Tuesday, 14 August 2007

Malware all over the world

An interesting little post at McAfee's Avert Labs Blog notes that researchers have detected malware that downloads a different file onto victims' PCs depending on which country they are located in. This could cause problems for anti-virus companies and even those who test anti-virus software.

Why is this important? For one, it makes things more complicated for security companies, who try to stay up to date with the latest threats. It's already known that some sites provide freshly generated malware on a regular basis, sometimes creating a new variant within minutes, or even for every download.

Anti-virus companies need to gain access to samples of bad programs so that they can create signature files, which then allow their products to recognise the virus should a customer encounter one. They get samples of malware in a variety of ways, often by scanning email and websites, and by receiving files from customers. But if the company is small and does not have customers and malware collection systems in different countries, then it could miss out on the latest threats.

Let's say that company X's customers are based mainly in South East Asia, which is also where the company's data collection operation works from. By and large this arrangement will work out, because both the company and its customers will be exposed to malware customised to the Asian 'market'. With any luck, the variants will be similar enough for the company to create a generic signature.

However, when a customer travels to Europe (where company X does little business and has no data collection servers) he or she may visit the very same malicious websites but will receive a different file, one that has been designated for European victims. Unless this file is very similar to the Asian version, there is a high risk that the anti-virus software will fail to recognise it. That is, unless the product in question can recognise the original malware downloader or the new, downloaded malware's behaviour.

This method of spreading malware variants is not the most important development ever, because large companies have the resources and global customer base to detect geographically targeted malware. However, there is a chance that an anti-virus product could work perfectly well in one country but become less accurate in another.

For anti-virus testers this raises an interesting question: where do you download your malware from? Results from a test based in Germany, where all the samples have been downloaded from a German-located server, may be different to exactly the same test when run with samples downloaded from the same malware-loaded sites using computers based in the US or even the UK.
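To make the tester's problem concrete, here is an added example (not code from the McAfee post or from any testing lab) that takes what a multi-country collector might record for one malicious URL, checks whether the served file differs by country, and builds the kind of geographic detection label the post asks about. The country codes, payload bytes and detection flags are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed records for one malicious URL, as a collector with downloaders in
# several countries might log them: the bytes that were served to each vantage
# point and whether the anti-virus product under test flagged that file.
# Every value here is made up for the example.
SAMPLES = {
    "DE": {"payload": b"dropper-variant-eu",   "detected": False},
    "UK": {"payload": b"dropper-variant-eu",   "detected": False},
    "US": {"payload": b"dropper-variant-na",   "detected": True},
    "SG": {"payload": b"dropper-variant-asia", "detected": True},
    "TH": {"payload": b"dropper-variant-asia", "detected": True},
}


def sha256_hex(data: bytes) -> str:
    """Identify a served file by its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def group_by_payload(samples):
    """Map each distinct file (by hash) to the set of countries that received it."""
    groups = defaultdict(set)
    for country, rec in samples.items():
        groups[sha256_hex(rec["payload"])].add(country)
    return dict(groups)


def is_geo_targeted(samples) -> bool:
    """True when the same URL handed out more than one distinct file across countries."""
    return len(group_by_payload(samples)) > 1


def detection_label(samples) -> str:
    """Per-country detection rate, listing where the product caught the served file
    and where it missed, so a single global percentage cannot hide regional gaps."""
    if not samples:
        return "no samples collected"
    hit = sorted(c for c, r in samples.items() if r["detected"])
    miss = sorted(c for c, r in samples.items() if not r["detected"])
    rate = 100 * len(hit) // len(samples)
    return f"{rate} per cent detection ({', '.join(hit)}); missed in ({', '.join(miss)})"


if __name__ == "__main__":
    print("geo-targeted:", is_geo_targeted(SAMPLES))
    print(detection_label(SAMPLES))
```

A product that scored 100 per cent on samples fetched only from Asia would show up here as missing the European file entirely.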

Does this mean that anti-virus tests will now need a geographic label such as, "100 per cent detection (North America, South Africa, Iceland)"?