Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by David Emm and Professor Steven Furnell (Malware 03)


1.  Malware represents a significant and increasing threat to both businesses and individuals with around 35,000 new threats identified each day. While related technological and legislative safeguards exist, evidence suggests that many systems remain inadequately protected, and users have an insufficient understanding of how and where they may be affected. The authors recommend increased efforts towards public awareness-raising, as well as considering an obligation to have related protection in place.


2.  David Emm is a Senior Security Researcher with Kaspersky Lab, a commercial Internet security vendor, and has a particular interest in the malware ecosystem. He conceived and developed Kaspersky's Malware Defence Workshop.

3.  Steven Furnell is Professor of Information Systems Security with Plymouth University, and has extensive research and publications relating to Internet security and cyber-crime, as well as particular interest in the challenges facing end-users.

4.  This submission is made on a joint basis and presents material relating to all of the questions posed by the Call for Evidence. The evidence is drawn from malware analysis conducted by Kaspersky Lab and research studies conducted by Plymouth University.

What proportion of cyber-crime is associated with malware?

5.  By nature, cyber-crime is covert and often goes unnoticed. Even when detected, it often goes unreported. It is impossible to fully quantify cyber-crime in monetary terms, or to determine precisely what portion of it makes use of malware. Nevertheless, we would draw attention to data that indicates, albeit indirectly, a clear link between cyber-crime and malware.

6.  Kaspersky Lab analyses between 30,000 and 50,000 unique samples daily, adding around 3,500 signatures into the virus detection databases daily. From these, it is clear that the threat landscape is dominated by malicious programs designed specifically to perpetrate cyber-crime, and that the factory production of malware is intended to (a) enable the activities of cyber-criminals by trying to evade the protection offered by Internet security products; and (b) maintain their grip on already-compromised computers around the globe. One reason for the growth-rate of malware in recent years is the effort to extend its "shelf-life": each new variant is a fresh sample that existing signatures may not yet match. If we consider, for example, the ZeuS banking Trojan, the number of variants runs into tens of thousands.

7.  The overwhelming majority of malware programs are designed to further cyber-criminal activity. This is clear from the types of malware that dominate Kaspersky Lab's top 20 listings each month (eg backdoor Trojans, keyloggers, Trojan Downloaders, Hacktools, Fraudtools and other programs designed to compromise, and maintain control over, their victims). The aim is typically to harvest confidential data and use this data to assume victims' identities and steal their money, or use it as building blocks in targeted attacks against organisations. Increasingly, we live in an era of "steal everything", where it is not just obviously financial information that is valuable to cyber-criminals, but everything that users post online or write in messages.

8.  There is a thriving market in malicious programs and services. Technical skills are no longer required to launch a high-tech attack against Internet users. It is easy for cyber-criminals to "lease" the services they need (eg the use of a botnet to distribute spam, or install fake anti-virus software), or to buy the banking Trojan they need from those who developed it - with levels of customisation depending on their requirements.

9.  It is clear that a significant portion of the costs associated with cyber-crime relates to use of malware. UK Payments Administration, for example, reports that online banking fraud losses amounted to £46.7 million in 2010. This figure also includes the cost of phishing attacks, but even if half of this is malware-related, then the impact is significant.

Where does the malware come from? Who is creating it and why?

10.  The Internet essentially removes geographic boundaries, which has a profound effect upon criminality. Unlike real-world criminals, who must have sight of their victims, the potential targets of cyber-criminals can be anywhere else in the world. However, there have always been "hot-spots" of malware development. If we consider web-based threats (one of today's key infection vectors), Table 1 shows that in Q2 2011 just 10 countries hosted 87% of the resources used to distribute malware worldwide.[5]

Table 1: Countries hosting malware-distribution resources, Q2 2011 (partial extract: ranks 4, 5 and 9 of 10 survive)

Rank  Hosting country          Proportion of hosted malware
4     Great Britain            7.63%
5     The Netherlands          7.57%
9     British Virgin Islands   2.63%

11.  The development of malware is not spread evenly across all these countries. Certain areas specialise in particular types of malware. For example, historically Brazilian cyber-criminals have focused particularly on banking Trojans, Russian cyber-criminals on botnets and Chinese cyber-criminals on gaming malware.

12.  There is no correlation between the geographical sources of malware and the location of victims. In the same period (ie Q2 2011), the countries facing the highest risk of infection were as shown in Table 2.[6] It is clear that most of these countries are part of the developing world, where the use of computers and the Internet are increasing rapidly, but consumer awareness of threats is below that in the developed world.

Table 2: Countries with the highest risk of infection, Q2 2011 (partial extract: ranks 2, 7 and 9 survive)

Rank  Victim location             % of individual users infected
2     Russian Federation          49.5
7     Saudi Arabia                42.6
9     United States of America    40.2

13.  Until 2003 malware could be characterised as cyber-vandalism (ie focused on causing disruption to computer systems). This is not to say that malware did not have a financial impact, but the writers did not profit from their creations. It was only with the mass use of the Internet to conduct financial transactions that this possibility presented itself. Today, nearly all malware is designed to make money illegally. This may be through the direct hijacking of financial transactions or the interception of confidential data like passwords, PINs, credit card numbers, etc - using malware and/or by means of phishing scams.

