One region of the world I haven’t written extensively about before is South America. Recently I had the opportunity to travel to a couple of countries in South America to meet customers and discuss the threats they see in their environments. This is part 1 in a series of articles that will focus on threats found in several locations, including Argentina, Brazil, Chile, Colombia and Uruguay. All of these articles are based on new data published in the Microsoft Security Intelligence Report volume 15 and previous volumes.
As seen in Figure 1, several locations in South America have malware infection rates (CCM) higher than the worldwide average, while a few locations have infection rates lower than the worldwide average. In the fourth quarter of 2012 (4Q12) Bolivia had the highest infection rate with 9.4 systems infected for every 1,000 that the Microsoft Malicious Software Removal Tool (MSRT) scanned there. The worldwide average in 4Q12 was 6.0 and Uruguay had the lowest infection rate of the locations examined with a CCM of 3.1. But infection rates in the region changed dramatically in the first half of 2013. Bolivia, Ecuador, Peru, and Venezuela all saw infection rate increases during the second quarter of 2013 (2Q13). Peru’s malware infection rate increased from 9.4 in 1Q13 to 17.0 in 2Q13, a 45 percent increase in ninety days. Ecuador saw a 27 percent increase in its infection rate in 2Q13 while Bolivia saw a 29 percent increase in the same period.
The primary threat responsible for infection rate increases in Bolivia, Ecuador, and Peru was Win32/Gamarue, a family of malware that may be distributed by exploit kits, spammed emails or other malware. It can download files and steal information about your PC, and some variants of this family are worms, meaning they can copy themselves to other computers by infecting removable drives, such as USB flash drives or portable hard disks. Between 1Q13 and 2Q13 Win32/Gamarue infections increased 6.9 times in Bolivia, 4.8 times in Ecuador, and 7.5 times in Peru. Meanwhile, infections of several threat families increased in Venezuela, driving its infection rate higher in 2Q13. These families included Win32/Sality, Win32/Dorkbot, Win32/Nuqel, Win32/Lethic, and Win32/Pramro.
Figure 1: Malware infection rates (CCM) for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela, compared to the worldwide average between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13)
The mix of threat categories found in South America between the first quarter of 2011 (1Q11) and the fourth quarter of 2012 (4Q12) can be seen in Figure 2. There are some interesting differences between how threat categories have trended in South America and how they have trended worldwide. Figure 3 illustrates worldwide threat category trends between 3Q11 and 4Q12. Worms were found on between 15 and 20 percent of systems infected with malware worldwide between 3Q11 and 4Q12, but on between 34 and 39 percent of systems infected with malware in South America during the same period; that is, worms were found in significantly higher proportions in South America than the worldwide average. Exploits were detected on between 12 and 16 percent of systems infected with malware worldwide, whereas they were found on only between 5 and 9 percent of infected systems in South America during the same period. Generally, Password Stealers and Monitoring Tools were detected on a higher proportion of infected systems in South America than worldwide.
Figure 2 (top): Malware and potentially unwanted software categories in South America between the first quarter of 2011 (1Q11) and the fourth quarter of 2012 (4Q12), by percentage of computers reporting detections; Figure 3 (bottom): Malware and potentially unwanted software categories, worldwide, between the third quarter of 2011 (3Q11) and the fourth quarter of 2012 (4Q12), by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period
Some of the specific threat families found in South America can be seen in Figure 4. Detections of Win32/Keygen have trended up in South America. This suggests that people in the region are looking for free or discounted software, a desire that attackers are known to take advantage of by attempting to fool users into installing malware on their systems. Win32/Autorun was also found on many systems in the region. Autorun worms spread by copying themselves to the mapped drives on infected computers, including network drives and removable drives such as USB drives. Win32/Banload is a family of trojans that downloads other malware; the downloaded malware is usually a trojan that steals banking credentials and other sensitive data and sends it back to a remote attacker. Banking trojans have been particularly active in Brazil for many years.
