
No Such Thing as a "Safe Site"

CNN news recently interviewed a small hacker group operating out of China. From that onsite interview comes this very telling quote:

"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness." (Xiao Chen, Chinese hacker)

The Chinese hackers claim to have broken into U.S. Pentagon systems and subsequently sold the information to Chinese government officials. (The Chinese government denies the hackers' claims.) But while cross-country cyber espionage is heady stuff, it's far outpaced by the everyday attacks on the 'average joe'.

ScanSafe's January 2008 global threat report (PDF) includes a heat map which shows the distribution of malware-hosting web sites throughout the world. Collectively, China holds the #2 spot. The U.S. has the dubious distinction of being #1. But the January heat map includes all types of malware hosts, including those that may be the result of compromised computers (i.e. botnets), or resulting from rogue advertising.

When viewed from the perspective of password-stealing Trojans, China tops the list, dramatically so. A full 48% of the password-stealing Trojan hosts originate in China, compared to 28% in the U.S., 8% in Korea, 5% in the U.K., and 5% in Brazil.

Of course, most of us would never knowingly visit a malicious web site. But even visiting the most reputable of sites can lead to infection. And that's just where hackers like Xiao Chen come into play. Highly skilled, extremely patient, and possessing more knowledge of search engine optimization (SEO) techniques than even the most savvy marketing pro, today's hackers can ferret out and exploit a range of vulnerabilities on legitimate web sites, planting hidden scripts and iframes that silently deliver the malware hosted on the attacker-owned site. And once a site has been compromised, the hacker may put their SEO skills to work, boosting the site's ranking in search engine results to increase traffic to the compromised sites, thus increasing the number of potential victims.
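For site owners, the planted iframes and scripts described above can be looked for in a page's own markup. The sketch below is an added example, not taken from the ScanSafe report or the original post: it flags off-site iframes that are sized or styled to be invisible, and lists off-site scripts for review. The host names, the sample page, and the rule that "same site" means the host or one of its subdomains are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for a width/height attribute of 0 or 1 (e.g. "0", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class HiddenFrameFinder(HTMLParser):
    def __init__(self, site_host, allowed=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed}  # reviewed third parties
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if (not host or host == self.site_host or host in self.allowed
                or host.endswith("." + self.site_host)):
            return  # inline, relative, same-site or allowlisted source
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if tag == "iframe" and hidden:
            self.findings.append(("hidden-iframe", host))
        elif tag == "script":
            self.findings.append(("offsite-script", host))

def scan(html, site_host, allowed=()):
    finder = HiddenFrameFinder(site_host, allowed)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://stats.example.net/t.js"></script>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://attacker.example/x" width="0" height="0"></iframe>
<iframe src="//cdn.attacker.example/y" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE, "www.example.com", allowed={"stats.example.net"}))
```

A static check like this only sees markup present in the served HTML; content injected at runtime by script requires comparing the rendered DOM or monitoring file integrity on the server.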

So how do some of the other malware hosting categories stack up?

Worms: China 33%, U.S. 24%, U.K. 10%, India 10%, Russia 5%
Virus: U.S. 45%, U.K. 14%, China 6%, Korea 5%, Spain 5%
Droppers: U.S. 33%, Russia 18%, China 18%, Austria 8%, U.K. 8%
Backdoors: U.S. 48%, U.K. 6%, Netherlands 6%, France 4%, Spain 4%

Regardless of which country tops the list in any given malware category, geography alone is no key indicator of malware potential. Bottom line, you might get pwned by a hacker from China. But it's just as likely to be from some kid living in Kansas. Web site compromise is an equal opportunity employer and knows no boundaries, geographic or otherwise. Or to paraphrase Xiao Chen, no web site is safe - and no one country is completely to blame.

Posted on Monday, March 10, 2008 at 07:17AM by Mary Landesman
