In part 1 of this series on the threat landscape in the European Union in the second half of 2011, I examined the threats in the location with the highest malware infection rate, Romania. In this segment of the series I will examine what is happening in the EU member states that have seen the biggest increases in malware infection rates in the last half of 2011, Austria, Germany, Italy, and the Netherlands.
As seen in figure 1 below, some of the locations in the EU had dramatic increases in their CCM during the second half of 2011. Austria, Germany, Italy, and the Netherlands all experienced relatively large increases in their CCM.
Figure 1: Locations in the EU with significant infection rate changes in the third (3Q11) and fourth (4Q11) quarters of 2011
As seen in figure 2 below, many different families of malware and potentially unwanted software are found in varying concentrations in these locations. Four specific families of threats contributed to the steep rise in the malware infection rates of Austria, Germany, Italy, and the Netherlands: Win32/EyeStye, Win32/Zbot (also known as Zeus), Win32/Keygen, and Blacole.
Figure 2: Trends for notable threat families in the EU
Threat detections in Germany increased 30.4 percent from 3Q11 to 4Q11, primarily because of significantly increased detections of Win32/EyeStye, a family of trojans that attempt to steal sensitive data and send it to an attacker. Detection signatures for EyeStye were added to the MSRT in October 2011; within the first 10 days thereafter, more than half of the EyeStye infections detected and removed by the MSRT worldwide were in Germany. Win32/Zbot and Win32/Banker, two data stealing trojans known to target users of online banking services are also on the top 10 list of threats found in Germany during the fourth quarter of 2011. This means that at least three of the top 10 threats in Germany have been associated with bank fraud in the past – a combination rarely seen in EU member states to date in the Microsoft Security Intelligence Report.
Germany also saw increased detections of the exploit family Blacole that is contributing to sharp increases in vulnerability exploit attempts worldwide. Germany also saw increased detections of the generic detection Win32/Keygen, a tool that generates keys for illegally-obtained versions of various software products. The combination of this threat activity resulted in Germany’s malware infection rate increasing from 3.3 systems infected with malware for every 1,000 systems scanned (computers cleaned per mille or CCM) in 3Q11 to 11.0 in 4Q11. This constitutes more than a 230% increase in Germany’s malware infection rate in 90 days and moves Germany’s malware infection rate from a level well below the worldwide average to a level well above it. I asked Michael Kranawetter, Microsoft Germany’s Chief Security Advisor, about this situation in Germany and he told me:
It seems like malware distributers have discovered Germany as a promising target market finally. Maybe the economic situation in Europe might drive the criminal minded to countries with alleged better financial conditions – where they might steal more money using Trojans – or people are not as cautious as in the past and do “click more”. But the reason why is not the most important thing, it is essential to understand that cybercrime is a topic and that it will increase every day because it works. Taking those results into account it is an imperative to do more educational work an all levels, for vendors, for companies and for consumers. Security is important for the economy of the Internet, a less trustful environment will decrease our possibilities to use this great technology.
Figure 3: CCM infection trends in Germany and worldwide
The threats impacting Germany are also seen in Austria, Italy and the Netherlands where Win32/EyeStye, Win32/Zbot, and Win32/Keygen are all contributing to elevated malware infection rates in these locations.
Figure 4: Trends for notable threat families in Austria, Italy, Germany, and the Netherlands
I was just in Austria talking to customers there, so I asked Christian Wiesener, Microsoft Austria’s Chief Security Advisor, about these developments in Austria and he told me:
Austria is small country with 8.39 million people, 78% of the Austrian Households owns a computer and 75% do have internet access, this is above the average of the EU27 with 70%. More than 58% of the Austrians like online shopping very well and around 54% of the Austrians are using the Internet for their banking business (statistics source: http://www.statistik.at/web_en/statistics/information_society/ict_usage_in_households/index.html). Over the last years the Austrian Banks did face a lot of phishing attacks, the banks deployed several countermeasures against phishing like the mobileTAN procedure where you will receive a mobileTAN on your mobile phone every time you need to sign an order at your online banking account. Overall the countermeasures of the banks and the awareness that was raised against the phishing attacks over the last years let move Austria away of the interest from criminal elements or organizations. Even the Zeus botnet that was very successful all over the world did not leave a huge impact in Austria. So it could be just a matter of time till the bad guys did get used with new technologies and are attacking Austria, a country that has still a wealthy economic system compared with most of the other EU countries.
The call to action for these EU locations is:
- Install antimalware software from a trusted source and keep it up to date. Many reputable antivirus companies offer free scans such as this one, and Microsoft offers Microsoft Security Essentials for free (available in many languages).
- Keep all software in your environment up to date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
- Use newer versions of software and newer service packs where possible to get the security benefits of the latest security mitigations.
- Use caution when clicking on links to Web pages and opening attachments
- Avoid downloading pirated software
In part 3 of this series I will examine the countries that have the lowest malware infection rates in the EU and shares insights into how they seem to be accomplishing this.
Director, Trustworthy Computing