Microsoft's Security Intelligence Report 12
uses the computers cleaned per mille (CCM)
metric to compare the infection rates over time and between countries.
This is, of course, no perfect measurement of the actual infection rates due to a number of factors, but nevertheless an interesting data-point.
Austria usually sports a quite low CCM score, but during Q4 2011 something strange happened: there was a clear upwards spike. So we wondered what happened to Austria (as well as to some
of our neighbors):
There seem to be various factors playing together:
- The online banking gangs (using SpyEye, ZeuS, Ice-IX, Citadel, Torpig, ...) seem to be focussing on specific banks (and countries) at each point in time. Once they have the web-injects and the money-mules lined up, they use shady services to buy either installs or web-traffic on a by-country basis. Given the effectiveness of exploit-packs, web-traffic can be easily be turned into zombies.
- MSRT added detection for SpyEye in October 2011, causing spikes in CCM in those countries that experienced active SpyEye campaigns at that time.
- SpyEye has been supplanted by other banking-malware, MSRT might not be covering all of them.
We have thus on one side the criminal gangs which are changing both their targets and the malware they use, and on the other side Microsoft, which is also adapting their MSRT. If these factors intersect in the right way, the CCM for a country spikes.
(Mike Sandee from Fox-IT provided input towards this analysis.)
Author: Otmar Lendl