Can foreign antivirus match Asian threats?

Western antivirus software is not always effective when it comes to tackling Asian-based malware, according to some industry watchers.

The volume of malware written in or specifically for Asia is still not significant, but some observers say non-Asian antivirus programs sometimes experience difficulty picking out threats to regional or local applications.

According to Symantec's Internet Security Threat Report Vol. XIII, which tracked global Internet threat activity between July and December last year, the majority of malware activity worldwide is still derived from Western countries. The United States accounts for 31 percent of malware tracked by the security vendor, while China at 7 percent is a distant second in terms of contribution.

A Singapore-based data backup and system recovery specialist, who declined to be named, told ZDNet Asia in a phone interview that a customer in the healthcare industry sought his help after experiencing virus attacks that disabled its systems. According to him, the organization was using a non-Asian brand of antivirus software that was not effective in handling Asian threats.

The consultant added that during his stint at a global security company, he had come across laboratory tests in which non-Asian antivirus failed to detect malware with a regional or local context.

Anthony Ung, Trend Micro's enterprise product marketing manager for the Asia-Pacific region, also noted in an e-mail interview that there is some malware that "non-Asian antivirus software would have trouble dealing with", such as Trojans that exploit vulnerabilities in a popular Japanese word-processing application called Ichitaro.

"Non-Asian antivirus might not immediately identify such Trojans that attack region or country-specific applications because they might not be aware of those applications," he explained.

Ung added that there are many known Asia-based hackers and virus authors, including groups in China, India, Indonesia and the Philippines. For example, threats such as Nachi and the I Love You worm were traced back to China and the Philippines, respectively.

"Trend Micro has been aware of this trend for almost a decade now and has strengthened its malware research in Asia by having its base of operations and R&D in Taiwan and the Philippines, and also by creating specialized groups that deal with local threats such as the Japan and APAC-Regional TrendLabs."

Andrew Walls, research director for security, risk and privacy at Gartner, said, however, that malicious code "does not respect geographic boundaries". Major suppliers of antivirus software and endpoint protection technology have a "consistent track record of updating signatures and filter mechanisms" to detect malware, even malware that originates from Asia or targets organizations in the region, he added in an e-mail.

"Each of the major vendors maintains a network of malware collectors [or] honeypots to capture viruses and worms," said Walls. "These collectors are distributed globally--both physically and logically--to make sure that malware is picked up quickly, regardless of its point of origin or intended target."

Terming the issue a "distraction", Walls noted that local vendors have in the past attempted to create fear, uncertainty and doubt in the minds of clients. According to him, even though it is possible to craft a piece of malware to target a specific computer, network, domain name or organization, such activity is rare and typically relies on virus toolkits that share code with many other viruses. "This use of shared codes means that the new virus variants are rapidly identified as variants and blocked.

"If we assume that geography has some impact on virus construction and deployment, this would imply that local and regional solutions providers would be less effective than global vendors at blocking malware as the vast bulk of malware is generated from a wide variety of locations or regions," he pointed out.

Alvin Ow, Symantec's senior director of technical and systems engineering in Asia-Pacific and Japan, reported in an e-mail that Symantec has "not observed any advantage" regional vendors might have over the company, in competitive and third-party testing.

"Symantec is a global company and has research and response centers all over the world, including China, Taiwan, Japan, Australia and India," he said. "We employ top technical talent locally and tailor our products to meet regional requirements.