UnsafeBits

Antivirus' Multiengine Mess

Using more than one antivirus engine helps users detect threats faster, but the legality of using another company's scanner is questionable.

Robert Lemos 08/21/2009

When Immunet announced its new product, called Immunet Protect, earlier this week, a core advantage of it was going to be that if a group of users ran a collection of different antivirus software, the Protect metaengine could use those products' threat alerts to inform its own population.

"Immunet Protect provides protection by harnessing the collective wisdom of the security products that you already run, as well as knowledge on the applications installed across Immunet's entire user population," the company states in its press release on the technology. "Immunet Protect collects security judgments on what is, and what is not safe from its community. These aggregated judgments are coalesced in the cloud, and, if they are sound, made available to the rest of the Immunet Community immediately."

Yet, by Wednesday, the company had decided not to include that attribute in the program.

"One of the more controversial [attributes] was whether or not a file [could be] detected by another [antivirus] product," Oliver Friedrichs, CEO of Immunet, wrote in an e-mail on Thursday. "After considering the implications, we have decided to not do this moving forward."

The idea posed a problem because companies that want to use the results of multiple antivirus engines to protect their users typically are required to license those engines. Using the results of another antivirus engine's scan on a user's computer could have been seen as a copyright infringement of the rival's signature databases.

In some cases, however, the industry apparently looks the other way. Antivirus firms frequently exchange the threats that they have identified as a way to protect the general population against mass outbreaks, says Pedro Bustamante, senior research adviser with Panda Security. Moreover, many antivirus firms use computers that run rivals' antivirus software to act as canaries and detect threats that the firms might have missed. Then the firm's analysts take apart the flagged file to see if it's actually malicious.

"It's the industry's dirty little secret," Bustamante says. "We are all doing the same thing in terms of using competitors' products to add detections to our products. When one group sees a threat, other people will quickly add the detection."

Doing so only makes sense.

In a research paper published by three University of Michigan researchers, 10 major antivirus programs were tested against a collection of malicious code. Even the best antivirus engine could only initially detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.

Where one engine fails, multiple engines can succeed, says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper.

Scanning potential malicious software with two or more engines improves accuracy dramatically. (Source: Oberheide et al.)

"Combining the intelligence of multiple antivirus engines can result in significant gains in detection coverage of globally scoped malware," he says.

In the paper, Oberheide and his colleagues found that any single engine detects 40 to 80 percent of viruses in the first week. Using more than one antivirus engine to scan the same program increases the detection rate to between 75 and 95 percent in the first week. The University of Michigan researchers call the technique n-version protection.
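To make the n-version idea concrete, here is a small added example (not code from the article or from the Oberheide et al. paper) that aggregates per-engine verdicts and measures how coverage changes as engines are combined. The engine names and the detection matrix are constructed for illustration; the "at least k of n engines" rule is the general form of which the article's "any engine flags it" case is the threshold-1 instance.

```python
"""Added example, not from the article or the Oberheide et al. paper:
simulate "n-version protection" by combining the verdicts of several
antivirus engines. A file counts as detected when at least `threshold`
of the chosen engines flag it. All engine names and verdicts below are
constructed for illustration."""
from itertools import combinations

# Constructed sample set: 10 malicious files scanned by 4 hypothetical engines.
# True = the engine detected the file, False = it missed the file.
VERDICTS = {
    "engine_a": [True, True, False, True, False, True, True, False, True, False],
    "engine_b": [False, True, True, True, False, False, True, True, False, False],
    "engine_c": [True, False, True, False, True, False, False, True, True, False],
    "engine_d": [False, False, False, True, True, True, False, False, True, True],
}


def single_engine_coverage(verdicts):
    """Fraction of the sample set each engine detects on its own."""
    return {name: sum(hits) / len(hits) for name, hits in verdicts.items()}


def n_version_coverage(verdicts, engines, threshold=1):
    """Fraction of samples flagged by at least `threshold` of `engines`.

    threshold=1 is the union rule the article describes (any engine's
    alert counts). A higher threshold is a voting rule: it gives up some
    coverage in exchange for not trusting one noisy engine on its own.
    """
    n_samples = len(next(iter(verdicts.values())))
    detected = 0
    for i in range(n_samples):
        votes = sum(1 for engine in engines if verdicts[engine][i])
        if votes >= threshold:
            detected += 1
    return detected / n_samples


def best_combination(verdicts, size, threshold=1):
    """Best coverage reachable with `size` engines, and which engines give it.

    Brute force over all combinations; fine for the handful of engines a
    vendor could realistically license.
    """
    best = max(
        combinations(verdicts, size),
        key=lambda combo: n_version_coverage(verdicts, combo, threshold),
    )
    return tuple(best), n_version_coverage(verdicts, best, threshold)


if __name__ == "__main__":
    print("single engines:", single_engine_coverage(VERDICTS))
    for size in (2, 3, 4):
        combo, cov = best_combination(VERDICTS, size)
        print(f"best {size}-engine union: {cov:.0%} using {combo}")
    all_engines = list(VERDICTS)
    print("all four, majority vote (>=2):",
          n_version_coverage(VERDICTS, all_engines, threshold=2))
```

On this constructed data the best single engine detects 60 percent, the best pair 90 percent, and the union of all four reaches 100 percent, which is the shape of the gain the paper reports; raising the vote threshold shows the coverage cost of demanding agreement between engines.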

While the technique could help companies recognize threats faster, licensing three or four engines per user would be prohibitively expensive. So, for now, automated detection based on multiple antivirus scanners seems to be a dead end.

Different Countries, Different Scams

Microsoft finds that the Trojans and viruses spreading around China and Brazil differ from those in the rest of the world.

Robert Lemos 08/19/2009

Data released by Microsoft last week underscores the fact that the information criminals choose to steal varies from country to country. China's online criminals focus on stealing the digital keys to popular online games, for example, while Brazil's data thieves prefer grabbing victims' bank account information.

In a blog post published on August 10, Microsoft program manager Scott Wu compared the worldwide malicious software trends to those of China and Brazil. Worldwide, the four most prevalent malicious programs, a list that closely follows the United States and European markets, are three fake security software programs and a downloader that installs fake security software. However, in China, four of the top five threats are password stealers for online games, and in Brazil, three of the top four threats are Trojans that steal the usernames and passwords for online bank accounts.

Microsoft expects the trend to continue. "As the malware ecosystem [has become] more reliant on social engineering, threats worldwide have become more dependent on language and cultural factors," Microsoft said in an e-mail response to questions regarding the blog post. "In China, several malicious browser modifiers are prevalent. In Brazil, malware that targets users of online banks is widespread. And in Korea, viruses are common."

While legal policy has not quite caught up with rogue security software in the United States, Microsoft says that social engineering, not legal loopholes, is what determines the threat trends.

"Most likely, the threat landscape varies more because of the possibility of returns," says Microsoft. "Rogue security software purveyors will likely focus on the regions where people are more willing and likely to pay (with a credit card) for what they think is legitimate security software."

A comparison between the malicious software prevalent on compromised computers in Brazil and China and those worldwide. (Source: Microsoft)

Most purveyors of such programs are pursued with a civil lawsuit by the Federal Trade Commission (FTC), not with criminal prosecution. For example, last year, the FTC won a $1.9 million judgment against Innovative Marketing, which sold more than 1 million copies of fake security software for at least $39.95 each.

Only one of the most prevalent threats in Brazil and China, a program called Frethog, is also common worldwide. The software steals passwords for popular games and ranks second in China, fifth in Brazil and eighth worldwide, according to Microsoft's data.

Another password stealer, called Taterf, is on the top 10 list both in Brazil and worldwide. It steals credentials for popular online games such as World of Warcraft and Lineage and ranks second on the top 10 list of malicious software in Brazil and first on the worldwide list. Finally, the bot programs Rbot and Zlob are on both the Brazilian list and the worldwide list.

Georgian Cyberattacks Traced to Russian Civilians

A report concludes that civilians and criminals carried out last year's attacks with the help of the Russian government.

Robert Lemos 08/18/2009

A year after Russian troops invaded the former Soviet state of Georgia, a report has concluded that the accompanying cyberattacks were carried out by organized crime and civilians with the aid of the Russian military.

The report, released by the U.S. Cyber Consequences Unit, is the result of an analysis of data collected during and after the attacks, which took place between August 7 and August 16, 2008. The US-CCU is a nonprofit research institute that focuses on analyzing cyber events and advising the U.S. government.

The attacks against Georgia initially targeted news media and government websites, making it hard for Georgians and the outside world to follow the events, the report states. Once the Russian military had established its presence inside Georgia, the list of targets expanded to include financial institutions and other businesses, universities, and more news media and government sites.

"These cyberattacks were designed to make it difficult to organize an effective response to the Russian presence," the report says. "Many of them were intended to interrupt normal business operations. Others were intended to make the Georgian population uncertain about what to expect and what they should do."

While the Russian military obviously benefited from the attacks, the US-CCU argues that the evidence indicates only civilians were involved.

"Although, it would, in principle, have been possible for the Russian military to have carried out some of these cyberattacks, disguising their involvement convincingly would have been very difficult and expensive," the report states.

However, the US-CCU report concludes that the Russian military most likely gave the attackers a list of targets and, potentially, the tools to conduct the attacks. Considering that the attacks happened at nearly the same time as the invasion of Georgia, and that no reconnaissance was done prior to the attacks, the denial-of-service floods were probably preplanned, the report argues. The attacks also involved the cooperation of Russian organized crime, as many of the attacking computers also had software installed for other cybercriminal activities, according to the report.

In defending against the attacks, the Georgian government tapped groups of cybersecurity experts and initially filtered the Russian IP address space. However, the attackers soon used proxies and compromised computers in other nations' address spaces, making the attacks harder to block.

The Georgians also apparently planted a counterattack tool, disguised as just another script for attacking Georgian computers. Russian sympathizers who downloaded and ran the program would instead attack 19 websites in Russia.

"No evidence of damage caused by this attack script came to the US-CCU's attention, which suggests that any harm it caused was not extensive," says the report.

Bio

UnsafeBits is a blog by veteran journalist Robert Lemos. It covers the latest in computer-security research and documents the ongoing evolution of cybercriminal techniques.
Rob can be contacted at unsafebits-at-robertlemos.com.