14.  Mass Internet adoption has changed the nature of malware development. Through the 1990s the vast majority of malicious programs were viruses, with email worms dominating by the end of the decade. Both were self-replicating and their aim was the same - to spread as far and as quickly as possible. As a result, the early 2000s saw epidemic follow epidemic in quick succession. This changed as the motive shifted from cyber-vandalism to cyber-crime, and malware writers sought to generate profits rather than headlines. As a result, they sought to maintain a low profile - just like real-world burglars. The connectivity of the Internet also meant that self-replication was no longer essential - it was sufficient to "seed" an attack by planting malware on a particular web resource and direct potential victims to it by distributing links to compromised web sites, or by re-directing traffic from legitimate sites. Today, most malware takes the form of Trojans that download updates to an already-compromised computer; or drop additional code on the computer; or establish a connection to a remote attacker; or silently harvest data.

15.  Post-2003 has seen not only an explosion in the sheer number of malicious programs, but also the development of a "dark market" for those that enable cyber-criminals to make money - not only viruses, worms and Trojans, but also exploit code to capitalise on software vulnerabilities, packing programs that complicate malware analysis, and creation kits that allow non-technical criminals to build their own malware.

What level of resources are associated with combating malware?

16.  The efforts to combat malware involve efforts from various stakeholders, each with a different focus on the problem and different requirements in terms of resourcing.

17.  Internet security vendors are on the front line in analysis, detection and removal of malware, and consequently marshal significant resources in this area (eg within Kaspersky Lab, from a staff of ~2,400, 800 are engaged in related R&D work). This has led to considerable advances over traditional signature-based malware detection, with today's Internet security applications blending a range of proactive technologies, including heuristics, behavioural analysis, whitelisting and reputation services, and cloud-based analysis.

18.  Banks and other financial institutions have a clear interest in combating malware thanks to the increasing potential for fraudulent transactions arising from growth in online banking and retail. Banks now commonly provide their customers with software to block malware or to safeguard transactions - or, at the least, encourage customers to protect their systems [a requirement specifically listed in the banking code].

19.  Organisations more generally face a resourcing requirement in terms of installing and managing defences, and responding to attacks (eg removing malware, re-configuring computers, re-installing backups, etc). Responsible organisations will also invest in raising staff awareness of the threat. All of these activities naturally incur associated costs to resource.

20.  Government has responsibility for framing legislation that can be used to prosecute cyber-criminals and establishing law enforcement bodies that can specialise in this field. The UK has a well-established legislative framework for dealing with computer crime.[7] This is not true of all countries, and this raises a key problem: governments, unlike cyber-criminals, are somewhat constrained by geo-political boundaries, and even attempts to establish a supra-national framework (as with the European Convention on Cybercrime) are limited if governments of some of the malware "hot-spot" areas decline to sign-up.

What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

21.  Costs to individuals can be measured in terms of financial loss, inconvenience, damage and data theft. However, where users are aware of the problem, the cost ought to be measured in more than just the direct losses or disruption that they experience. In fact, perhaps the most significant cost is that fear of malware (and other online threats) can undermine trust in technology and online services, and consequently inhibit use. For example, a survey by Which? Computing revealed that 57% of users were concerned about viruses and consequently deterred from carrying out online transactions.

22.  In terms of related protection, antivirus is typically the most readily recognized form of security, and many systems now come provided with at least a trial version from point of purchase. However, it is less certain whether users will renew their licence to use it beyond the initial free period. For example, a 2010 survey of 1,123 UK consumers by GFI Software revealed that 40% would allow their antivirus subscriptions to expire rather than renew them.

23.  There is also a potential gap between those systems that have antivirus installed and those that are using it properly. For example, findings from a 2007 survey of 378 US homes by McAfee and National Cyber Security Alliance (in which users were asked about the safeguards they believed were on their PCs, and the systems were then scanned to check the reality) revealed that while 92% believed their antivirus was up-to-date, only 51% had received a signature within the previous week.

24.  As a user community, little appears to have been learnt from past experience, and so individuals appear freshly vulnerable in each new context. Mobile devices, for example, are being adopted with very little of that experience carried forward: Ofcom now suggests that approximately one in three UK adults use a smartphone, yet understanding of the related security issues is distinctly lacking. A recent report from Retrevo suggests that only a third of Android users are aware that their devices could be susceptible to malware, while Lookout reports an 85% increase in mobile malware detections on the Android platform during the first six months of 2011, along with a five-fold increase in the number of malware-infected apps.

25.  In terms of the effectiveness of the industry, users have certainly been provided with a wealth of options to choose from, and related packages are now prominently positioned in retailers such as PC World, and there are now relatively few PC adverts and high-street offers that do not make mention of a bundled antivirus or wider Internet Security solution. All of the leading vendors can be relied upon to offer rapid response to new threats (eg in terms of timely signature updates to the products). They also participate in threat discovery, by monitoring Internet activity in order to identify signs of emerging threats.

