The Threat Landscape in South America: Examining Brazil’s Dramatic Improvement

This article, part 2 of a series on the threat landscape in South America, focuses on Brazil.  Brazil has had one of the most active threat landscapes in the world for many years.  As seen in Figure 1, in the first quarter of 2011 (1Q11), Brazil’s infection rate (19.18) was over double that of the worldwide average (8.65).  But Brazil’s infection rate dramatically improved over the following nine quarters, ending the second quarter of 2013 (2Q13) at 6.7 compared to the worldwide average of 5.8.
Figure 1: Malware infection rates (CCM) for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela, compared to the worldwide average between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13)

Figure 2 compares the malware infection rate (CCM) in Brazil with the malware encounter rate in Brazil. The encounter rate is the percentage of systems running Microsoft real-time security products that encountered malware that tried to install on, or stay on, those systems but was blocked by Microsoft anti-malware products. What’s most interesting about Figure 2 is that the encounter rate increased in 2Q13 while the malware infection rate decreased; i.e., more systems encountered malware but fewer systems were infected. One thing to note is that the threat families encountered most often are not necessarily the families that infect systems most often.

Figure 2: Malware infection and encounter trends in Brazil and worldwide in the second quarter of 2013 (2Q13)

As seen in Figure 4, Adware, Miscellaneous Potentially Unwanted Software, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools were above the worldwide average in Brazil in 4Q12. Adware was detected on 40.8 percent of all computers with detections in Brazil in 4Q12, up from 17.4 percent in 3Q12.  I consider this change and the relatively high levels of Adware good news for Brazil because it means there is a smaller proportion of more severe threats there.

To understand how Brazil’s malware infection rate improved so dramatically, we can compare the threat categories detected in Brazil in 2Q11 to those detected in 4Q12. As seen in Figure 3, Worms were detected on almost a quarter of systems infected with malware in Brazil in 2Q11. But by 4Q12, Worms were detected on almost 10% fewer systems with detections in Brazil. Another very positive change was a large reduction in Password Stealers and Monitoring Tools detected in Brazil, a category of threats that Brazil has long struggled with; the number of systems in Brazil with detections of this category of threats was nearly cut in half between 2Q11 and 4Q12. However, as seen in Figure 5, one family of threats belonging to this category was still in the top ten list of threats in Brazil in 4Q12: Win32/Bancos. Win32/Bancos is a data-stealing trojan that captures online banking credentials and relays them to the attacker. Most variants target customers of Brazilian banks.

Figure 3 (left): Malware and potentially unwanted software categories in Brazil in 2Q11, by percentage of computers reporting detections; Figure 4 (right): Malware and potentially unwanted software categories in Brazil in 4Q12, by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period


Also noteworthy is Win32/Banload, a family of trojans that download other malware. Banload usually downloads Win32/Banker, which steals banking credentials and other sensitive data and sends it back to a remote attacker. Threats targeting customers who use online banking have been prevalent in Brazil for many years.

Win32/Sality ranked 8th in the top ten list of threats found in Brazil in 4Q12. Although Sality is a virus, this isn’t necessarily surprising. Sality has been one of the most successful viruses in recent years. You can read more about this in an article I wrote called “Are Viruses Making a Comeback?”

Figure 5 (left): The top 10 malware and potentially unwanted software families in Brazil in 4Q12; Figure 6 (left): Malicious website statistics for Brazil, from 3Q12 to 2Q13


Although the malware infection rate in Brazil has dramatically improved, the level of malicious websites hosted in Brazil, presumably on compromised systems, is typically significantly higher than the worldwide average. As seen in Figure 6, phishing sites and malware hosting sites were well above the worldwide average in Brazil in the second half of 2012 and the first half of 2013, though phishing levels improved in 1Q13 and 2Q13. High levels of web-based threats are typical of regions that have high malware infection rates and consistent Internet connectivity, as attackers use compromised systems to host malicious websites.

Another factor likely contributing to the malware infection rate in Brazil is the number of systems that run up-to-date anti-virus software; 21% of the systems in Brazil did not have up-to-date real-time anti-virus software protecting them in the second half of 2012. This is better than the worldwide average of 24% of systems lacking up-to-date real-time anti-virus in the same period. Unfortunately, we don’t yet have trend data to help us understand if the number of systems in Brazil running anti-virus software has increased over time. Socio-economic factors from 2Q11 that have been correlated to malware infection rates can be seen in Figure 7. If you’d like more information on how these factors are correlated to regional malware infection rates, please read this article: “Special Edition Security Intelligence Report Released – How Socio-economic Factors Affect Regional Malware Rates.”

Figure 7: Some of the socio-economic factors correlated to malware infection rates, with values for Brazil from the second quarter of 2011

The call to action for computer users in Brazil:

  • Avoid searching for or using pirated software as attackers take advantage of the desire for free or heavily discounted software to trick users into loading malware onto their systems.  Win32/Keygen, the number two threat in Brazil’s top ten, is evidence that attackers are using this tactic successfully in Brazil.
  • Use real-time antivirus software from a vendor you trust and keep it up-to-date.  A list of such vendors is here.  If you have Windows 8, ensure that Windows Defender is active on your system if trial anti-virus software has expired.
  • Keep all of the software on your system up-to-date including Microsoft software, Adobe, Java, etc.  Attackers are trying to take advantage of known vulnerabilities in all software – so this is a very effective way to help protect systems.

We will look at threats in Argentina and Uruguay in part 3 of this series.

Tim Rains
Trustworthy Computing










