The region, which has traditionally been infamous for housing an inordinate number of infected machines, is now creating more botnets, with Trojans targeting Latin America's popular online banking culture.
Researchers at Kaspersky Lab recently studied a crimeware kit for botnets that was customized for Latin American targets and appeared to be built for attacking online banking customers in Peru. Jorge Mieres, a security expert with Kaspersky, says the Sistema de Administracion de PCs Zombi (Zombie PCs Administration System) is a specialized version of the pervasive SdBot botnet malware. The botnet was first created in late 2009, he says.
"This botnet is further evidence that Latin America is influenced by this type of cybercrime. And although developments in Latin American crimeware -- that we have found so far -- do not compare with more sophisticated ones, [such as] from the area of Eastern Europe, it is clear that the production of local malware and collateral activities that stem from these types of activities targeting Latin American users is on the agenda," Mieres says.
The so-called SAPZ botnet initially infects victims via phishing attacks. It redirects the victim to a phony version of the Banco de Credito de Peru, where it installs the Trojan and then steals users' financial information and credentials. "Every time the user enters the bank's home site from his/her browser, Web traffic is redirected to the malicious server that hosts a clone of the real site. When this happens, unsuspecting users enter their data into the fake page and thus the info is stolen by the hacker," Mieres says.
Researchers at ESET's Latin American lab also have witnessed a botnet and banking Trojan uptick in the region during the past year or so. Sebastian Bortnik, coordinator of awareness and research for ESET Latinoamérica, says the Latin American SDbot has been around for at least two years. He says it's actually more common to see popular crimeware kits like Zeus or SpyEye spreading there. Even so, last year ESET found a Mexico-based crimeware kit called MiniBitNet.PHP, a.k.a. Mariachi Botnet. "This particular botnet kit builds a piece of malware that propagates through USB devices -- the main vector for malware in Latin America -- and P2P networks. It was designed to perform DDoS attacks," Bortnik says.
Banking Trojans are widespread in Latin America: One out of 20 machines in Brazil was infected with some sort of banking Trojan this year, according to new data from ESET. Around 27 percent of malware found in Latin American machines steals some type of information from the victim's machine, and 20 percent of malware there is related to botnets or backdoors. More than 40 percent of malware in Latin America spreads via USB devices.
"We have been seeing these changes in the attacks in Latin America, moving to more cybercrime-related attacks. Crimeware kits developed in the region are growing slowly, but, specifically, banker Trojans are a massive attack, with more rates of infection than the rest of the world. These kinds of Trojans are created to steal credentials for accessing [online] banking websites," Bortnik says.
Why Latin America? Gunter Ollmann, research vice president at Damballa, says the region is an attractive target due to the transient nature of the working population, which has made online banking a way of life. Brazil and Argentina have the highest percentage of online banking activity in the world, for example.
Two major problems exacerbate the cybercrime problem, he says: Most Latin American countries don't have laws that make hacking illegal, and the roving workforce from the region means many citizens rely on online banking for paychecks and other transactions. "South American banks, [for example], have streamlined the process because much of the population is a migratory workforce located in different countries," he says. That has made the region a ripe target for attackers.
"Online banking systems [that support] the population of migratory workers [so they are able] to automatically transfer funds between banks and internationally between banks is a common practice. [Online banking systems] are designed to facilitate that," Ollmann says. That provides cybercriminals with the opportunity to steal online banking credentials and commit bank fraud: "Banking Trojans are really paving the way," he says.
While the banking systems are relatively sophisticated -- namely Brazil's -- there's little legal protection against attackers. "Similar to Eastern Europe, the general education is quite high [in the region], but job opportunities are more difficult," Ollmann says. That makes malware development and cybercrime attractive careers there, he says.
Damballa tracks about 200 botnets based on SDbot, he says, and one in five have ties to Latin America.
Latin America could well become the incubator for smartphone malware and attacks: Online banking via smartphones is on the rise, Ollmann notes. "Just as banking Trojans made a splash for malware attacks against online banking ... Latin America is also going to trailblaze in the development of smartphone malware," he says.
And the quick adoption of these technologies basically leaves them unsecured. "In this context, the incorporation of technologies is sometimes done in a hurry, so that's an opportunity for attackers since security levels aren't often the most optimal," ESET's Bortnik says.