I've been saying for years that attributing malware to a specific country on the basis of the language of comments or build timestamps is total crap. If I were writing a virus I'd set my clock to another TZ and sprinkle the code with comments and variable names in a language used in that TZ. You don't even need to deal with them during development, just change them before the final build.
Of course a little truth gets in the way when you want to be first attribute the latest buzzword named threat to the current enemy du jour.
Biting the hand that feeds IT
