Threat Management, Incident Response, TDR, Vulnerability Management

Malware purposely not infecting machines in certain countries

Malware authors are adopting a new technique to avoid getting caught.

Recently, two malware families -- Swizzor and Conficker -- stopped infecting machines in countries out of which the authors were operating, so not to attract law enforcement, Pierre-Marc Bureau, senior researcher at ESET, told SCMagazineUS.com on Friday. If a cybercriminals targets users outside of their country, it's harder for authorities to respond, he said.

The Swizzor malware has been around for about two years but only recently stopped infecting Russian machines by identifying the language of a user's operating system, Bureau said. Users running a Russian version of Windows will not be infected.

The fact that the trojan is now avoiding Russian targets reveals some clues about the cybercriminals behind the Swizzor malware, Bureau said. The individuals likely have servers located there and perhaps are conducting other operations, such as money laundering.

Meanwhile, the earliest variants of the rapidly spreading Conficker virus, which exploits a patched Windows Server Service vulnerability, was avoiding Ukraine targets. The malware was able to detect the keyboard layout.

However, the latest variant of Conficker -- responsible for infecting millions of machines this week, according to F-Secure -- is not choosing which victims to infect.

Still, big malware families are adopting this technique to avoid bringing attention on themselves, Bureau said.

“We have not seen this before a couple of months ago,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.