Figure 4: Detection trends for a number of malware and potentially unwanted software families, between the first quarter of 2011 (1Q11) and the fourth quarter of 2012 (4Q12), in South America
There are several locations in South America that have above average levels of malicious websites hosted in them, as seen in figures 5 and 6. The number of systems that were hosting malware in Brazil in 4Q12 was nearly three times the worldwide average. The worldwide average increased significantly in the first half of 2013, going from 10.8 malware distribution sites per 1,000 Internet hosts in 4Q12 to 17.67 in 2Q13. Brazil’s malware hosting rate decreased from 32.0 in 4Q12 to 22.16 in 2Q13. Venezuela, Peru and Argentina also had malware hosting sites at levels significantly above the worldwide average in 4Q12. But in 2Q13 only Brazil and Venezuela still had levels above the elevated worldwide average.
Brazil also had the highest level of phishing sites hosted in it, of any location in South America in 4Q12, with 12.6 phishing sites per 1,000 Internet hosts. That was over double the worldwide average of 5.1 in the same period. But there was a big decrease in phishing sites in Brazil to 6.5 phishing sites per 1,000 Internet hosts in 2Q13 compared to the worldwide average of 4.24. Chile had the highest level of phishing sites in South America in 2Q13 with 9.0 phishing sites per 1,000 hosts.
Figure 5: Malicious website statistics for Argentina, Brazil, Chile, Colombia, Ecuador, Peru, Uruguay, and Venezuela, in 2Q13
Colombia had the highest level of drive-by download sites hosted in it in 3Q12 (0.72 drive-by download URLs per every 1,000 URLs hosted there), but the number of drive-by download sites receded significantly in 4Q12 (0.01). The worldwide average in 4Q12 was 0.33. By 2Q13 the number of drive-by download sites hosted in Colombia had increased again, to 0.90. As seen in Figure 6, the worldwide average in 2Q13 had also increased significantly. Argentina had the highest level of drive-by download sites in 2Q13 with 1.52 drive-by download URLs per every 1,000 URLs hosted there.
Figure 6: Drive-by download sites statistics for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, and Venezuela, in the first half of 2013
I asked Roberto Arbelaez Cortes, Microsoft’s Chief Security Advisor for the Americas, for more local insight into what has been happening in South America. He told me the following:
South America is a very active, dynamic region from a security perspective. Threats range from DoS (Denial of Service) attacks and defacements to very complex intrusions against public and private sector organizations. Some activity appears to be hacktivism (attacks influenced by activist positions).
Some countries have embraced technology such as smartphones and broadband internet; in some cases the levels of adoption are greater than those achieved in regions where there was earlier adoption. In many of these countries law enforcement agencies have developed digital forensics and investigation capabilities, while lawmakers have extended or adapted their legal framework to better prosecute cybercrime and traditional crime supported by technology. On the other side of the spectrum, there are countries with low levels of internet adoption, basic or non-existent electronic public sector capabilities and limited to no e-commerce.
Despite these differences, malicious activity has increased all over the region during the past few years. These attacks are typically DDoS (Distributed Denial of Service) or web defacements.
The more advanced attacks are oftentimes found against the financial sector, where monetary gain is the primary driver. Attacks range from basic phishing to complex identity-stealing malware, ATM hijacking, skimming and several others. Because of this, most banks in the region have enabled strong authentication, including the use of RSA tokens, biometric authentication and other similar devices for retail consumer banking, well beyond what you typically see in most other countries.
Most countries in South America have also developed addendums to their penal codes to prosecute cybercrime, and although most countries are not signatories of international cybercrime cooperation treaties, multilateral organizations are working on a transnational cooperation framework based on the Budapest treaty.
ISO 27001 certification is very important in the regional marketplace, more than in other geographies. Certification services are in high demand, and companies proudly include their ISO certifications (including 9001, 14001 or 27001) on their logos and letterheads. Most security companies in the region offer these services.
In the next parts in this series of articles, we will dive deeper into the threat landscape of specific locations in South America. Part 2 of this series will examine Brazil’s dramatic malware infection rate improvement.