26.  User satisfaction with the products themselves is variable, with concerns over degraded performance and uninstallation difficulties often featuring in the "word-of-mouth" reputation for certain products. There are also potential usability issues, as illustrated by these quotes from end-users interviewed in a Plymouth University study:[8] [1] "The antivirus programs are really difficult to use, annoying because you try to access something and you get too many pop up messages, they drive you crazy, with warnings and warnings and allow or not allow"; [2] "I feel now annoyed because of the problems that (AV software) caused me. I'm a bit worried because when my laptop gets stuck my mind goes straight away maybe it's a virus, maybe it's a Trojan horse, maybe it's a worm, you know, and then I don't know what to do and sometimes I feel insecure".

27.  Many users lack the awareness to make an informed choice over their protection (ie to recognise that price, effectiveness, performance and support may all be relevant considerations). Many currently choose free products without an appreciation that their supporting infrastructure may be less substantial, and thus less timely in response to new threats. However, there are some good examples in which the core antivirus product is made available for free, and the consumer pays for the wider Internet Security suite. This recognises that protection against malware threats can be best achieved by maximising the number of systems that are protected.

28.  The industry has perhaps been less effective in communicating the message that antivirus is only one component of online security, and that users should not rely upon it as a total solution. As such, users can have unrealistic expectations about the degree to which they need to take an active role once a package has been installed, as evidenced by further quotes from the Plymouth study: [1] "I think that when I am using the antivirus to scan my computer that this is enough"; [2] "I didn't have any problems so far because I've seen McAfee always downloading stuff … so it works by itself without me doing anything or knowing anything about it". More generally, we still face a situation in which users do not sufficiently understand the threats they face (eg the volume and stealth of the malware), and are thus less likely to appreciate the need to remain updated.

Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

29.  It would be naive to think of it in terms of attempting to impose the sort of physical controls on geographic spread that one sees with human infections. However, there would be parallels in terms of the need for awareness-raising and encouragement of safe practices.

30.  To manage the risk, society clearly needs a legal framework, together with appropriate and effective law enforcement agencies. There's little question that law enforcement agencies have developed increasing expertise in dealing with hi-tech crime during the last decade, including joint policing operations across national borders. This must develop further if we are to deal effectively with cyber-crime. In particular, the extension of international legislation beyond the developed countries, and the development of a "cyber-Interpol" to pursue criminals across geo-political borders would contribute greatly to the fight against cyber-crime.

31.  We need to ensure that individuals and businesses understand the risks and have the knowledge and tools to minimise their exposure to cyber-crime. This is particularly important in relation to individuals. They are typically non-technical and understand little about the potential problems associated with online shopping, Internet banking and social networking. As a society, we must find imaginative and varied ways of raising public awareness about cyber-crime and the ways to mitigate the risks. One potential activity would be to require that related awareness-raising literature be shipped with each PC (which could usefully draw attention to other online threats, such as phishing, in addition to malware). This could be in the form of key points for attention, with direction to a site such as Get Safe Online for further information and platform-specific guidance.

How effective is the Government in co-ordinating response to cyber-crime that uses malware?

32.  Although things have improved from a legislative perspective, efforts have been relatively limited in terms of public/citizen-facing initiatives. Various public resources provide sound advice on Internet security and how to minimise the risk of falling victim to cyber-criminals (including Get Safe Online, and Bank Safe Online). However, all assume that the reader is already online. There have been few attempts to reach out to the wider public using TV and other offline media.

33.  The technology to provide protection against malware exists, but there needs to be more expectation (and perhaps obligation) to use it. There is an ongoing public perception of computers as consumer electronics. Users need to be encouraged to understand that there are on-going responsibilities and associated running costs, far more akin to what one would face with a car. Indeed, there are several areas in which PC owners could learn from the practices that apply to motorists. For example, motorists are obliged to have roadworthy vehicles, but there is no analogous obligation for connecting a PC to the Internet (a machine can be riddled with malware, and no-one will check). Additionally, users could usefully be encouraged to view antivirus subscriptions as being akin to mandatory additional motoring costs such as insurance, tax, and MoT. Finally, whereas would-be motorists must demonstrate competent knowledge of the Highway Code, would-be IT users can be completely ignorant of good practice and where the line between legal and illegal behaviour is drawn.

34.  There is a balance to be struck in terms of encouraging technology usage without engendering over-reliance upon it. While users should be expected to have protection, they should not be lulled into a false belief that it will solve all their problems. Technology needs to be understood in the wider context of safe online behaviour.

6 September 2011

5  [Reference not reproduced in this extract]

6  [Reference not reproduced in this extract]

7  For an historical overview of the UK's cyber-crime legislation, see [reference not reproduced in this extract].

8  Furnell, S, Tsaganidi, V and Phippen, A 2008. "Security beliefs and barriers for novice Internet users", Computers & Security, vol. 27, no. 7-8, pp235-240.


© Parliamentary copyright 2012
Prepared 2 February 2012