Many customers I have talked to who have operations in Mexico have asked for insight into the threat landscape there. The threat landscape in Mexico has been quite active and in this article I try to provide some insight into what has been happening there based on data from the Microsoft Security Intelligence Report.
Looking back at the three year period between July 2008 and July 2011, although the raw number of detections and removals of malware by Microsoft anti-malware products in Mexico isn’t as high as in many other locations, the malware infection rate (CCM) in Mexico has been consistently higher than the worldwide average and that of the United States during this time.
Figure: The infection rate trend, measured in Computers Cleaned per Mille (CCM), for Mexico over the three years spanning the second half of 2008 (2H08) to the second quarter of 2011 (2Q11), compared to the worldwide rate and that of the United States, as reported in the Microsoft Security Intelligence Report volume 6 – volume 11
Note that the CCM figures for 1Q11 and 2Q11 are based on IP geolocation, whereas all the previous periods are based on the user-specified locale setting. If you are interested in a detailed explanation, please see a previous article I wrote on this topic: Determining the Geolocation of Systems Infected with Malware
Looking at the specific categories and families of threats found in Mexico, worms have been the dominant category of threat there for years. The “usual suspects” are detected and cleaned on systems in Mexico as they are in so many other parts of the world: Win32/Autorun, Win32/Conficker, and Win32/Taterf. I have written about these specific threats and how to defend against them in the past: Defending Against Autorun Attacks.
Figure on left: Malware and potentially unwanted software categories in Mexico in the 2nd half of 2009, by percentage of computers affected as published in SIRv8; Figure on right: Malware and potentially unwanted software categories in Mexico in the 2nd quarter of 2011, by percentage of computers affected as published in SIRv11
Microsoft anti-malware tools and products typically clean 900,000+ systems in Mexico during each six month period. For example, in the second half of 2009, 915,786 systems were cleaned by Microsoft desktop anti-malware products; the top 25 threats found in Mexico during that period are listed in the table below. Win32/Taterf was found on about 21% of the systems infected in Mexico.
Table: Top 25 families of threats in Mexico in the 2nd half of 2009 as reported in SIRv8
Win32/Taterf was still in the top ten list of threats found in Mexico in the second quarter of 2011, but was found on only 5% of the systems affected.
Table: Top 10 malware and potentially unwanted software families in Mexico in the 2nd quarter of 2011 (2Q11), by percent of computers affected, as published in SIRv11
Mexico was one of the top 5 locations around the world with the most bot infections detected and removed in the 2nd quarter of 2010 (2Q10).
Figure on left: The top 10 locations around the world with the most bot infections detected and removed in 2Q10 as reported in SIRv9; Figure on right: Bot infection rates for Mexico and the United States compared to the worldwide average, from 3Q09 to 2Q10, by bot CCM, as reported in the Microsoft Security Intelligence Report volume 9
The number of phishing sites hosted in Mexico appears to be very low in the first half of 2011, as does the number of malware hosting sites located there. The number of drive-by download sites hosted in Mexico has been in flux, while the percentage of spambot IP addresses in Mexico is relatively low (0.461% in 2Q11) compared to the United States (4.927% in 2Q11). The top three spambots found in Mexico are Win32/Cutwail, Win32/Pramro, and Win32/Lethic, all in similar concentrations.
Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Mexico as published in SIRv11
I asked Microsoft’s Chief Security Advisor for North America, Freddy Kasprzykowski, what people and organizations in Mexico should do to protect themselves.
There are three simple steps users can take to protect themselves. These steps include making sure your Windows PC has a firewall up and running, configuring Windows Update to automatically bring in the latest version of software components to your supported version of Windows, and using reputable antimalware software. Microsoft has made its free Microsoft Security Essentials antimalware suite available to consumers and to small businesses with up to 10 PCs.
When it comes to remediation, we suggest trying to clean the malware from your computer using the Microsoft Malicious Software Removal Tool. In the event that does not resolve the issue, you may need to restore the PC to its factory state by using the original copies of the software purchased or downloaded. The good news is that most PCs come with that facility in the BIOS and the operating system image on the hard disk, making this task easier; no DVDs are required. As for your data: as I talk to my friends in Mexico, USB thumb drives and USB hard drives are common now, so make sure to back up your data and keep it in a safe place in the event your system is compromised. Windows also comes with free backup software that will provide you with an easy way to restore the data you need.
For organizations, it is important to establish good security policies, procedures and guidelines, provide continuous education to both IT staff and users, and last but not least, engage with your vendors and the local C-SIRT in a bidirectional communication channel.
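One way to check the three steps above on a single Windows PC, as an added PowerShell example that is not part of the original post: it audits the firewall, automatic updates and registered antimalware, and also checks the AutoRun policy relevant to the Win32/Autorun, Conficker and Taterf worms discussed earlier. The bit layout assumed for Security Center's productState is noted in the comments as an assumption.

```powershell
# Added example, not from the original post: read-only audit of the three
# recommended steps (firewall, automatic updates, antimalware) plus AutoRun
# hardening. Nothing is changed; run from an elevated PowerShell prompt.

function Write-Finding($name, $ok, $detail) {
    $status = if ($ok) { "OK  " } else { "FAIL" }
    Write-Output ("{0} {1}: {2}" -f $status, $name, $detail)
}

# 1. Firewall state per profile through the documented INetFwPolicy2 COM
#    interface (locale independent, unlike parsing netsh text on a Spanish
#    Windows install). Profile ids are NET_FW_PROFILE_TYPE2 values.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$profiles = @{ Domain = 1; Private = 2; Public = 4 }
foreach ($p in $profiles.GetEnumerator()) {
    $enabled = $fw.FirewallEnabled($p.Value)
    Write-Finding "Firewall ($($p.Key))" $enabled "enabled=$enabled"
}

# 2. Windows Update: Windows Update Agent COM API. NotificationLevel 4 means
#    "install updates automatically" (scheduled installation).
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
Write-Finding "Automatic updates" ($au.NotificationLevel -eq 4) `
    "NotificationLevel=$($au.NotificationLevel)"

# 3. Antimalware registered with Security Center (Vista/7: root\SecurityCenter2).
#    Assumption: bit 0x10 of the middle byte of productState marks the product
#    as enabled; this layout is widely used but not formally documented.
$avs = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct `
    -ErrorAction SilentlyContinue
if (-not $avs) { Write-Finding "Antimalware" $false "no product registered" }
foreach ($av in $avs) {
    $midByte = ([int][math]::Floor($av.productState / 256)) -band 0xFF
    $enabled = ($midByte -band 0x10) -ne 0
    Write-Finding "Antimalware ($($av.displayName))" $enabled `
        ("productState=0x{0:X6}" -f $av.productState)
}

# 4. AutoRun hardening (the Autorun article referenced above): a value of 0xFF
#    in NoDriveTypeAutoRun disables AutoRun on every drive type.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Write-Finding "AutoRun disabled" ($val -eq 0xFF) "NoDriveTypeAutoRun=$val"
```

Each line of output reads OK or FAIL with the raw value, so the script is safe to run repeatedly and the findings can be pasted into a ticket without any setting having been touched.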