Turkey: Understanding high malware encounter rates in SIRv15
In the most recent Security Intelligence Report (SIRv15), we compared malware category encounter rates for the 10 countries with the most computers reporting detections in 2Q13. Among these countries, Turkey stood out with considerably higher encounter rates in several categories. Encounter rate is the percentage of computers in a country (among those running Microsoft real-time security software and reporting to us) that reported at least one malware detection during the period.
Figure 1. Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.
Looking at the table, Turkey's encounter rates for miscellaneous trojans, worms, exploits, and trojan downloaders and droppers are each at least 18 percent higher than those of the next highest country in the list. This post examines the factors that contribute to those higher rates.
Miscellaneous trojans are self-contained malware that does not self-replicate. Worms, by contrast, send copies of themselves through various communication mechanisms. Exploits are malware that takes advantage of software vulnerabilities, and trojan downloaders and droppers are trojans that download or drop other malware onto computers they have already infected. High encounter rates across such a wide range of malware categories in a single region suggest that Turkey may have been targeted by online criminals.
Targeted encounter rate
To investigate this hypothesis we first need a definition of targeted. For this research, we define a family as targeted if at least 80 percent of the computers it infected are located in a single country. We can then adapt the original definition of encounter rate: the targeted encounter rate is the percentage of computers that reported at least one detection of a targeted malware family. Note that the label attaches to the family, not to the country where it is encountered, so a family targeted at one country still counts toward the targeted encounter rate of any other country in which it is detected.
Figure 2. Targeted encounter rate in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.
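The two definitions above, and the reason category totals can exceed 100 percent, applied to a small constructed detection table. This is an added example, not code from the original post or from Microsoft; the family names FamA through FamD, the three country populations, and every count in it are placeholders chosen to exercise the boundary cases (a family at exactly 80 percent, and a single machine that reports one family many times).

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# One record per detection event: (computer_id, country, family, category).
Detection = Tuple[str, str, str, str]

# The post's threshold: a family is "targeted" when at least 80 percent of the
# computers it infected are in one country.
TARGETED_SHARE = 0.80


def targeted_families(detections: Iterable[Detection]) -> Dict[str, str]:
    """Return {family: country} for every family meeting TARGETED_SHARE.

    Counts distinct computers, not detection events: one machine that reports
    the same family many times must not inflate its country's share.
    """
    machines: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for computer_id, country, family, _category in detections:
        machines[family][country].add(computer_id)
    targeted = {}
    for family, by_country in machines.items():
        total = sum(len(ids) for ids in by_country.values())
        country, ids = max(by_country.items(), key=lambda kv: len(kv[1]))
        if len(ids) / total >= TARGETED_SHARE:
            targeted[family] = country
    return targeted


def encounter_rates(
    detections: Iterable[Detection],
    population: Dict[str, int],
    only_families: Optional[Set[str]] = None,
) -> Dict[str, Dict[str, float]]:
    """Percent of reporting computers, per country and category, with at least
    one detection. With only_families set, this is the targeted encounter rate.

    population[country] is the denominator (every reporting computer, including
    those with no detections), which the detection list alone cannot supply.
    """
    detections = list(detections)
    categories = sorted({d[3] for d in detections})
    hit: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for computer_id, country, family, category in detections:
        if only_families is not None and family not in only_families:
            continue
        hit[country][category].add(computer_id)
    return {
        country: {cat: 100.0 * len(hit[country][cat]) / denom for cat in categories}
        for country, denom in population.items()
    }


def any_detection_rate(detections: Iterable[Detection], population: Dict[str, int], country: str) -> float:
    """Percent of computers in `country` with a detection of any category.
    Lower than the sum of that country's per-category rates whenever a machine
    reports more than one category; that overlap is why figure totals can exceed 100."""
    ids = {d[0] for d in detections if d[1] == country}
    return 100.0 * len(ids) / population[country]


# Constructed sample: 10 reporting computers in each of three placeholder countries.
POPULATION = {"TR": 10, "US": 10, "BR": 10}

CONSTRUCTED = [
    # FamA (misc. trojan): 5 TR machines, 1 US machine -> 5/6 = 83% -> targeted at TR.
    *[("t%d" % i, "TR", "FamA", "Misc. Trojans") for i in range(1, 6)],
    ("u1", "US", "FamA", "Misc. Trojans"),
    # FamB (worm): 3 TR, 2 US -> 60% -> not targeted.
    ("t1", "TR", "FamB", "Worms"), ("t2", "TR", "FamB", "Worms"), ("t6", "TR", "FamB", "Worms"),
    ("u2", "US", "FamB", "Worms"), ("u3", "US", "FamB", "Worms"),
    # FamC (downloader): 4 US, 1 BR -> exactly 80% -> targeted at US (boundary case).
    *[("u%d" % i, "US", "FamC", "Trojan Downloaders & Droppers") for i in range(1, 5)],
    ("b1", "BR", "FamC", "Trojan Downloaders & Droppers"),
    # FamD (exploit): one TR machine reporting four times, one BR machine once.
    # Per event TR would have 4/5 = 80%; per distinct machine it is 1/2, so not targeted.
    *[("t1", "TR", "FamD", "Exploits")] * 4,
    ("b1", "BR", "FamD", "Exploits"),
]


def summary(detections=CONSTRUCTED, population=POPULATION):
    """Everything Figures 1 and 2 would show for this data, plus the overlap
    between categories that pushes per-category totals above the any-detection rate."""
    targeted = targeted_families(detections)
    overall = encounter_rates(detections, population)
    return {
        "targeted": targeted,
        "encounter": overall,
        "targeted_encounter": encounter_rates(detections, population, set(targeted)),
        "category_sum": {c: sum(overall[c].values()) for c in population},
        "any_detection": {c: any_detection_rate(detections, population, c) for c in population},
    }


if __name__ == "__main__":
    s = summary()
    print("targeted families:", s["targeted"])
    for country in POPULATION:
        print(country, "encounter:", s["encounter"][country])
        print(country, "targeted encounter:", s["targeted_encounter"][country])
        print(country, "sum of categories %.0f%% vs any detection %.0f%%"
              % (s["category_sum"][country], s["any_detection"][country]))
```

Two details matter when reproducing the post's numbers from raw telemetry: the denominator must come from the population of reporting computers rather than from the detection list, and a targeted family is counted wherever it is encountered, so in this sample FamA (targeted at TR) still contributes 10 percent to the US targeted encounter rate for miscellaneous trojans.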
Turkey shows far higher targeted encounter rates for miscellaneous trojans, trojan downloaders and droppers, and worms than the other top countries and regions. Running an up-to-date real-time antimalware solution is strongly recommended for computers in any region that sees increases in these categories. For more on this, see Running Unprotected, a deep dive on the subject in SIRv14.
Looking at the top targeted families in Turkey gives more concrete evidence of targeting.
Figure 3. Machine count inside and outside Turkey for the top five targeted families in Turkey.
Top targeted families
Each of the top targeted families uses the Turkish language in some way. Kilim and Reksner both spread through social media outlets such as Facebook and Twitter: they gain access to user accounts and post false advertisements and malicious links in Turkish to reach new victims. Murkados hides its presence by setting the homepage of a Chrome browser it has modified to the Turkish Google search page. Truado redirects user traffic between various Turkish websites. Preflayer uses a fake Adobe installer in Turkish to trick users into infecting their computers. All of these families use the Turkish language as the basis of their attack rather than singling out computers located in Turkey. Turkish words also appear in the families' code, suggesting that the malware may have been written by local attackers.
Language targeting is not uncommon; many families target a specific language, as seen above and elsewhere in the Security Intelligence Report. Most people who read Turkish-language websites live in Turkey, so malware authors ending up with a Turkey-heavy victim population may simply be a side effect of trying to infect Turkish-speaking computer users.
From this data, we can confidently conclude that Turkey was indeed targeted by malware authors, through language targeting. Social engineering, used by every family discussed above, is a method online criminals use to trick users into performing actions or divulging confidential information, either to gain access to their computers or to hide malicious behaviour. It can occur in any language used on computers, most commonly through email, web or telephone scams. Using a less widespread language does not put you beyond the reach of malware.
We recommend the usual protective measures, whatever language you use. If you suspect that confidential information has been stolen through a social engineering attack that a user responded to, take steps to protect the data, such as:
- Change passwords or PINs on all compromised accounts.
- Place a fraud alert on credit reports.
- Do not follow links in fraudulent email messages, and be similarly wary of files on portable flash drives.
- Routinely review bank and credit card statements for unexplained charges or inquiries.
IT professionals should follow best practices in security risk management, including:
- Using Group Policy to enforce configuration for Windows Update and the SmartScreen Filter.
- Using Network Access Protection (NAP) and DirectAccess (DA) to enforce compliance policies for firewall, antimalware, and patch management on remote systems connecting to the corporate network.
- Implementing a strong security awareness program for the enterprise to prevent malware and potentially unwanted software.
You can learn about Microsoft's own best practices in Malware at Microsoft: Dealing with threats in the Microsoft environment.
For additional guidelines that we recommend consumers and enterprises use to protect computers from social engineering attacks, see:
Kevin Yeo
MMPC