In this third part of our series on the threat landscape in South America, we examine threats in Argentina and Uruguay.  Of the locations represented in Figure 1, Argentina and Uruguay are among the locations with the lowest malware infection rates in South America.

Argentina
As seen in Figure 1, Argentina’s malware infection rate has trended down from 11.38 in the first quarter of 2011 (1Q11) to just slightly below the worldwide average at 5.7 in the second quarter of 2013 (2Q13).   

Figure 1 (left): Malware infection rates (CCM) for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela, compared to the worldwide average between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13); Figure 2 (right): CCM infection trends in Argentina and worldwide between the third quarter of 2011 (3Q11) and the fourth quarter of 2012 (4Q12)

   

In Figure 2 a slight increase in the infection rate can be seen in Argentina in 1Q12.  Argentina’s CCM increased from 8.3 in 4Q11 to 8.7 in 1Q12, before a multi-quarter downward trend began.  The infection rate increase in 1Q12 was a result of an increase in detections of a few threat families including Win32/Dorkbot, Trojan:JS/Redirector, ASX/Wimad, and Win32/Sirefef.

Figure 3 compares the malware infection rate (CCM) in Argentina to the malware encounter rate there. The encounter rate is the percentage of systems running Microsoft real-time security products that encountered malware that tried to install on, or stay on, those systems but was blocked by Microsoft anti-malware products. As in the case of Brazil, what’s most interesting about Figure 3 is that the encounter rate increased in 2Q13 while the malware infection rate decreased; that is, more systems encountered malware but fewer systems were infected. The threat families encountered most often are not necessarily the families that infect systems most often.

Figure 3: Malware infection and encounter trends in Argentina and worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)

Win32/Dorkbot detections in Argentina increased by 73.3 percent in 1Q12.  Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

Detections of ASX/Wimad increased more than 17 times in Argentina between 3Q11 and 4Q11. ASX/Wimad is a family of malicious URL script commands found in Advanced Systems Format (ASF) files, a file format used by Windows Media, that download arbitrary files.

Trojan:JS/Redirector is the detection for malicious JavaScript contained within Web pages. This JavaScript trojan may be present on a malicious Web site, and may redirect users to Web sites other than the ones they expected. It is also possible for an attacker to craft HTML-based e-mail messages containing the script. Detections of this threat more than doubled in 1Q12 in Argentina.

Detections of Win32/Sirefef increased almost 8 times in Argentina in 1Q12. Win32/Sirefef is a multi-component family of malware that uses stealth to hide its presence. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes downloading and running other files, contacting remote hosts, and disabling security features.

As seen in Figure 4, two of these threats were still in the top ten list of threats found in Argentina in 4Q12.  The prevalence of Win32/Dorkbot and Win32/Conficker in Argentina in 4Q12 helped drive the percentage of Worms detected there well above the worldwide average as seen in Figure 5.

Figure 4 (left): The top 10 malware and potentially unwanted software families in Argentina in 4Q12; Figure 5 (right): Malware and potentially unwanted software categories in Argentina in 4Q12, by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period

   

The level of malicious websites hosted in Argentina was notably higher than the worldwide average in the second half of 2012 and the first half of 2013.  As seen in Figure 6, phishing sites and malware hosting sites were above the worldwide average in Argentina in every quarter; note that the worldwide average level of malware hosting sites increased significantly from 3Q12 to 2Q13.  As I wrote in part 2 of this series, which examines threats in Brazil, high levels of web-based threats are typical of regions that have high malware infection rates and consistent Internet connectivity, as attackers use compromised systems to host malicious websites.  Brazil had the highest level of malware hosting sites in South America in 4Q12, almost double that of Argentina. This continued in 2Q13, when Brazil had 33.64 malware hosting sites per 1,000 hosts there, compared to 19.63 in Argentina and the worldwide average of 17.67.

Figure 6: Malicious website statistics for Argentina in the second half of 2012 and first half of 2013

In Argentina, 26% of systems did not have up-to-date real-time anti-virus software protecting them in the second half of 2012.  This is slightly higher than the worldwide average of 24%.  Numerous other factors are correlated with regional malware infection rates; socio-economic factors from 2Q11 that have been correlated with malware infection rates can be seen in Figure 7.  If you’d like more information on how these factors are correlated with regional malware infection rates, please see: “Special Edition Security Intelligence Report Released - How Socio-economic Factors Affect Regional Malware Rates.”

Figure 7: Some of the socio-economic factors correlated to malware infection rates, with values for Argentina from the second quarter of 2011

_____________________________________________________________________________________________________

 

Uruguay
As seen in Figure 1, Uruguay has consistently had the lowest malware infection rate (CCM) of any of the locations we examined in South America, always below the worldwide average.  According to Figure 8, in 2Q13 Uruguay’s malware infection rate was 3.2 computers cleaned per 1,000 scanned there compared to the worldwide average of 5.8.

Figure 8 (left): CCM infection trends in Uruguay and worldwide between the third quarter of 2011 (3Q11) and the second quarter of 2013 (2Q13); Figure 9 (right): Malware and potentially unwanted software categories in Uruguay in 4Q12, by percentage of computers reporting detections; note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period

   

The most common threat category detected in Uruguay in 4Q12 was Miscellaneous Potentially Unwanted Software, which affected 43.5 percent of all computers with detections there, up from 34.7 percent in 3Q12.  Miscellaneous Potentially Unwanted Software was above the worldwide average in Uruguay in 4Q12 according to Figure 9.  Four of the top ten families of threats found in Uruguay in 4Q12 were members of this category, as seen in Figure 10.  Note that Win32/Conficker is ranked 5th in the top ten list of threats in Uruguay in 4Q12.  This is concerning because we know from past research that the vast majority of Conficker infections are a result of employing ridiculously simple passwords like “admin”, “admin123”, “administrator”, “default”, “test”, “12345” and “security.”  (Hint: Using Spanish instead of English words as passwords would improve password security in this instance.)  As I mentioned in Part 1 of this series, Win32/Keygen detections have been trending up in South America.  Keygen was found on 18.3 percent of systems infected with malware in Uruguay in 4Q12, making it the top threat family there.

Figure 10 (left): The top 10 malware and potentially unwanted software families in Uruguay in 4Q12; Figure 11 (right): Malicious website statistics for Uruguay in the second half of 2012 and first half of 2013

   

Levels of malicious websites in Uruguay were slightly elevated above the worldwide averages in 3Q12, but were fractions of the worldwide averages in later periods, as seen in Figure 11.

The call to action for computer users in Uruguay:

  • Use strong passwords.  Make sure you’re not using any trivial passwords that threats can just guess to penetrate systems. Instead, use strong passwords to help defend systems against Win32/Autorun, Win32/Conficker and other worms found in the region. 
  • Given that Win32/Keygen and ASX/Wimad are top threats in Uruguay, avoid searching for or using pirated software, as attackers take advantage of the desire for free or heavily discounted software to trick users into loading malware onto their systems.

Tim Rains
Director
Trustworthy Computing