Skip to content

Microsoft Secure


In part 1 of this series on the threat landscape in the European Union (EU) I discussed the encounter rates (ER) and infection rates (CCM) among EU countries/regions, diving a little deeper into the locations with the highest malware encounter rates and infection rates. In part 2 I discussed the locations in the EU with the lowest ERs and CCMs, as well as the top threats found in the region in the last half of 2014.

In part 3 of the series I will look at real-time antimalware usage in the EU as well as the prevalence of drive-by download sites which are typically used by some attackers to compromise unpatched systems and spread ransomware and other malware.

The latest data that we published in the Microsoft Security Intelligence Report suggests that systems in Finland, Denmark, the Czech Republic, France, and the Netherlands have the lowest number of unprotected systems in the EU. What I mean by this is that these locations have the fewest number of systems that reported not running up-to-date real-time antimalware software in the region. Figure 1 illustrates the percentage of systems in the region that reported consistently running up-to-date real-time antimalware software in the fourth quarter of 2014. Figure 2 illustrates the percentage of systems in the region that reported not running up-to-date real-time antimalware software in the fourth quarter during any of the three times the Malicious Software Removal Tool (MSRT) checked.

Figure 1: Percent of computers reporting as Protected during every Malicious Software Removal Tool (MSRT) execution in the fourth quarter of 2014 (4Q14), by country/region
0701 Figure 1

Figure 2: Percent of computers reporting as Unprotected during every Malicious Software Removal Tool (MSRT) execution in the fourth quarter of 2014 (4Q14), by country/region in the EU
0701 Figure 2

As we saw in part 1 of this series, Romania, Cyprus, Bulgaria, Lithuania, Greece, and Spain were all on the list of locations in the EU with the highest malware infection rates. Here they are again on the list of locations with the fewest protected systems in figure 2.

It might be tempting to conclude that locations that have fewer systems with up-to-date antimalware software always have higher malware infection rates – but this isn’t always true. For example, Hungary is on the list of locations with a relatively high percentage of systems not running up-to-date antimalware software in the last quarter of 2014. But, as Figure 3 illustrates, Hungary had a malware infection rate below the worldwide average for much of 2014, only exceeding the worldwide average by 0.1 CCM in the second quarter of the year (2Q14). Hungary isn’t an anomaly; there are other countries/regions in the EU and around the world that have relatively low antimalware adoption and low malware infection rates or the opposite – high antimalware adoption and high malware infection rates (France is one example of this).

Figure 3: The malware infection rate (CCM) in Hungary and worldwide during 2014
0701 Figure 3

You might be wondering what explains the differences in regional malware infection rates? If not antimalware software adoption, then what else influences the number of systems that actually get infected with malware? Antimalware adoption does influence infection rates, but so do a plethora of other factors. It’s complicated. This is a topic that I have written about extensively. If you are interested in learning more, please read some of these articles:

Next, let’s look at drive-by download sites that were hosted in the EU during the last quarter of 2014. A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Compromised sites can be hosted anywhere in the world, making it difficult for even an experienced user to identify a compromised site. Figure 4 illustrates an example of how this type of attack works.

Figure 4: One example of a drive-by download attack
0701 Figure 4

Figure 5 illustrates the levels of drive-by attack pages hosted in locations in the EU, while Figure 6 lists the locations with the most drive-by download pages in the region in the fourth quarter of 2014. The worldwide average during this period of time was 0.45 download pages per 1,000 URLs, while the average among the 28 countries/regions in the EU was 0.34 during the same period.

Figure 5: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2014, per 1,000 URLs in each country/region
0701 Figure 5

The locations with the highest number of drive-by download pages in the EU in the last quarter of 2014, above the worldwide average, include Cyprus, the United Kingdom, Slovenia, and Bulgaria.

Figure 6: The locations in the EU with the highest levels of drive-by download pages as indexed by Bing at the end of the fourth quarter of 2014 (4Q14), per 1,000 URLs in each country/region
0701 Figure 6

Cyprus is noteworthy as it had nearly 4 times the drive-by download pages as the worldwide average in Q3 and nearly 3 times in Q4. Cyprus was also on the list of locations with relatively high malware infection rates and relatively high percentages of unprotected systems. A deeper look at what’s happening in Cyprus suggests systems there are being exposed to higher levels of exploits, browser modifiers, and software bundlers than average as illustrated in Figure 8.

Figure 7: (left) The encounter rate and malware infection rate for Cyprus in 2014
0701 Figure 7

Figure 8: (left) Malware categories in Cyprus in the last quarter of 2014; (right): unwanted software categories in Cyprus in the last quarter of 2014
0701 Figure 8

As Figure 9 shows us, the most encountered threat in Cyprus was the notorious commercial exploit kit called JS/Axpergle, also known as the Angler exploit kit. This exploit kit attempts to use vulnerabilities in recent versions of Adobe Flash Player, Internet Explorer, Java, and Silverlight to install malware on systems that have not been kept up to date and are missing security updates. We have seen it try to install ransomware and other malware.

Figure 9: (left) The malware families that systems in Cyprus encountered most often in the last quarter of 2014 (4Q14)
0701 Figure 9

The good news is that Cyprus and the other locations in the EU discussed in this series can improve their ecosystem by keeping systems up to date, running up-to-date antimalware software from a trusted source and using caution when using removable media like USB drives. Over the years I have spoken to security experts, enterprise customers and governments in many of the consistently healthiest computing ecosystems in the world and have shared their lessons: Finale – Lessons from Some of the Least Malware Infected Countries in the World – Part 6.

I hope you have found this series on the threat landscape in the EU informative. The source of the data I used for this analysis was the Microsoft Security Intelligence Report which is available for free at http://microsoft.com/sir, in which we provide threat intelligence on over 100 countries/regions around the world.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection