Microsoft Security Intelligence Report v12–South Africa’s Perspective

Microsoft produces the Microsoft Security Intelligence Report twice a year to keep the industry informed on the changing threat landscape and provide actionable guidance for customers in an effort to create safer more trusted computing experiences for everyone. The latest report, Volume 12 provides insight into online threat data with new information for July 2011 through December 2011 and analysis of data from more than 100 countries/regions around the world. This include Africa and our focus being South Africa (pdf).  More information about Microsoft Security Intelligence Report Volume 12 (SIRv12) is available at

SIRv12 found that the Conficker worm is still one of the biggest on-going threats to enterprises. The Conficker worm, first detected in November 2008,  is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction. Conficker worm was detected almost 220 million times worldwide in the past two and a half years. The study also revealed that the worm continues to spread as a result of weak or stolen passwords and vulnerabilities for which a security update exists.

Conficker Spread

According to the SIRv12, quarterly detections of the Conficker worm have increased by over 225% since the beginning of 2009. In the fourth quarter of 2011 alone, Conficker was detected on 1.7 million systems worldwide. In examining the reasons behind Conficker’s prevalence in organizations, research showed that 92% of Conficker infections were a result of weak or stolen passwords, and 8% of infections exploited vulnerabilities for which a security update exists.

Computers detected with Worms in South Africa are still sitting at 42.8% compared to worldwide figure of 11.3%. Worms are found to be the most common threat category  in 4Q11,  down from 43.7% in 3Q11. Miscellaneous Potentially Unwanted Software is the second most common category which affected 30.1% of all infected computers, down from 31.2% in 3Q11. The figure below clearly shows an improvement in terms of computers cleaned per 1000 scanned (CCM) both in SA and worldwide. The third most common category in 4Q11 is Miscellaneous Trojans, which affected 20.7% of all infected computers, down from 20.8% in 3Q11.

Malicious Software

South Africa generally performed below the worldwide average with the exception of Trojan Downloaders & Droppers, Exploits, Password Stealers & Monitoring Tools. The top two identified malware families driving worms were Win32/Autorun (18.4% of detected computers) which spreads by copying itself to the mapped drives (including network or removable media like USB drives and instant messaging) of an infected computer and Win32/Vobfus (12.1%) which spreads via network drives and removable drives and download/executes arbitrary files. Downloaded files may include additional malware. Win32/Conficker  affected 4.4% of detected computers and sit well in the top 10 bracket of threats in SA . It infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.

Threat Category

Cybercriminals are also trying to do business in South Africa using the following:

  • Number of websites found that were phishing websites per 1000 hosts has decreased from 0.11 in 2010 to 0.04 in 2011 – worldwide 0.02
  • Malware hosting sites (per 1000 hosts) has decreased from 0.10 in 2010 to 0.08 in 2011 – worldwide 0.06
  • Percentage of sites hosting  drive-by downloads has decreased from 0.042% in 2010 to 0.031%. This is an improvement when compared to a pick of 1.071% in 1Q11 and it’s way below the worldwide rate of 3.644%.


What You Need to Do:

To ensure protections aligned with today’s threats and to mitigate risks, it is critically important that organizations focus on the security fundamentals to help protect against the most common threats.

For businesses, as Scott Charney, corporate vice president of Microsoft Trustworthy Computing, outlined in his keynote at RSA 2012, Microsoft recommends a more holistic approach to risk management to help protect against both broad-based and targeted attacks that includes:

  • Prevention: Employ security fundamentals and pay close attention to configuration management and timely security update deployment.
  • Detection: Carefully monitor and perform advanced analysis to identify threats. Keep abreast of security events and leverage credible sources of security intelligence.
  • Containment: If the targeted organization has configured its environment with targeted attacks by determined adversaries in mind, it is possible to contain the attacker’s activities and thereby buy time to detect, respond to, and mitigate the attack. To contain an attack, consideration should be given to architecting domain administration models that limit the availability of administrator credentials and apply available technologies such as IPsec-based network encryption to restrict unnecessary interconnectivity on the network.
  • Recovery: It is important to have a well-conceived recovery plan, supported by suitably skilled incident response capability. Maintain a “crisis committee” to set response priorities and engage in exercises to test the organization’s ability to recover from different attack scenarios.

Microsoft recommends that customers and businesses adhere to the following security fundamentals to help ensure they are protected:

  • Use strong passwords and educate employees on their importance
  • Keep systems up to date by regularly applying available updates for all products
  • Use antivirus software from a trusted source
  • Invest in newer products with a higher quality of software protection
  • Consider the cloud as a business resource

How do I remove the Conficker worm?

“Conficker is one of the biggest security problems we face and yet it is well within our power to defend against,” said Tim Rains, director of Microsoft Trustworthy Computing. “It is critically important that organizations focus on the security fundamentals to help protect against the most common threats.”

Tim Rains, Director, Microsoft Trustworthy Computing, provides a report overview of the Security Intelligence Report Volume 12, highlighting the latest vulnerability disclosure, exploit and malware trends focusing on the second half of 2011.


If your computer is infected with the Conficker worm, you may be unable to download certain virus protection security products, such as the Microsoft Malicious Software Removal Tool or you may be unable to access certain websites, such as Microsoft Update. If you can’t access those tools, try using the Microsoft Safety Scanner for virus removal.

In Conclusion:

Key questions on this data:

1. The malware infection rates in SA have been trending down – what factors are contributing to this trend?

2. Conficker and Autorun are among the top ten threats in SA.  What citizens, government and organizations need to do in order to protect themselves against these specific threats? 

3. Worms appear to be at higher levels in SA than the world wide average. What can citizens, government and organizations in SA do to protect themselves from these threats?

I will be presenting this data at the ITWeb Security Summit 2012 – Agenda 15 May and will follow with a blog.

One response to “Microsoft Security Intelligence Report v12–South Africa’s Perspective

  1. Pingback: Cybersecurity Agenda – How are we doing in South Africa? | Dr Khomotso Kganyago on Security·

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s