (CCM) Worldwide average CCM
See the Security Intelligence Report website at www.microsoft.com/sir for more information about threats in Vietnam and around the world, and for explanations of the methods and terms used here.
[Figure: Computers cleaned per 1,000 scanned (CCM), Worldwide and Vietnam, 3Q11 to 4Q12]
Threat categories
Malware and potentially unwanted software categories in Vietnam in 4Q12, by percentage of computers reporting detections
[Figure: Percent of computers reporting detections, by category, Vietnam and Worldwide]
The most common category in Vietnam in 4Q12 was Miscellaneous Potentially Unwanted Software. It affected 57.8 percent of all computers with detections there, up from 56.8 percent in 3Q12.
The second most common category in Vietnam in 4Q12 was Miscellaneous Trojans. It affected 38.4 percent of all computers with detections there, up from 38.2 percent in 3Q12.
The third most common category in Vietnam in 4Q12 was Worms, which affected 31.2 percent of all computers with detections there, up from 29.5 percent in 3Q12.
Threat families
The top 10 malware and potentially unwanted software families in Vietnam in 4Q12
Rank  Family                         Most significant category            % of computers with detections
1     Win32/Keygen                   Misc. Potentially Unwanted Software  33.8%
2     Win32/Ramnit                   Misc. Trojans                        24.2%
3     Win32/CplLnk                   Exploits                             20.3%
4     INF/Autorun                    Misc. Potentially Unwanted Software  17.0%
5     Win32/Sality                   Viruses                              15.4%
6     Win32/PossibleHostsFileHijack  Misc. Potentially Unwanted Software  15.0%
7     Win32/Patch                    Misc. Potentially Unwanted Software  11.6%
8     Win32/Conficker                Worms                                9.0%
9     Win32/VB                       Worms                                8.1%
10    Win32/Dorkbot                  Worms                                5.9%
The most common threat family in Vietnam in 4Q12 was Win32/Keygen, which affected 33.8 percent of computers with detections in Vietnam. Win32/Keygen is a generic detection for tools that generate product keys for various software products.
The second most common threat family in Vietnam in 4Q12 was Win32/Ramnit, which affected 24.2 percent of computers with detections in Vietnam. Win32/Ramnit is a family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker.
The third most common threat family in Vietnam in 4Q12 was Win32/CplLnk, which affected 20.3 percent of computers with detections in Vietnam. Win32/CplLnk is a generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046.
The fourth most common threat family in Vietnam in 4Q12 was INF/Autorun, which affected 17.0 percent of computers with detections in Vietnam. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected. To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.
Malicious website statistics for Vietnam
Metric Phishing sites per 1,000 hosts (Worldwide) Malware hosting sites per 1,000 hosts (Worldwide) Drive-by download per 1,000 URLs (Worldwide)