One Internet, Many Worlds
By Joe Telafici, Vice President of Operations, McAfee Avert Labs
A couple of years ago I came to the conclusion that tracking country of origin or destination of a malware attack had no real predictive or prescriptive value. This perception was engendered by a few fairly recent (at that time) occurrences:
- Mass-mailers proved that you could infect the entire Internet in a matter of minutes.
- Malware writers stopped including useful clues about their malware's origins.
- The primary motivation for malware was ego: The more machines infected, the more fame.
Contrast this to the situation in the mid-1990s, when threats started in one part of the world and took weeks to reach other parts. However, in 2002 through 2004, threats such as SQLSlammer and Blaster hit virtually the entire planet in the space of only a few minutes to a few hours. For a while, it seemed like the global dominance of Microsoft Windows as a platform, the explosion of broadband usage throughout the world, the ease of finding vulnerabilities, and the application of social-engineering techniques would ensure that no one connected to the Internet was safe for very long from any threat.
During this period, a trend began that, frankly, the anti-virus community as a whole failed to notice in its early stages. An explosion of malware occurred that was larger in scale, but smaller in breadth, than anything seen to date. Bots, password stealers, and other static malware began to appear at alarming rates. Unlike the replicating viruses that characterized the last flurry in what I call the "digital graffiti" stage of malware development, these threats almost never rose to a global level for a variety of reasons—the main one being that these authors were not interested in drawing attention from the law enforcement community.
Whether as a side effect, symptom, or cause of this low-and-slow paradigm shift, malware has become more regional or localized in nature during the last two to three years, for the following reasons:
- Better social engineering is now required for seeding attempts and to lure people to drive-by sites, phishing sites, or hosted malware. Egregious typos made by nonnative speakers are too obvious today.
- More vulnerabilities are found now in more obscure software, including in some localized software, due to the increase in vulnerability bounties, both from security vendors and from attackers.
- Malware authors show increased interest in limiting the sources of attacks to countries where law enforcement is likely to be lax.
- Malware authors are fond of attacking niche markets, whether to exploit a particular resource or to avoid law enforcement.
Although we can’t ignore the motivations of the malware authors in focusing attacks, this activity takes place in a global environment that is quite different from that of even a few years ago. Political, economic, and social forces shape everything and have contributed to a whole underground economy and market whose diversification, breadth, and scope are larger than ever before.
One of the most significant factors increasing the possibilities for attackers is the growth in global broadband penetration. With broadband computers connected full-time to the Internet, the opportunity to attack systems in real time and to use spare bandwidth capacity on compromised machines for further attacks is a resource too tempting to ignore. The expansion and diversification of the role of computers in modern society likewise contribute to expanded opportunities for those seeking to capitalize on cybercrime.
From staggering growth in cell phone usage, to online banking, online gaming, and ecommerce in general, there are enough money, vectors, and targets to ensure that the unscrupulous have plenty to keep them busy. In this issue, my colleague Jeff Green has written a great article drilling down into country-specific threats, so be sure to check it out.
To some degree, cybercrime is a natural extension of what is probably among the world’s oldest professions: theft. And it may not merely be the criminals getting in on the act. As the recent and ongoing distributed denial-of-service attack on Estonia’s infrastructure demonstrates, political "hacktivists" may have an increasing interest in the Internet as a battlefield or potential theater. Whether nation states or military organizations have a similar interest is an unknown, though likely, assumption. (See McAfee CTO Christopher Bolin’s thoughts on cyber espionage.)
Need for better global coordination
Here at McAfee® Avert® Labs, we work with a variety of law enforcement agencies in countries all over the world, and it is apparent to us that the legislative, financial, and technical resources available to crime-fighters in different parts of the world can be like night and day. And because it is rare for an attack to start, travel through, and end in the same country, this impacts our ability to impede or stop malware authors and crackers even when it is dead obvious who is involved. This inability to coordinate internationally is one of the largest factors contributing to the low-risk environment that characterizes cybercrime today.
A complete version of this article appears in the latest issue of SAGE.