Microsoft has a new way of determining the geolocation of systems infected with malware, and it had subtle but relevant effects on the 11th volume of the Microsoft Security Intelligence Report. It’s a novel concept, instead of relying on an administrator-specified setting that anyone with hands and a mouse can change, they are now relying on IP addresses.
When Microsoft compared the results of the 11th Microsoft Security Intelligence Report using both the new IP address method and the old administrator-specified method they found that very few locations saw a decrease in infection rates from the old method to the new, according to a post on TechNet. In fact the only locations that saw decreases were Taiwan, Spain, Russia, the United States, and France; the languages spoken in these countries (Chinese, Spanish, Russian, English, and French respectively) represent five of the most popular languages on the Internet.
On the other hand, a number of locations, mostly places with small populations, saw significant increases in malware detection rates. Microsoft’s director of trustworthy computing, Tim Raines, isn’t claiming that computer administrators, malicious or otherwise, are altering the settings to skew the results of the Microsoft Intelligence Report, but rather that in smaller countries (let’s use one in which Spanish is the primary language other than Spain as an example) the administrators may be configuring the local settings to reflect language-origin rather than actual location. In this case, that would mean choosing Spain as the location when that user may indeed live in Equatorial Guinea. The result would be that any malware infections taking place in that country would be reported as having occurred in Spain. Hence, a small Spanish speaking country’s malware rates go up and Spain’s goes down.
Of course IP addresses can be spoofed, but it’s more difficult and (probably) less common than users choosing incorrect locale settings in Windows for whatever reason.