<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Malware</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Malware related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2012, unless where otherwise noted.</dc:rights>
		<dc:date>2012-02-11T13:09:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>DNSChanger Trojan Still Running on Half of Fortune 500s, US Govt</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/dnschanger_trojan_still_running_on_half_of_fortune_500s_us_govt/</guid>
			<link>http://www.circleid.com/posts/dnschanger_trojan_still_running_on_half_of_fortune_500s_us_govt/</link>
			<description><![CDATA[<p>"More than two months after authorities shut down a massive Internet traffic hijacking scheme (<a href="http://www.circleid.com/posts/mega_international_dns_malware_operation_dismantled_reports_fbi/">link</a>), the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows," <a href="http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/">reports Brian Krebs</a>. ... "Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities."
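</p>
<p>
One way an enterprise can find the hosts this post is talking about, as an added example rather than anything from the post or from Internet Identity's research: a Python check that takes an inventory of (host, configured resolver) pairs, which you would pull from DHCP leases or endpoint management, and flags every host whose resolver sits inside the rogue DNSChanger address ranges. The ranges are the ones the FBI published for the case; they are not on this page, so treat them as an assumption and verify them against the FBI/DCWG list before use. The inventory is constructed.
</p>
```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Rogue resolver ranges as published by the FBI for the DNSChanger case.
# Assumption: taken from the FBI's public list, not from this page; verify
# against the current FBI/DCWG publication before relying on them.
DNSCHANGER_ROGUE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",
        "67.210.0.0/20",
        "93.188.160.0/21",
        "77.67.83.0/24",
        "213.109.64.0/20",
        "64.28.176.0/20",
    )
]


def is_rogue_resolver(resolver: str, ranges=DNSCHANGER_ROGUE_RANGES) -> bool:
    """True if the resolver address falls inside any rogue range."""
    try:
        addr = ipaddress.ip_address(resolver)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname); cannot be matched
    return any(addr in net for net in ranges)


def find_infected(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map host -> list of rogue resolvers it is configured to use."""
    hits: Dict[str, List[str]] = {}
    for host, resolver in inventory:
        if is_rogue_resolver(resolver):
            hits.setdefault(host, []).append(resolver)
    return hits


# Constructed sample: hostnames and the resolvers their DHCP/static config points at.
SAMPLE_INVENTORY = [
    ("ws-0412", "10.1.0.53"),
    ("ws-0417", "85.255.112.36"),     # inside 85.255.112.0/20 -> DNSChanger
    ("ws-0417", "85.255.113.9"),
    ("lt-0073", "8.8.8.8"),
    ("lt-0080", "213.109.78.201"),    # inside 213.109.64.0/20 -> DNSChanger
    ("srv-dc1", "10.1.0.53"),
    ("ws-0512", "corp-dns.example"),  # hostname, skipped
]

if __name__ == "__main__":
    for host, resolvers in sorted(find_infected(SAMPLE_INVENTORY).items()):
        print(f"{host}: rogue resolver(s) {', '.join(resolvers)}")
```
<p>
DNSChanger worked by rewriting the victim's resolver settings, so the configured resolver address is the artifact to inventory; no sample of the malware itself is needed to confirm an infection on a host.
</p>
<p>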
</p>]]></description>
			<dc:date>2012-02-02T10:28:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>dns</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Public&#45;Private Cooperation Policy for Cyber Security Suggested by Commissioner Kroes</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</guid>
			<link>http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/5265/">Wout de Natris</a> writes: In a speech at the Security and Defense Agenda meeting on 30 January, Vice-President of the European Commission Neelie Kroes showed how the Commission envisions public-private cooperation on cyber security.
</p>
<p>
Remarks by Kroes:
</p>
<p>
"The Internet does not belong to any one group, but attacks on it affect every group. So let's work together, all sectors, all levels, public and private, national, international and European. So that we can safeguard the security of the systems that increasingly underpin our lives, today and in the future."
</p>
<p>
"In tomorrow's world, if the Internet is not secured, nothing will be."
</p>
<p>
Full statement published <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/47&amp;format=HTML&amp;aged=0&amp;language=EN&amp;">here</a>.
</p>]]></description>
			<dc:date>2012-01-31T11:11:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>Privacy Rules to Change in the EU, But What If &#8230;?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</guid>
			<link>http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</link>
			<description><![CDATA[<p>In a <a href="http://blogs.wsj.com/tech-europe/2012/01/23/reding-details-sweeping-changes-to-e-u-data-laws/">presentation</a>, EU Commissioner Viviane Reding gave a preview of the new privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonised. With all 27 member states having the same rules and the same tools to enforce them, a company will deal with only one privacy commissioner, i.e. the one of the country of its main establishment. That gets rid of a lot of red tape. So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime? What would this do to spam enforcement?
</p>
<p>
<strong>ACMA receives a major compliment</strong>
</p>
<p>
In 2004, when I first entered the anti-spam arena, this was a mantra I had to hear very often: "Spam is international. We cannot do anything", spoken with a lot of emphasis and some despair. Unfortunately, in 2012 this is still true for many countries. Not because it is impossible to do something about spam, but because of a lack of initiative. I think that a great compliment to Australia's ACMA (Australian Communications and Media Authority) was published on <a href="http://www.circleid.com/posts/how_canadas_new_anti_spam_act_could_affect_your_email_marketing/#857">CircleID</a> in a comment on an article about the impact of Canada's spam law on local businesses. Brett Watson, an Australian internet engineer, writes:
</p>
<blockquote><p><em>"However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement&#8230; Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far."</em></p></blockquote>
<p>
This shows that fighting spam is effective and that the combination of enforcement with filtering by ISPs keeps mailboxes clean. Spam hasn't gone away, but at national level companies are disciplined and mostly act within the law in the few countries with vigorous enforcement bodies.
</p>
<p>
<strong>Who enforces what?</strong>
</p>
<p>
Privacy and spam are closely related. Spam is seen as an invasion of privacy, but it goes way beyond mere privacy. Privacy-sensitive data is often used, sold or, worse, stolen in order to approach people. Whether the aim is to sell a(n illegal) product, phish for more (bank) data or commit industrial espionage, a stolen e-mail address is often the basis of law violations. The patchwork of enforcement agencies, unclear enforcement powers, the lack of understanding of the issues at stake, of resources, training or powers, and the unavailability of online reporting of spam or cyber crime all mean that enforcement is far from optimal in most countries.
</p>
<p>
<strong>Standardisation of spam and cyber crime law</strong>
</p>
<p>
Could a standardised law, with a standardised toolkit for enforcement agencies, make a difference? Yes, I think it would. For the public it would mean certainty that when the law is broken, it is clear whom to report to and that an investigation is likely to follow; that it makes a difference to complain. For senders it also sets clear boundaries. Their business continues, as is proven in e.g. The Netherlands, but in compliance with the law. On top of that, it offers this clarity in all 27 member states.
</p>
<p>
As spam, e-fraud, phishing, cyber crime and worse are all so closely related and often involve several countries, it makes sense to be more directive from Brussels. At national level there are so many different laws, ministries and enforcement agencies involved that coordination there is almost utopian, quite apart from the fact that success without industry participation is clearly unthinkable. Although the Dutch <a href="http://www.ncsc.nl/">National Cyber Security Centre</a> is a promising initiative, it is obvious that for most countries this form of public-private cooperation is hard to attain.
</p>
<p>
<strong>A proposed course of action for the EU Cyber Security Centre</strong>
</p>
<p>
The discussion about the EU Cyber Security Centre is under way. Let me give a pointer on what the centre could do. To my mind it ought, also, to actively collect, analyse and share data with those involved: public and private entities and universities. This gives the centre coordinating powers in cross-border matters and across different enforcement organisations as well. Two difficult hurdles taken&#8230; should this come to pass. The combination of overview and oversight with the transparency created by available, shared data makes all concerned answerable for their (lack of) actions to the centre and to each other. I am also convinced that this model will lay the foundation for cooperation with whole new groups of Internet industry partners that are now harder to reach or convince.
</p>
<p>
<strong>Ambition at Commissioner level</strong>
</p>
<p>
If Commissioners Kroes, Malmström and Reding used their powers to harmonise the laws and enforcement in the way Ms. Reding proposes for privacy, i.e. the same law and enforcement tools, standardised enforcement agencies and a single point of case handling, the fight against privacy infringements, spam, malware and cyber crime may actually take a turn for the better. They are so intertwined that another approach is (well, should be) almost unthinkable.
</p>
<p>
The combination of a pro-active EU Cyber Security Centre with a layer of harmonisation where enforcement is concerned would be a structural step forward from the present situation in many countries. Yes, this is ambitious, but it is clear that the present approach is not going to change much. Everything cyber is still a field day for criminals, and a private company, Microsoft, is so far the most successful in fighting botnets. This ought to be different, shouldn't it?
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-01-24T08:59:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>data_center</category><category>email</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>spam</category>
		</item>
		
		<item>
			<title>Understanding and Detecting Mobile Malware Threats</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</guid>
			<link>http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</link>
			<description><![CDATA[<p>Every couple of years there's a new "hot threat" in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it's mobile malware. It's a recurring cycle, analogous to "blue is the new black" in fashion &#8212; if you fancy adopting a certain cynical tone.
</p>
<p>
Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you'll uncover that the back story to many of these "hot threats" often goes back a decade or two. Mobile malware threats are certainly no exception.
</p>
<p>
A history lesson in the evolution of mobile malware is hopefully not required, beyond saying that today's hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is labeled and thrust into the limelight for the first time, there's all too often a stampede towards apparently novel and threat-specific solutions.
</p>
<p>
Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.
</p>
<p>
<strong>What is the "Mobile Threat"?</strong>
</p>
<p>
When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be "what do you define as the mobile threat?"
</p>
<p>
The term "Mobile Threat" is amorphous &#8212; it has become a catch-all for anything that is not physically tethered to a network, happens to be newish from a technology perspective, and is likely subject to some new (previously unencountered) formulation of evilness. That sounds like a wishy-washy definition (and it is), but catch-alls usually are. Instead, I'd rather focus on one aspect of the Mobile Threat &#8212; that of the mobile <em>malware</em> threat.
</p>
<p>
As I described in a blog entry illuminating a handful of <a href="http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/">security predictions for 2012</a>, mobile malware threats continue to be misunderstood. It's all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise, just as it's rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the "legacy" threat categories we're already all too familiar with.
</p>
<p>
You could spin a lot of cycles looking into the "what if's" of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things &#8212; how do your employees <em>really</em> use their mobile devices, and how are cybercriminals going to <em>monetize</em> their control of these devices?
</p>
<p>
For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools &#8212; of which the most commonly encountered category is "malware" &#8212; are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.
</p>
<p>
When it comes to the cybercriminals that target mobile devices (which constitute the core element of the "Mobile Threat"), it is interesting to note that they're pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn't really be a surprise to anyone &#8212; it's all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision &#8212; do they target the new platform, or optimize their attacks against the traditional devices? As mobile application use increases, there's an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.
</p>
<p>
It's important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install on the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&amp;C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure&#8230; business as usual!
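</p>
<p>
Because the C&amp;C channel speaks HTTP whatever the endpoint is, the same proxy-log analytic covers PCs and phones. The block below is an added example, not Damballa's or the author's code: it parses a few constructed proxy log lines (timestamp, client, destination host, user-agent; the layout is made up for the example), groups requests by client and destination while deliberately ignoring the user-agent, and flags pairs that call the same host at a near-constant interval. A Windows workstation and an Android handset both surface against the same host; the thresholds are assumptions to tune.
</p>
```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log lines: "<iso-timestamp> <client-ip> <host> <user-agent>".
# Assumption: this layout is invented for the example, not a real proxy format.
SAMPLE_LOG = """\
2012-01-16T09:00:00 10.0.0.21 cdn.example-static.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:00:00 10.0.0.21 upd.example-cnc.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:05:01 10.0.0.21 upd.example-cnc.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:10:00 10.0.0.21 upd.example-cnc.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:14:59 10.0.0.21 upd.example-cnc.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:20:00 10.0.0.21 upd.example-cnc.net Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:03:12 10.0.0.21 news.example.org Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:11:40 10.0.0.21 news.example.org Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:12:05 10.0.0.21 news.example.org Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:40:22 10.0.0.21 news.example.org Mozilla/5.0 (Windows NT 6.1)
2012-01-16T09:01:30 10.0.7.88 upd.example-cnc.net Dalvik/1.6.0 (Linux; Android 2.3.4)
2012-01-16T09:06:30 10.0.7.88 upd.example-cnc.net Dalvik/1.6.0 (Linux; Android 2.3.4)
2012-01-16T09:11:31 10.0.7.88 upd.example-cnc.net Dalvik/1.6.0 (Linux; Android 2.3.4)
2012-01-16T09:16:30 10.0.7.88 upd.example-cnc.net Dalvik/1.6.0 (Linux; Android 2.3.4)
2012-01-16T09:21:30 10.0.7.88 upd.example-cnc.net Dalvik/1.6.0 (Linux; Android 2.3.4)
"""

Key = Tuple[str, str]  # (client ip, destination host)


def parse_log(text: str) -> Dict[Key, List[datetime]]:
    """Group request timestamps by (client, host). The user-agent is kept out
    of the key on purpose: device type must not affect the detection."""
    groups: Dict[Key, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _ua = line.split(" ", 3)
        groups[(client, host)].append(datetime.fromisoformat(ts))
    for times in groups.values():
        times.sort()
    return groups


def beacon_score(times: List[datetime]) -> Tuple[float, float]:
    """Return (median interval in seconds, jitter ratio = stdev / median)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")
    med = statistics.median(gaps)
    jitter = statistics.pstdev(gaps) / med if med > 0 else float("inf")
    return med, jitter


def find_beacons(groups: Dict[Key, List[datetime]],
                 min_requests: int = 4,
                 max_jitter: float = 0.1) -> List[Tuple[str, str, float]]:
    """Flag (client, host) pairs with enough requests at near-constant spacing.
    Thresholds are assumptions for the example; tune them on your own traffic."""
    hits = []
    for (client, host), times in groups.items():
        if len(times) < min_requests:
            continue
        med, jitter = beacon_score(times)
        if jitter <= max_jitter:
            hits.append((client, host, med))
    return sorted(hits)


if __name__ == "__main__":
    for client, host, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: beacon every ~{period:.0f}s")
```
<p>
Real C&amp;C clients add jitter on purpose, so on production logs raise max_jitter or use a periodicity test over a longer window; the point of the paragraph still holds either way, because the analytic is keyed on the network behaviour rather than on the device.
</p>
<p>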
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2012-01-16T14:10:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category><category>wireless</category>
		</item>
		
		<item>
			<title>Types of Attack</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/types_of_attack/</guid>
			<link>http://www.circleid.com/posts/types_of_attack/</link>
			<description><![CDATA[<p>A lot of pixels have been spilled in the last few years about "advanced persistent threats" (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist?
</p>
<p>
After thinking about it for a while, I came up with the following representation:
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6288.gif" border="0" width="642" height="259" style="display:block;clear:both;padding:20px 0;" />
</p>
<p>
The two axes represent how skilled the attacker is, and how much a particular victim is being targeted.
</p>
<p>
I dub the lower left "joy hacks". These are the province of the script kiddie or the novice hacker. They've learned about "cool" tools, and they try them out on anyone in reach. Ordinary care will generally deflect joy hackers.
</p>
<p>
As the attackers' skill level moves up, you get what I call "random hacks". (I'm not fond of that name; any better suggestions?) People who write new worms often fall into this class, especially if the worms exploit 0-days. But worms are generally random in their targets. If you're a spammer or a botnet builder, though, that's fine; a low-bandwidth node may not be able to spew as much garbage as a well-connected one, but as the saying goes, "from each according to his ability". Your best defense here is the usual technical litany: turning off unneeded services, keeping up to date on patches, etc.
</p>
<p>
The X axis, which reflects targeting, does not necessarily imply particular technical measures. In general, though, it means that the attacker will gather as much intelligence as is feasible about the target. (Again, I'm quite unhappy with my name, especially when I have to translate it into the noun for the attacker.) Spear-phishing attacks, which show a knowledge of the organization and the victim and perhaps the purported source of the message, show the efficacy of this. The attacks themselves may not be novel, but the extra information the attacker has helps immensely. This is an arena where education and process help.
</p>
<p>
The upper right (or the upper right of the upper right) is, of course, the Advanced Persistent Threat, what John Ehrlichman so memorably called the "<a href="http://select.nytimes.com/2005/10/30/opinion/30rich.html?pagewanted=all">big enchilada</a>". Here, you need everything you can bring to bear and then some: patches, education, process, luck, and perhaps sacrificing the entrails of a virgin artichoke on your keyboards.
</p>
<p>
Do APTs exist? Assuredly; if it accomplished nothing else, Stuxnet showed that. Are most attacks on high-profile companies APTs? I suspect that some are and some are not &#8212; but I haven't investigated or even reviewed the investigation of any of them, so I won't comment. Are nation-states behind APTs? Unknown and probably unknowable, though the more sophisticated the attack (and especially the more comprehensive and sophisticated the target intelligence was), I'd say it becomes more likely (which is not the same as "likely"). Should you worry about APTs? Ask yourself this: who would be likely to target you, and how good are they?
</p><p><em>Written by <a href="http://www.circleid.com/members/3631/">Steven Bellovin</a>, Professor of Computer Science at Columbia University</em></p>]]></description>
			<dc:date>2012-01-10T21:40:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Japan Developing Distinctive Anti&#45;Cyberattack Virus</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</guid>
			<link>http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</link>
			<description><![CDATA[<p>The Japanese Defense Ministry is creating a computer virus capable of tracking, identifying and disabling sources of cyberattacks, according to <a href="http://www.yomiuri.co.jp/dy/national/T120102002799.htm">reports</a>. The development of the virtual cyberweapon was launched in 2008. Since then, the weapon has been tested in a closed network environment. "The most distinctive feature of the new virus is its ability to trace cyber-attack sources. It can identify not only the immediate source of attack, but also all "springboard" computers used to transmit the virus."
</p>]]></description>
			<dc:date>2012-01-04T13:07:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top Ten Posts of 2011</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120103_circleid_top_ten_posts_of_2011/</guid>
			<link>http://www.circleid.com/posts/20120103_circleid_top_ten_posts_of_2011/</link>
			<description><![CDATA[<p>Listed below are the top ten most popular news, blogs, and industry updates featured on CircleID in 2011 based on the overall readership of the posts for the year. Congratulations to all the participants whose posts reached top readership and best wishes to the entire community for 2012. Happy New Year!
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/blogs/">Featured Blogs</a> in 2011:</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/a_fairness_scorecard_for_trademark_protection_under_the_new_gtlds/">A Fairness 'Scorecard' for Trademark Protection Under the New gTLDs</a>
<br />
<em>By <a href="http://www.circleid.com/members/949/">Konstantinos Komaitis</a>, Feb 23, 2011 (33,350 views)</em></li>
<li><a href="http://www.circleid.com/posts/ip_addressing_in_the_new_age_of_scarcity/">IP Addressing in the New Age of Scarcity</a>
<br />
<em>By <a href="http://www.circleid.com/members/5090/">Peter Thimmesch</a>, May 27, 2011 (21,563 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110803_smartphones_too_smart_for_mobile_operators/">Smartphones: Too Smart for Mobile Operators?</a>
<br />
<em>By <a href="http://www.circleid.com/members/3994/">Henry Lancaster</a>, Aug 03, 2011 (21,144 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_on_mandated_content_blocking_in_the_domain_name_system/">On Mandated Content Blocking in the Domain Name System</a>
<br />
<em>By <a href="http://www.circleid.com/members/620/">Paul Vixie</a>, Mar 18, 2011 (16,315 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110427_court_approves_nortels_sale_of_ipv4_addresses_to_microsoft/">Court Approves Nortel's Sale of IPv4 Addresses to Microsoft</a>
<br />
<em>By <a href="http://www.circleid.com/members/5141/">Benson Schliesser</a>, Apr 27, 2011 (13,173 views)</em></li>
<li><a href="http://www.circleid.com/posts/the_design_of_the_domain_name_system_part_viii_names_outside_the_dns/">The Design of the Domain Name System, Part VIII - Names Outside the DNS</a>
<br />
<em>By <a href="http://www.circleid.com/members/1015/">John Levine</a>, Sep 17, 2011 (12,399 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/">Top Public DNS Resolvers Compared</a>
<br />
<em>By <a href="http://www.circleid.com/members/5531/">Michael Meisel</a>, Apr 07, 2011 (12,217 views)</em></li>
<li><a href="http://www.circleid.com/posts/why_lawsuit_against_xxx_maybe_the_best_sales_tool_for_new_gtld_applicants/">Why the Lawsuit Against .XXX Maybe the Best Sales Tool Ever For New gTLD Applicants</a>
<br />
<em>By <a href="http://www.circleid.com/members/5282/">Michael Berkens</a>, Nov 17, 2011 (9,466 views)</em></li>
<li><a href="http://www.circleid.com/posts/independence_and_security_online_have_not_yet_been_won/">Independence and Security Online Have Not Yet Been Won</a>
<br />
<em>By <a href="http://www.circleid.com/members/3725/">Mike Dailey</a>, Jul 03, 2011 (9,373 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110301_comcasts_impressive_system_for_notifying_infected_users/">Comcast’s Impressive System for Notifying Infected Users</a>
<br />
<em>By <a href="http://www.circleid.com/members/3217/">J.D. Falk</a>, Mar 01, 2011 (9,216 views)</em></li></ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2011:</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/20110619_new_top_level_domains_are_approved_by_icann/">New Top-Level Domains Approved By ICANN</a>
<br />
<em>Jun 19, 2011 (44,312 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_icann_approves_xxx/">ICANN Approves .XXX</a>
<br />
<em>Mar 18, 2011 (20,936 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110525_experts_urge_congress_to_reject_proposed_dns_filtering_protect_ip/">Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised</a>
<br />
<em>May 26, 2011 (12,284 views)</em></li>
<li><a href="http://www.circleid.com/posts/microsoft_offers_75_million_to_buy_666624_ipv4_addresses/">Microsoft Offers $7.5 Million to Buy 666,624 IPv4 Addresses</a>
<br />
<em>Mar 25, 2011 (9,600 views)</em></li>
<li><a href="http://www.circleid.com/posts/egyptian_government_shuts_down_most_internet_and_cell_services/">Egyptian Government Shuts Down Most Internet and Cell Services</a>
<br />
<em>Jan 28, 2011 (3,988 views)</em></li>
<li><a href="http://www.circleid.com/posts/us_government_domain_seizure_results_in_unintended_shutdown/">US Government Domain Seizure Results in Unintended Shutdown of Thousands of Websites</a>
<br />
<em>Feb 16, 2011 (3,962 views)</em></li>
<li><a href="http://www.circleid.com/posts/jd_falk_1974_2011/">J.D. Falk: 1974 - 2011</a>
<br />
<em>Nov 17, 2011 (3,918 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110120_cybercriminals_shifting_focus_from_windows_pc_to_others_mobile/">Cybercriminals Shifting Focus From Windows PCs to Other Systems and Mobile</a>
<br />
<em>Jan 20, 2011 (3,823 views)</em></li>
<li><a href="http://www.circleid.com/posts/researchers_report_new_of_detecting_domain_fluxing/">Researchers Report New Method for Detecting Domain-Fluxing</a>
<br />
<em>Mar 28, 2011 (3,633 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_microsoft_federal_agencies_take_down_rustock_botnet/">Microsoft, Federal Agencies Take Down Rustock Botnet</a>
<br />
<em>Mar 18, 2011 (3,607 views)</em></li></ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2011 (sponsored posts):</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/20110215_google_says_think_mobile_and_then_gomobi/">Google Says "Think Mobile" ...and then goMobi</a>
<br />
<em>By <a href="http://www.circleid.com/members/1975/">dotMobi</a>, Feb 15, 2011 (6,120 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110401_the_botnet_counterfeit_drugs_connection/">The Botnet-Counterfeit Drugs Connection</a>
<br />
<em>By <a href="http://www.circleid.com/members/3844/">MarkMonitor</a>, Apr 01, 2011 (4,928 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110319_new_gtld_timeline_announced_and_xxx_approved/">New gTLD Timeline Announced and .XXX Approved</a>
<br />
<em>By <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> (4,253 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110214_second_half_2010_dashboard_domain_name_report_released/">Second Half 2010 "Dashboard" Domain Name Report - Released</a>
<br />
<em>By <a href="http://www.circleid.com/members/1858/">PIR</a>, Feb 14, 2011 (3,666 views)</em></li>
<li><a href="http://www.circleid.com/posts/markmonitor_report_how_scammers_generate_traffic_counterfeit_goods_online/">MarkMonitor Report: How Scammers Generate Significant Traffic Promoting Suspected Counterfeit Goods</a>
<br />
<em>By MarkMonitor, Feb 01, 2011 (3,536 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110314_ausregistry_int_crowell_moring_join_forces_new_top_level_domains/">AusRegistry Int. and Crowell &amp; Moring Join Forces to Support New Top-Level Domain Applicants</a>
<br />
<em>By <a href="http://www.circleid.com/members/4770/">ARI Registry Services</a>, Mar 14, 2011 (3,507 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110617_celebrity_marketing_guru_jeffrey_hayzlett_to_promote_new_tlds/">Celebrity Marketing Guru Jeffrey Hayzlett to Promote New TLDs for AusRegistry International</a>
<br />
<em>By <a href="http://www.circleid.com/members/4770/">ARI Registry Services</a>, Jun 17, 2011 (3,472 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110717_minds_machines_parent_company_tldh_appoints_peter_dengate_thrush/">Minds + Machines’ Parent Company, TLDH, Appoints Peter Dengate Thrush as Executive Chairman</a>
<br />
<em>By <a href="http://www.circleid.com/members/5703/">Minds + Machines</a>, Jul 17, 2011 (3,457 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110302_dnssec_is_just_the_beginning/">DNSSEC is Just the Beginning</a>
<br />
<em>By <a href="http://www.circleid.com/members/4684/">.CO Internet</a>, Mar 02, 2011 (3,421 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110111_landrush_for_new_domain_extension_grcom/">Landrush for New Domain Extension - .GR.COM</a>
<br />
<em>By <a href="http://www.circleid.com/members/5387/">CentralNic</a>, Jan 11, 2011 (3,421 views)</em></li></ol><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2012-01-03T07:53:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>policy_regulation</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>Botnets: Most Prevalent Threat on the Internet for the Enterprises</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/botnets_most_prevalent_threat_on_the_internet_for_the_enterprises/</guid>
			<link>http://www.circleid.com/posts/botnets_most_prevalent_threat_on_the_internet_for_the_enterprises/</link>
			<description><![CDATA[<p>Based on the total number of transactions, Zscaler <a href="http://research.zscaler.com/2011/12/web-threats-trends-and-statistics.html">reports</a> botnets as the biggest security risk on the Internet for enterprises. "Once a host gets infected, the botnet usually spreads quickly within an enterprise. It also generates a significant amount of traffic to the command and control server, to download additional malware or perform other actions."
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6256.gif" border="0" width="642" height="421" style="display:block;" />
</p>]]></description>
			<dc:date>2011-12-29T12:54:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Typosquatted Domain Names Pose Plenty of Risk But Surprisingly Little Malware</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111215_typosquatted_domain_names_pose_plenty_of_risk_little_malware/</guid>
			<link>http://www.circleid.com/posts/20111215_typosquatted_domain_names_pose_plenty_of_risk_little_malware/</link>
			<description><![CDATA[<p>A recent study took an in-depth look at the scale and the risk of domain name typosquatting &#8212; the practice of registering misspellings of popular domain names in an attempt to profit from typing mistakes. "Applying every possible one-character typo to the domain names of Facebook, Google, Twitter, Microsoft, Apple and Sophos," Paul Ducklin, Sophos' Asia Pacific head of technology, collected HTTP data and browser screenshots from 1,502 web sites and 14,495 URLs.
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6219b.jpg" border="0" width="644" height="300" style="display:block;" />
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6219a.jpg" border="0" width="379" height="130" style="float:right;padding:0 0 5px 15px;" />Ducklin wrote: "We recently surveyed a batch of lost USB keys bought from a transit authority's Lost Property auction; we hoped that the infection rate would be about 10%, but found that 66% of the keys in our study were infected. So we naively assumed that typosquat sites would be similarly incautious (either by accident or design) about malware. But out of 14,495 URLs downloaded in browsing to the 1502 sites on our list, only one contained malware. That's just 0.01% by URL, and 0.07% by fully-qualified domain name."
</p>
<p>
In <a href="http://nakedsecurity.sophos.com/typosquatting/">his report</a>, Ducklin analyses the data, revealing unexpected results and harmful aspects of the typosquatting ecosystem.
</p>
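<p>The survey method quoted above, applying every possible one-character typo to a domain's label, as an added example that is not Ducklin's code and not part of the original post. The page does not say which edit classes the study used; the four classes below (omission, adjacent transposition, substitution, insertion) and the letters-digits-hyphen label alphabet are assumptions, and the generator is applied to the registrable label only.</p>

```python
"""One-character typo generator of the kind used in the Sophos typosquatting survey.

Added example, not Paul Ducklin's code. Assumptions: the four typo classes
(omission, adjacent transposition, substitution, insertion) and the LDH label
alphabet are mine; the page does not say exactly which edits the study applied.
"""
import string

LABEL_ALPHABET = string.ascii_lowercase + string.digits + "-"


def valid_label(label, alphabet=LABEL_ALPHABET):
    """LDH rule for a DNS label: 1-63 chars from the alphabet, no leading/trailing hyphen."""
    return (0 < len(label) <= 63
            and all(c in alphabet for c in label)
            and not label.startswith("-")
            and not label.endswith("-"))


def typo_classes(label, alphabet=LABEL_ALPHABET):
    """Every valid label one edit away from `label`, bucketed by edit class."""
    label = label.lower()
    n = len(label)
    buckets = {"omission": set(), "transposition": set(),
               "substitution": set(), "insertion": set()}
    for i in range(n):                                   # drop one character
        buckets["omission"].add(label[:i] + label[i + 1:])
    for i in range(n - 1):                               # swap two neighbours
        buckets["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n + 1):
        for c in alphabet:
            if i < n:                                    # replace one character
                buckets["substitution"].add(label[:i] + c + label[i + 1:])
            buckets["insertion"].add(label[:i] + c + label[i:])   # add one character
    for name, cands in buckets.items():
        cands.discard(label)                             # the real name is not a typo
        buckets[name] = {t for t in cands if valid_label(t, alphabet)}
    return buckets


def one_char_typos(label, alphabet=LABEL_ALPHABET):
    """Union of all classes: the candidate set a typosquat survey would resolve and fetch."""
    return set().union(*typo_classes(label, alphabet).values())


def typo_domains(domain, alphabet=LABEL_ALPHABET):
    """Apply the generator to the registrable label of `domain` (sophos in sophos.com)."""
    label, dot, suffix = domain.lower().partition(".")
    return sorted(t + dot + suffix for t in one_char_typos(label, alphabet))


if __name__ == "__main__":
    for name, cands in typo_classes("sophos").items():
        print(f"{name:14s} {len(cands):4d}  e.g. {sorted(cands)[:3]}")
    print(len(typo_domains("sophos.com")), "candidate domains for sophos.com")
```

<p>Substitution and insertion dominate the candidate count because they scale with the alphabet size, which is why a six-domain survey reaches into the thousands of names; a real survey would then resolve each candidate and fetch it over HTTP, which this example deliberately does not do.</p>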
]]></description>
			<dc:date>2011-12-15T11:56:00-08:00</dc:date>
			<category>internet</category><category>cybersquatting</category><category>domain_names</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>2012 Security Predictions: APT&apos;s, Mobile Malware and Botnet Takedowns</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</guid>
			<link>http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</link>
			<description><![CDATA[<p>As the weeks remaining in 2011 dwindle and 2012 peeks out from behind the last page of the calendar, it must once again be that time of year for purposeful reflection and prediction. Or is that navel gazing and star gazing?
</p>
<p>
The year still has a couple of weeks to rock on before we can comprehensively summarize the events and trends of 2011. I'm sure there will be a bunch of annual threat reports preempting the end of year &#8212; extrapolating trends etc. in order to get the jump on reports that use real data. At the highest level of navel gazing you could probably sum up 2011 with one word &#8212; "More". The bad guys got richer, more successful, invented a few new attack vectors, and generally grew in numbers; meanwhile the good guys got more efficient at causing the bad guys pain, but continued to be outspent by the bad guys.
</p>
<p>
But let's put that aside for now. What does 2012 hold in store for us?
</p>
<p>
It's easy enough to predict the future when you're merely commenting upon the trends of past years and projecting "more" of the same. While I can offer no shortage of meaningful predictions for 2012 across a broad range of threat and security categories, I thought it would be fun to pick three topics that stole much of the limelight in 2011 &#8212; Advanced Persistent Threats (APTs), mobile malware and botnet takedowns.
</p>
<p>
So, without further ado, here are a handful of predictions for 2012.
</p>
<p>
<strong>APT Bonanza</strong>
</p>
<p>
The volume of persistent attacks directed at large corporations will continue to increase and the victims will continue to feel as though they have been specifically targeted. There will thus be a presumption of sophistication to successful penetrations, which will lead to more organizations concluding that they have been the victim of an APT &#8212; which, after more detailed analysis and external input, will increasingly be revealed as false claims.
</p>
<ul><li>More attacks will be labeled as APTs due to misunderstanding by the victims, or because of an implied "get out of jail" tactic when public disclosure of the breach is mandated by law.</li>
<li>External analysts and security firms will dedicate more time and resources to analyzing breaches that are disclosed as "APTs", and will be more vocal in correcting false claims.</li>
<li>A growing unease will be attributed to the "cry wolf" mentality of labeling breaches as APTs throughout the year.</li>
<li>Real APT attacks will increasingly be lost in the noise of falsely-claimed APTs, and the sophisticated attackers will be able to further obfuscate the intent of their attacks.</li></ul>
<p>
<strong>Mobile Malware threats will continue to be misunderstood</strong>
</p>
<p>
Mobile malware will divide into two streams &#8212; Smartphone malware and tablet crimeware. Both streams will be similarly unimpressive from a threat-sophistication perspective; however, their criminal intent will direct their evolutionary changes. Tablet crimeware will develop at a faster pace than Smartphone malware in 2012, as the opportunities to defraud potential victims on tablet systems grow more quickly.
</p>
<ul><li>The hype around mobile malware will continue to exceed the threat and the cybercriminals' capabilities in 2012 &#8212; but the cybercriminals and security researchers will strive to meet that hype.</li>
<li>As mobile systems become more usable for day-to-day financial transactions and online stores tune their shopping portals for larger-screened mobile devices, cybercriminals will increasingly target these platforms. This crimeware (and injection vectors) will be more "traditional" and a closer facsimile of current generation PC-based crimeware capabilities than many have projected in the past.</li>
<li>Smartphones, long seen as "the" mobile threat vector and with the longest history of malware abuse (e.g. Symbian-based malware and premium-rate fraud), will technically be susceptible to the same malware as that affecting tablet systems &#8212; but will not be the primary target of attack.</li>
<li>Cybercriminals that develop malware specifically for Smartphones will increasingly target the devices for propagation purposes &#8212; seeking to infect other (traditional) corporate systems and to breach corporate VPNs.</li>
<li>In the corporate realm, the Bring-Your-Own-Device (BYOD) consumerization of IT will entice cybercriminals that target enterprise networks to innovate new attack and propagation vectors. Throughout 2012 new vectors will be theorized and may be developed as proof-of-concept tools, but the hype will be bigger than reality because there are technical hurdles within the operating systems of the mobile devices that have yet to be overcome.</li>
<li>Security conferences of a Black Hat ilk throughout 2012 will uncover and illustrate new vectors that subvert the underlying mobile device operating systems, which will be leveraged in the 2013 timeframe for the targeted propagation of crimeware via BYOD.</li>
<li>The traditional invasive and "scary" mobile malware capabilities (e.g. eavesdropping on the victims calls, tracking the device owner, etc.) will not advance in 2012 and will continue to be potential capabilities rather than primary objectives for attackers.</li>
<li>The first generation of commercial "DIY" mobile crimeware construction and attack tools will be developed and sold by enterprising cybercriminals.</li>
<li>Large scale botnets will not exist on the mobile platforms in 2012. There will be several "proof-of-concept" botnet implementations and theoretical attacks but, from an overall global threat perspective, they will be insignificant.</li></ul>
<p>
<strong>Botnet takedowns will be ineffective</strong>
</p>
<p>
Despite a number of public and media-hyped botnet takedowns in 2011, and the prospect of increased takedowns in 2012, the overall impact on cyber-criminal operations will decrease. In response to the 2011 takedowns, cybercriminals will change some of their management tactics, further distribute their command-and-control (C&amp;C) infrastructure, and invest in improved and more diverse infection vector operations.
</p>
<ul><li>Professional criminals who build and monetize botnets will invest in more robust crimeware distribution technologies and services. The capability to infect 10,000+ computers per day will be more important than the marginal loss of 3-year old botnets with only a few hundred thousand infected devices.</li>
<li>Botnet C&amp;C infrastructure will continue to become more agile &#8212; flitting between domain names, IP addresses and physical locations at an increasing pace. In 2011 this agility was measured in weeks; by the end of 2012 it will be measured in hours.</li>
<li>Botnet operators will add more layers between themselves and their victims. In 2011 cybercriminals increasingly adopted the use of commercial anonymous VPN services to connect to their C&amp;C servers, and deployed C&amp;C proxies between the botnet victims and the real C&amp;C servers. In 2012 we can expect this trend to continue, and there is a high probability that multiple layers of C&amp;C proxies will be adopted to further protect the cybercriminals' C&amp;C investment.</li>
<li>Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the focus of legal botnet takedowns. In response, cybercriminals will in most cases reduce the noise of their botnets and will also further segment their botnets to ensure that the entire botnet is not lost in a single takedown operation.</li>
<li>Botnet takedown attempts will become more "risky" as the takedown entities become more comfortable with the process. Risk will be introduced as the entities pursue remote clean-up and remediation of victim devices.</li>
<li>"Good guy" botnet remediation services will become a commercial reality in 2012. As multiple security vendors and academic institutions focus upon the botnet menace they will uncover more vulnerabilities lying within the heart of both the botnet malware and the C&amp;C portal software. There will be growing pressure to exploit these vulnerabilities for the purpose of usurping control of the botnet from the cybercriminals' hands and to issue appropriate shutdown and uninstall commands directly from the compromised C&amp;C servers.</li></ul>
<p>
I wonder how many of these predictions will come to fruition? I guess we'll find out in 380 days.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2011-12-14T06:14:01-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category>
		</item>
		
		<item>
			<title>Greylisting Still Works &#45; Part II</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/greylisting_still_works_part_ii/</guid>
			<link>http://www.circleid.com/posts/greylisting_still_works_part_ii/</link>
			<description><![CDATA[<p>In my <a href="http://www.circleid.com/posts/greylisting_still_works_part_i/">last post</a> I blogged about greylisting, a well-known anti-spam technique for rejecting spam sent by botnets. When a mail server receives an attempt to deliver mail from an IP address that's never sent mail before, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail senders always retry; badly written spamware often doesn't. I found that even though everyone knows about greylisting, about 2/3 of IPs don't successfully retry.
</p>
<p>
Another theory about greylisting is that if you defer mail from a new IP, by the time the sender retries, if it's sending spam it'll have hit spamtraps and been added to blacklists. I recently realized that I have enough log data to check that theory, so I collected some statistics for the past week, which is as long as I keep logs about mail connections from blacklisted hosts. The IPs I greylisted broke down like this:
</p>
<p>
<table border="0" cellspacing="0" cellpadding="0" class="postTable" style="margin:0 auto;"><tr><td></td><td><strong>Count</strong></td><td><strong>Percent</strong></td></tr><tr><td>No retry</td><td align="right">3,803</td><td align="right">35.8%</td></tr><tr><td>Retry too soon</td><td align="right">3,345</td><td align="right">31.5%</td></tr><tr><td>One retry</td><td align="right">1,183</td><td align="right">11.1%</td></tr><tr><td>More than one message</td><td align="right">1,635</td><td align="right">15.4%</td></tr><tr><td>Blacklisted</td><td align="right">561</td><td align="right">5.3%</td></tr><tr><td>Retried, blacklisted later</td><td align="right">89</td><td align="right">0.8%</td></tr><tr><td>Total</td><td align="right">10,616</td><td align="right">100.0%</td></tr></table><br />
</p>
<p>
No retry and Retry too soon are senders that greylisting kept from sending anything: again, about 2/3 of the total. (My greylister requires that the sender wait at least a minute, since some spamware sends several messages a few seconds apart.)
</p>
<p>
The next two are senders that retried successfully and sent one message, or more than one message. (If a sender retries too soon, then retries again after more than a minute, it's counted in one of those two categories.) Blacklisted means that when the IP retried, the IP was on one of the blacklists I use, in nearly all cases Spamhaus Zen. The last line is IPs that retried successfully but were blacklisted when they tried to send other messages later.
</p>
<p>
The 5.3% for Blacklisted probably overstates how much mail was caught by waiting to see if an IP was blacklisted. My logs don't say whether the delivery attempt that was blacklisted was trying to deliver a message with the same To and From addresses, in which case it would have been delivered, or a different message, in which case it would just have been greylisted again. Spot checking shows IPs that were greylisted repeatedly, before appearing in a blacklist, which suggests that they were sending different messages.
</p>
<p>
Also, the few IPs that were blacklisted later were generally blacklisted much later, hours or days afterwards, far longer than any reasonable greylisting strategy would force mail to wait.
</p>
<p>
So greylisting still works, but it's almost entirely because spamware doesn't retry, not because it gets blacklisted.
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2011-12-09T12:54:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Greylisting Still Works &#45; Part I</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/greylisting_still_works_part_i/</guid>
			<link>http://www.circleid.com/posts/greylisting_still_works_part_i/</link>
			<description><![CDATA[<p>Greylisting is a hoary technique for rejecting spam sent by botnets and other poorly written spamware. When a mail server receives an attempt to deliver mail from a hitherto unseen sending host IP address, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail software does try again, at which point you note that the host knows how to retry and you don't greylist mail from that IP again. The theory is that spamware doesn't retry, so you won't get that spam. I wrote a paper on it for the 2005 CEAS conference, and concluded that conservative greylisters worked well.
</p>
<p>
We've now been using greylisting for close to a decade, and some people have argued that it's no longer useful, since the bad guys could easily fix their spamware to retry, or since bots are so cheap, they could just send everything twice. So does it still work?
</p>
<p>
I recently went through my greylister's logs and collected some statistics for both a recent week, and the past year, about hosts that I greylisted:
</p>
<p>
<table border="0" cellspacing="0" cellpadding="0" class="postTable" style="margin:0 auto;"><tr><td></td><td><strong>Week</strong></td><td><strong>Year</strong></td></tr><tr><td>No retry</td><td align="right">12,121</td><td align="right">294,812</td></tr><tr><td>One retry</td><td align="right">7,456</td><td align="right">62,402</td></tr><tr><td>Many messages</td><td align="right">4,956</td><td align="right">74,590</td></tr></table><br />
</p>
<p>
The first row is the number of hosts that got a soft fail and never came back. The second row is the number that retried the message that failed, but never sent anything again, and the third row is the number that retried and sent more messages after that.
</p>
<p>
As you can see, for the week, about half of the greylisted hosts didn't retry, and over a year, about 2/3 didn't. That's still a lot of mail my mail server didn't have to filter. I attribute the different ratios to the shutdown of several botnets over the past year, evidently botnets that didn't retry.
</p>
<p>
So it's certainly not a magic bullet (what is?) but greylisting still is an effective way to deter a lot of spam cheaply.
</p>
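<p>The mechanism described in this post, and the per-IP breakdown in <a href="http://www.circleid.com/posts/greylisting_still_works_part_ii/">Part II</a> (no retry, retry too soon, one retry, more than one message, blacklisted, retried but blacklisted later), as an added example that is not Levine's greylister and not code from either post. Assumptions: the greylist key is the (IP, sender, recipient) triplet; the minimum retry wait is the one-minute figure from Part II; the blacklist is modelled as a listing time per IP so that a host can pass greylisting and be listed afterwards; the delivery log and listing times are constructed.</p>

```python
"""Greylister plus the per-IP breakdown used in the two "Greylisting Still Works" posts.

Added example, not John Levine's code. Assumptions: the greylist key is the
(IP, sender, recipient) triplet; the minimum retry wait is 60 s (Part II);
the blacklist is modelled as ip -> time it was listed, so an IP can pass
greylisting and be listed later; the log and listing times are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_RETRY_WAIT = 60  # seconds; Part II: the sender must wait at least a minute


@dataclass
class Greylister:
    blacklist: dict                       # ip -> time (s) at which the IP was listed
    min_wait: int = MIN_RETRY_WAIT
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed_ips: set = field(default_factory=set)     # IPs that retried correctly once
    events: dict = field(default_factory=lambda: defaultdict(list))  # ip -> outcomes

    def is_listed(self, ip, t):
        return self.blacklist.get(ip, float("inf")) <= t

    def attempt(self, t, ip, sender, rcpt):
        """Decide one delivery attempt; returns the SMTP reply the server would give."""
        if self.is_listed(ip, t):
            self.events[ip].append("blacklisted")
            return "550 listed"
        if ip in self.passed_ips:                     # host already proved it retries
            self.events[ip].append("accepted")
            return "250 OK"
        key = (ip, sender, rcpt)
        if key not in self.first_seen:                # first contact: soft fail
            self.first_seen[key] = t
            self.events[ip].append("greylisted")
            return "451 try again later"
        if t - self.first_seen[key] < self.min_wait:  # retried, but too fast
            self.events[ip].append("too_soon")
            return "451 try again later"
        self.passed_ips.add(ip)                       # proper retry: accept and whitelist IP
        self.events[ip].append("accepted")
        return "250 OK"

    def classify(self, ip):
        """Bucket one greylisted IP the way the Part II table does."""
        ev = self.events[ip]
        if "accepted" in ev:
            if "blacklisted" in ev:
                return "retried, blacklisted later"
            return "one retry" if ev.count("accepted") == 1 else "more than one message"
        if "blacklisted" in ev:
            return "blacklisted"          # listed by the time it retried
        if "too_soon" in ev:
            return "retry too soon"
        return "no retry"

    def table(self):
        """Counts per bucket over IPs that were actually greylisted at least once."""
        counts = defaultdict(int)
        for ip, ev in self.events.items():
            if "greylisted" in ev:
                counts[self.classify(ip)] += 1
        return dict(counts)

    def blocked_share(self):
        """Fraction of greylisted IPs that never delivered anything (no retry + retry too soon)."""
        t = self.table()
        total = sum(t.values())
        return (t.get("no retry", 0) + t.get("retry too soon", 0)) / total if total else 0.0


# Constructed sample log: (seconds, sending IP, envelope from, envelope to).
SAMPLE_LOG = [
    (0,    "198.51.100.10", "a@example.org", "me@example.net"),  # never comes back
    (0,    "198.51.100.11", "b@example.org", "me@example.net"),
    (5,    "198.51.100.11", "b@example.org", "me@example.net"),  # retries after 5 s: too soon
    (0,    "198.51.100.12", "c@example.org", "me@example.net"),
    (300,  "198.51.100.12", "c@example.org", "me@example.net"),  # proper retry, one message
    (0,    "198.51.100.13", "d@example.org", "me@example.net"),
    (600,  "198.51.100.13", "d@example.org", "me@example.net"),
    (900,  "198.51.100.13", "d@example.org", "you@example.net"), # new triplet, IP already passed
    (0,    "198.51.100.14", "e@example.org", "me@example.net"),
    (400,  "198.51.100.14", "e@example.org", "me@example.net"),  # listed at t=200: rejected on retry
    (0,    "198.51.100.15", "f@example.org", "me@example.net"),
    (300,  "198.51.100.15", "f@example.org", "me@example.net"),  # passes ...
    (7200, "198.51.100.15", "f@example.org", "me@example.net"),  # ... then listed at t=3600
]
BLACKLIST = {"198.51.100.14": 200, "198.51.100.15": 3600}  # constructed listing times


def run(log=SAMPLE_LOG, blacklist=BLACKLIST):
    """Replay a log through the greylister; returns (greylister, per-attempt replies)."""
    g = Greylister(dict(blacklist))
    replies = [g.attempt(*entry) for entry in log]
    return g, replies


if __name__ == "__main__":
    g, replies = run()
    for entry, reply in zip(SAMPLE_LOG, replies):
        print(entry[0], entry[1], reply)
    for bucket, n in g.table().items():
        print(f"{bucket:28s} {n}")
    print(f"blocked share: {g.blocked_share():.1%}")
```

<p>The blacklist check runs on every attempt, so an IP that is already listed on first contact is rejected outright and never appears in the greylist table, which is how the Part II counts are scoped; the "retried, blacklisted later" bucket only fills when the listing time falls after a successful retry.</p>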
<p>
Next, <a href="http://www.circleid.com/posts/greylisting_still_works_part_ii/">Greylisting Still Works - Part II</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2011-12-09T12:53:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Security, Privacy Issues and USB Drives</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111208_security_and_privacy_issues_and_usb_drives/</guid>
			<link>http://www.circleid.com/posts/20111208_security_and_privacy_issues_and_usb_drives/</link>
			<description><![CDATA[<p>In an <a href="http://www.cso.com.au/mediareleases/13432/malware-uncovered-on-66-of-usb-keys-lost-on/">article</a> on CSO.com.au, a report from Sophos Australia is discussed. The anti-virus company had bought 50 USB drives for analysis at a public-transport auction of devices left on Sydney trains. When they wrote that 66% were infected with malware, I presumed that the drives had been left behind deliberately, but were they?
</p>
<p>
<strong>Loss of privacy sensitive data</strong>
</p>
<p>
No, apparently not. The article was mainly about privacy issues: people are unaware of the risks they run when they do not secure their devices. The article gives a summary of the content lost this way. Yes, this is a very important issue. We have heard about great losses of privacy-sensitive data and military secrets on devices (and discs) in the recent past. Cyber awareness, and the sense that privacy is a serious issue in cyber space, is still at a low ebb with a lot of people.
</p>
<p>
<strong>But what if?</strong>
</p>
<p>
The article gave rise to some reflection on my part.
</p>
<p>
<em>1. The amount of malware on the USB drives</em>
<br />
a. Was it already in place when the drives were bought, or
<br />
b. Is it a clear sign of how many PCs/laptops are infected?
</p>
<p>
<em>2. Spreading USB drives as a source of infections</em>
<br />
With the price of USB drives as low as it is, this is a way to infect other devices quickly, whether through infection at the manufacturer or by distributing some devices on trains and in other public places.
</p>
<p>
<strong>Mandatory pre-checks. A solution?</strong>
</p>
<p>
What about requiring, by law, information on how USB devices (external hard disks, etc.) can be checked before use, combined with the devices not working until the mandatory check has been done? Is this feasible or technically possible? It's worth considering if society wants to be more secure.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2011-12-08T07:50:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>law</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>FBI Warns of Cyberattacks Against Banks &#45; Aided by Variant of Zeus Trojan Called &apos;Gameover&apos;</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</guid>
			<link>http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</link>
			<description><![CDATA[<p>"The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called 'Gameover.'"
</p><p><strong>Read full story:</strong> <a href="http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/">Krebs on Security</a></p>]]></description>
			<dc:date>2011-12-01T15:36:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Brazil: The Newest Up and Comer</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111123_brazil_the_newest_up_and_comer/</guid>
			<link>http://www.circleid.com/posts/20111123_brazil_the_newest_up_and_comer/</link>
			<description><![CDATA[<p>The <a href="http://www.virusbtn.com/">Virus Bulletin Conference</a> last month had some good presentations, including <a href="http://www.virusbtn.com/conference/vb2011/abstracts/Assolini.xml">this</a> one by Fabio Assolini of Kaspersky. He spoke about how Brazil is the newest up-and-comer on the cyber crime block.
</p>
<p>
The tale begins with the story of Igor and Emily, two cyber criminals operating out of Brazil. Together, the two of them stole $300,000 US from a single Brazilian bank in one year. They hopped around from city to city, never staying in one place too long. They lived the good life by charging it all on stolen credit cards. The thing of it is, they were caught by the police three times&#8230; and released three times. For you see, in Brazil, there is no specific law that criminalizes their offences.
</p>
<p>
How big of a problem is Brazilian cyber crime? Well, consider the following:
</p>
<ul><li>36% of the banking trojans circulating worldwide originated in Brazil.</li>
<li>95% of all malware made in Brazil is banking trojans.</li>
<li>In 2010, $900 million was stolen from Brazilian banks, and in the first half of 2011, $685 million was stolen.</li></ul>
<p>
Malware created in Brazil is different from malware in other parts of the world. Brazilian spam does not use malicious PDFs, and the malware is not built from kits like Zeus or SpyEye. It is all created locally and designed to target Brazilian users.
</p>
<p>
How do they do this? If you are a user inside Brazil and you click the link or open the attachment, the phishing page loads or the file is downloaded. If you are outside Brazil, you get an HTTP 404 error or a picture of girls in bikinis. The authors of the malware are only interested in targeting people inside Brazil. This resembles APTs in that the attacks are customized, but differs from APTs in that the profit motive is clear.
</p>
<p>
Brazilian malware bypasses anti-malware software with creativity: obfuscated scripts, command-and-control run through malicious Twitter accounts, and 64-bit rootkits.
</p>
<p>
They also run spear phishing attacks. One time, they exploited a flaw in the Brazilian Ministry of Labor's website and accessed all of the data it held. They then crafted phishing messages using people's actual data &#8212; their mother's name, father's name, social security number, and so forth. Clearly, Brazilian phishers mean business.
</p>
<p>
Why do they get away with this?
</p>
<ol><li>As I said in the opening paragraph, in Brazil there is no specific law that outlaws what these people are doing. Having malware source code on your machine is not illegal; it's not considered a crime.</li>
<li>Just like any other place in the world, having good (expensive) lawyers can get you off even if you are charged with a crime. Due to the money that some of these guys have, they can afford the legal fees.</li>
<li>Even if you are convicted of a crime, sentencing is light. For citizens, prison sentences are only two years.</li>
<li>Finally, the law that is applied when fighting cybercrime was approved in the 1940s. This leaves a very gray area for people to operate in.</li></ol>
<p>
I've known for a long time that Brazilian spam is a problem, but I didn't realize how narrowly they target their audience. This is in contrast to eastern European spammers, who go after people outside their own country.
</p><p><em>Written by <a href="http://www.circleid.com/members/2859/">Terry Zink</a>, Program Manager</em></p>]]></description>
			<dc:date>2011-11-23T16:12:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>law</category><category>malware</category><category>security</category>
		</item>
		
	</channel>
</rss>
