The Threat Landscape in South America: Chile and Colombia

In this fourth and final part of our series on the threat landscape in South America, we examine threats in Chile and then Colombia.  As illustrated in Figure 1, both of these regions have had periods where their malware infection rates were above the worldwide average, and have more recently trended down.

Figure 1 (left): Malware infection rates (CCM) for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela, compared to the worldwide average between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13); Figure 2 (right): CCM infection trends in Chile and worldwide between the third quarter of 2011 (3Q11) and the second quarter of 2013 (2Q13)


Chile
As seen in Figure 2, Chile’s malware infection rate increased from 7.9 in the third quarter of 2011 (3Q11) to 13.9 in the fourth quarter (4Q11).  This was nearly double the worldwide CCM average of 7.1 in 4Q11.  After declining slightly to 13.7 in 1Q12, the infection rate in Chile improved significantly over the following three quarters.  Chile’s CCM in 4Q12 was 5.6, below the worldwide average of 6.0. 

The infection rate “spike” in 4Q11 and 1Q12 was due to significantly increased detections of several threat families, including Win32/Dorkbot, ASX/Wimad, Win32/Zbot, Win32/EyeStye, Blacole and BlacoleRef.  Some of these families are known to be associated with banking fraud.  Detections of Win32/EyeStye increased more than eleven times between 3Q11 and 4Q11.  Interestingly, we also saw significant increases in Win32/EyeStye detections in Austria, Germany, Italy, the Netherlands, and the US in 4Q11.  Win32/Zbot detections increased more than four times during the same period, and detections of Blacole more than doubled.

Detections of ASX/Wimad increased more than 14 times in Chile between 3Q11 and 4Q11. ASX/Wimad is a family of malicious URL script commands found in Advanced Systems Format (ASF) files, the container format used by Windows Media; the commands cause the player to download arbitrary files. This suggests that attackers have been using movies and music to install malware on systems in Chile, as we have seen in many other parts of the world.
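The mechanism just described, a script command inside the ASF header that makes the player open a URL, is something a defender can check for statically before a media file is trusted. The following Python is an added example, not code from the original post or from Microsoft: it walks the ASF header objects, extracts the commands from the Script Command Object and flags URL-type commands. The object layout and GUIDs follow the ASF specification as this example understands it; the set of URL command types and the sample file are assumptions constructed for the demonstration.

```python
import struct
import uuid
# Object GUIDs from the ASF specification; on disk they use Microsoft's mixed-endian layout.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
URL_TYPES = {"URL", "URLANDEXIT"}  # command types that make the player open a URL (assumed set)

def script_commands(data: bytes):
    """Return [(command_type, command_name)] from the file's Script Command Object, if any."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file (missing Header Object GUID)")
    header_size = struct.unpack_from("<Q", data, 16)[0]  # header: GUID, size, count, 2 reserved
    pos, end, found = 30, min(header_size, len(data)), []
    while pos + 24 <= end:  # walk the top-level header objects: GUID(16) + size(8) + payload
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24: break  # a malformed size would otherwise loop forever
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(_parse_script_object(data[pos + 24:pos + size]))
        pos += size
    return found

def _parse_script_object(body: bytes):
    # Payload: reserved GUID(16), commands count(2), command types count(2), types[], commands[].
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    pos, types, cmds = 20, [], []
    for _ in range(n_types):  # each type name: length in WCHARs(2) + UTF-16LE text
        n = struct.unpack_from("<H", body, pos)[0]
        types.append(body[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(n_cmds):  # each command: presentation time(4), type index(2), name length(2), name
        _time, idx, n = struct.unpack_from("<IHH", body, pos)
        name = body[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")
        cmds.append((types[idx] if idx < len(types) else "?", name))
        pos += 8 + 2 * n
    return cmds

def suspicious_urls(data: bytes):
    """Triage rule: URL-type commands that would make the player fetch something from the web."""
    return [name for kind, name in script_commands(data)
            if kind in URL_TYPES and name.lower().startswith(("http://", "https://"))]

def build_sample_asf(commands):
    """Constructed test input: a minimal ASF header containing only a Script Command Object."""
    types = sorted({kind for kind, _ in commands})
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))  # reserved GUID left zeroed
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for kind, name in commands:
        body += struct.pack("<IHH", 0, types.index(kind), len(name)) + name.encode("utf-16-le")
    obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

A media file that legitimately carries captions will still have script commands, so the triage rule keys on the URL-type commands rather than on the mere presence of the object.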

Figure 3 shows how the malware encounter rate for Chile has trended below the worldwide average. This helps partially explain why the malware infection rate in Chile has also trended below the worldwide average.

Figure 3: Malware infection and encounter trends in Chile and worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)

As seen in Figure 4, the percentage of Worms detected in Chile in 4Q12 was well above the worldwide average.  This is primarily because of detections of Win32/Dorkbot, Win32/Conficker, and Win32/Brontok, as seen in Figure 5.  Win32/Dorkbot was found on 21.4% of systems that were infected with malware in Chile in 4Q12.  Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, may block websites related to security updates, and may launch a limited denial of service (DoS) attack.  Two threats on the list, Win32/Keygen and Win32/Wpakill, are commonly associated with software piracy.  Be aware that attackers have been known to take advantage of people looking for discounted or free software by tricking them into installing malware on their systems.

Figure 4 (left): Malware and potentially unwanted software categories in Chile in 4Q12, by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period; Figure 5 (right): The top 10 malware and potentially unwanted software families in Chile in 4Q12


The level of phishing sites hosted in Chile was significantly higher than the worldwide average in all the quarters examined, as seen in Figure 6.  If you are interested in learning more about trends in phishing, please see this article: Phishing Financial Institutions & Social Networks.  Chile had the second highest level of phishing sites in South America in 4Q12 at 9.75 sites per 1,000 hosts, just behind Brazil with 12.6.  But after the level of phishing sites in Brazil declined by almost half in 1Q13, Chile had the highest level of phishing sites in South America.  Malware hosting sites in Chile were at levels well above the worldwide average in 3Q12, but were below the worldwide average in 4Q12 and 2Q13.

Figure 6: Malicious website statistics for Chile in the second half of 2012 and the first half of 2013

In Chile, 30% of systems did not have up-to-date real-time anti-virus software protecting them in the second half of 2012.  This is worse than the worldwide average of 24%.

Colombia
As seen in Figure 7, Colombia’s malware infection rate (CCM) was consistently above the worldwide average, until the fourth quarter of 2012 (4Q12) when it was 5.8 compared to the worldwide average of 6.0.  But it rose slightly above the worldwide average again in 2Q13. Colombia has consistently had a higher malware encounter rate than the worldwide average, as Figure 8 indicates.
 
Figure 7 (left): CCM infection trends in Colombia and worldwide between the third quarter of 2011 (3Q11) and the second quarter of 2013 (2Q13); Figure 8 (right): Malware infection and encounter trends in Colombia and worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)


Figure 9: Malware and potentially unwanted software categories in Colombia in 4Q12, by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period


As seen in Figure 9, the prevalence of Worms in Colombia in 4Q12 was well above the worldwide average, as it was in Chile.  This has been the case in Colombia since at least 2010, when we started publishing threat intelligence for Colombia in the Microsoft Security Intelligence Report.

The good news for Colombia is that the level of Trojan Downloaders and Droppers, a category of threats that I consider to be very severe, has receded in Colombia since 2010/2011, when they were found on almost a quarter of systems infected with malware there. These threats are a form of trojan that installs other malicious files on a computer it has infected, either by downloading them from a remote computer or by obtaining them directly from a copy contained in its own code. Still, one Trojan Downloader and Dropper, Win32/Silly_P2P, remained on the top list of threats for Colombia; it was found on 4.3 percent of systems infected with malware in 4Q12, as seen in Figure 10.

Figure 10 provides a view into the top ten threats found in Colombia in 4Q12.  As in Chile, two threats on the list, Win32/Keygen and Win32/Wpakill, are commonly associated with software piracy.  Be on the lookout for attackers trying to take advantage of people using such tools.

Figure 10 (left): The top 10 malware and potentially unwanted software families in Colombia in 4Q12; Figure 11 (right): Malicious website statistics for Colombia in the second half of 2012 and the first half of 2013


As seen in Figure 11, levels of phishing sites hosted in Colombia were significantly higher than the worldwide average in the second half of 2012, particularly in 3Q12.  Colombia had the highest level of drive-by download sites of any location in South America in 3Q12, as seen in Figure 12, but saw a big decrease in 4Q12.  To put 0.72 drive-by download sites per 1,000 URLs into perspective, consider that Cyprus had the highest level in the world in 3Q12 with 6.2 URLs per 1,000 and Georgia had 4.49.

Figure 12: Drive-by download sites statistics for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, and Venezuela, in the second half of 2012

Many socio-economic factors have been correlated with regional malware infection rates.  A list of these, with values from 2011 for Colombia can be seen in Figure 13.  Also note that more than a quarter (26%) of the systems in Colombia did not have up-to-date real-time anti-virus software protecting them in the second half of 2012.  This is slightly worse than the worldwide average of 24%.

Figure 13: Some of the socio-economic factors correlated to malware infection rates, with values for Colombia in the second quarter of 2011

That concludes our series on the threat landscape in South America. I hope you found it interesting and useful.

Tim Rains
Director
Trustworthy Computing


About the Author
Tim Rains

Director, Cybersecurity & Cloud Strategy

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft.