Home > Malware, Stats > Malware-friendly countries

Malware-friendly countries

May 22nd, 2007

Recently there have been some studies regarding Internet hosting providers which are often used maliciously to distribute malware.

As this is an interesting subject we've been tracking quite a few thousand malware samples received over the last few months at PandaLabs in order to extract (using unpacking and emulation techniques) any URLs pointing to additional malicious software. It is important to note that most of these URLs are hidden inside existing malware (downloaders, bots, trojans, etc.) in order to download additional malware from the Internet. This is becoming a common technique by malware writers. To evade AV detection they simply change the malware binary hosted on the server, in some cases automatically re-compiling the malicious code every couple of hours to evade signature-based detections.

Some basic stats on the study:

Unique malicious URLs:
Unique hostnames:
Not resolving: 101

We processed the URLs through a hostname-to-country script and these are the results.

One interesting thing that pops to mind looking at the data is how malware is being designed for redundancy; each malicious binary has an average 2.58 URLs encoded in it, pointing to different locations. The most redundant sample was hiding 49 different URL locations for downloading new malware updates. This shows a trend in evading take-down efforts of compromised or maliciously exploited servers.

The other interesting conclusion is that over 60% of malicious code is hosted in servers located in China, Russia, Korea and Brazil. I recall some discussions a few years back when the whole phishing movement started to show up about how certain US companies and ISPs considered blocking access to certain eastern European and Asian countries. Think about it, if your company doesn't do any business with these countries and they're the biggest source of malware, could blocking access to entire countries be considered a "proactive" security measure? Would a "block xyz country" functionality be valued in gateway filtering products?

Lastly, the US is still the second largest malware-hosting country. I recall similar studies reaching similar results, so this can be clearly an interesting area for closer cooperation between the industry and law-enforcement agencies.


Categories: Malware, Stats Tags:
  1. Pedro Bustamante
    May 22nd, 2007 at 17:10 | #1

    Right after publishing this post I see Google’s anti-malware blog entry with a similar study and extremely similar results:
    “we analyzed the location of compromised web sites and the location of malware distribution hosts. At the moment, the majority of malware activity seems to happen in China, the U.S., Germany and Russia”
    More here:

  2. Pedro Bustamante
    May 23rd, 2007 at 05:09 | #2

    Yes,I think the viewpoint is not correct,to block these countries is useful?The answer is not confirmed.But i know one thing is very very important and must be correct that all av companies should set up virus lab in the top malware countries.
    The point is not TO BLOCK but TO DISCOVER.

Comments are closed.