Despite its hacking prowess, Russia appears to have very messy networks
Russia’s hackers may be among the best, but its computer networks are the most malware-ridden in the world, according to new data from security vendor Comodo.
Russia also has a high proportion of more primitive forms of malicious software, the data show, suggesting the security of its IT networks is in a parlous state.
The data, which comes from computers all over the world loaded with Comodo software, and covers the first quarter of 2017, is analyzed by the company’s Comodo Threat Research Labs.
“It’s a very bad sign,” said Comodo Senior Research Scientist Kenneth Geers of the Russia numbers. “It suggests the networks are poorly managed … the software is pirated or out of date.”
“The networks [there] are riddled with malware that’s taking advantage of all the low-hanging fruit” in the form of poorly secured IT equipment, he added. “Probably many countries are spying on Russia pretty easily.”
The 90 million global installations of Comodo’s software provide “an extraordinarily rich data set of malware incidents,” Geers told CyberScoop — more than 25 million of them, in 223 countries. “It’s really, really broad, geopolitically speaking,” he said. “We are everywhere … except maybe Chad or the Central African Republic.”
The country with the most malware infections, with more than 3 million incidents, nearly 12 percent of the 25 million global total, was Russia. Behind Russia the next nine nations were, in order: Taiwan, Hong Kong, Philippines, Indonesia, the U.S., Turkey, Poland, Brazil and the UK, which rounded out the top ten with just over 800,000 incidents, or a bit more than 3 percent.
Geers conceded that the raw numbers could be influenced by where the company’s software is installed: “It may be biased by the customer base,” he said. But he added that the analysis of those numbers — for instance to discover the prevalence of different kinds of malware in each country — would still provide very useful data.
His report breaks malware down into five categories. The two most advanced, and the rarest, are backdoors, which provide remote, persistent access to systems, and packed malware, programs run through a software compression tool to obfuscate any signatures. Comodo software detected backdoors just under a million times and packed malware just over a million times during the first quarter of 2017.
“Backdoors are a high-value hacker tool that is deployed against lucrative targets,” and hence tends to be more prevalent in advanced economies, according to the report.
The third kind — and right in the middle in terms of sophistication — is the trojan horse, defined as malicious functionality hidden in a seemingly benign program. It’s the most common kind of malware: Comodo detected more than 13 million of them between January and March of this year.
At the bottom of the scale for sophistication are worms, and not much above them are viruses, said Geers, adding that a lot could be gleaned by looking at which countries have the highest proportion of which kinds of malware.
The report says that, of the 4 million-plus worms it detected, more than one quarter were in the Philippines. “For countries with a minimum of 100 detected worms, Congo, Maldives, Somalia, Cape Verde, Macedonia, Philippines, Nigeria, Yemen, South Africa, and Gambia had the highest percentage of worms compared to overall malware detections,” it states. Of the nine-and-a-half million viruses, the top ten infected countries include Brazil, Russia, Indonesia and Kazakhstan. “Unlike backdoors and packed malware, viruses appear to primarily affect countries that may run older and perhaps unpatched versions of software,” states the report.
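The ranking the report describes, ordering countries by a category's share of their own detections and applying a minimum detection count rather than sorting by raw totals, is the part of the analysis that addresses the install-base bias Geers concedes. The following is an added example, not Comodo's code or data: the per-country counts in SAMPLE_COUNTS are made up, and the helper names (aggregate, rank_by_raw_count, rank_by_share, share_of_global) are hypothetical. It shows why the country with the most worm detections need not be the one with the highest worm proportion, and why the minimum-count cutoff matters for small samples.

```python
from collections import Counter, defaultdict

# Constructed sample: per-country detection counts by category. These numbers
# are invented for illustration and are NOT the Comodo figures from the report.
SAMPLE_COUNTS = {
    "RU": {"trojan": 900, "virus": 300, "backdoor": 120, "packed": 100, "worm": 200},
    "PH": {"trojan": 150, "worm": 140, "virus": 60, "backdoor": 5, "packed": 5},
    "US": {"trojan": 600, "backdoor": 200, "packed": 180, "virus": 40, "worm": 10},
    "MV": {"trojan": 10, "worm": 8, "virus": 2},  # tiny sample, high worm ratio
}

# Expand the table into one (country, category) event per detection, the shape
# endpoint telemetry normally arrives in before any aggregation.
SAMPLE_EVENTS = [
    (country, category)
    for country, cats in SAMPLE_COUNTS.items()
    for category, n in cats.items()
    for _ in range(n)
]


def aggregate(events):
    """Count detections per country and per category within each country."""
    by_country = defaultdict(Counter)
    for country, category in events:
        by_country[country][category] += 1
    return by_country


def rank_by_raw_count(by_country, category):
    """Countries ordered by absolute detections of one category.

    This is the ranking that is biased by where the sensor base is installed:
    a country with more agents produces more detections of everything.
    """
    rows = [(c, cats[category]) for c, cats in by_country.items() if cats[category]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def rank_by_share(by_country, category, min_count):
    """Countries ordered by the category's share of that country's own detections.

    Dividing by the country's total cancels the size of the install base.
    min_count drops countries whose sample is too small for the ratio to
    mean anything (the report uses a floor of 100 detected worms).
    """
    rows = []
    for country, cats in by_country.items():
        n = cats[category]
        if n >= min_count:
            rows.append((country, n / sum(cats.values())))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def share_of_global(by_country, category):
    """Each country's fraction of the worldwide detections of one category."""
    total = sum(cats[category] for cats in by_country.values())
    return {c: cats[category] / total for c, cats in by_country.items() if cats[category]}


if __name__ == "__main__":
    agg = aggregate(SAMPLE_EVENTS)
    print("worms by raw count:", rank_by_raw_count(agg, "worm"))
    print("worms by in-country share (min 50):", rank_by_share(agg, "worm", 50))
    print("worms by in-country share (min 1):", rank_by_share(agg, "worm", 1))
    print("share of global worms:", share_of_global(agg, "worm"))
```

In the constructed data RU tops the raw worm count, but PH tops the share ranking once each country's worm count is divided by its own total; MV has the highest ratio of all yet is excluded by any sensible minimum-count floor, which is exactly the kind of small-sample artifact the report's "minimum of 100 detected worms" rule is there to suppress.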
“Worms and viruses are more prevalent in less economically developed countries,” Geers told CyberScoop. “Richer countries have a very different malware profile than poorer ones.”
“It’s intuitive,” he acknowledged, “But I don’t know that anyone’s actually ever measured it like this before.”
He added that, in reports on future data, including one being prepared for release at Black Hat, he would examine malware infections over time.
“What you can see [when you lay out infection timelines] is the build-up of malware incidents …. around times of crisis,” he said.