Written evidence submitted by David Emm
and Professor Steven Furnell (Malware 03)
EXECUTIVE SUMMARY
1. Malware represents a significant and increasing
threat to both businesses and individuals with around 35,000 new
threats identified each day. While related technological
and legislative safeguards exist, evidence suggests that many
systems remain inadequately protected, and users have an insufficient
understanding of how and where they may be affected. The authors
recommend increased efforts towards public awareness-raising,
as well as considering an obligation to have related protection
in place.
INTRODUCTION
2. David Emm is a Senior Security Researcher
with Kaspersky Lab, a commercial Internet security vendor, and
has a particular interest in the malware ecosystem. He conceived
and developed Kaspersky's Malware Defence Workshop.
3. Steven Furnell is Professor of Information
Systems Security with Plymouth University, and has extensive research
and publications relating to Internet security and cyber-crime,
as well as particular interest in the challenges facing end-users.
4. This submission is made on a joint basis and
presents material relating to all of the questions posed by the
Call for Evidence. The evidence is drawn from malware analysis
conducted by Kaspersky Lab and research studies conducted by Plymouth
University.
What proportion of cyber-crime is associated with
malware?
5. By nature, cyber-crime is covert and often
goes unnoticed. Even when detected, it often goes unreported.
It is impossible to fully quantify cyber-crime in monetary terms,
or to determine precisely what portion of it makes use of malware.
Nevertheless, we would draw attention to data that indicates,
albeit indirectly, a clear link between cyber-crime and malware.
6. Kaspersky Lab analyses between 30,000 and
50,000 unique samples daily, adding around 3,500 signatures into
the virus detection databases daily. From these, it is clear
that the threat landscape is dominated by malicious programs designed
specifically to perpetrate cyber-crime, and that the factory production
of malware is intended to (a) enable the activities of cyber-criminals
to try to evade the protection offered by Internet security products;
and (b) maintain their grip on already-compromised computers around
the globe. One reason for the growth-rate of malware in recent
years is to extend its "shelf-life". If we consider,
for example, the ZeuS banking Trojan, the number of variants runs
into tens of thousands.
7. The overwhelming majority of malware programs
are designed to further cyber-criminal activity. This is clear
from the types of malware that dominate Kaspersky Lab's top 20
listings each month (eg backdoor Trojans, keyloggers, Trojan
Downloaders, Hacktools, Fraudtools and other programs designed
to compromise, and maintain control over, their victims). The
aim is typically to harvest confidential data and use this data
to assume victims' identities and steal their money, or use it
as building blocks in targeted attacks against organisations.
Increasingly, we live in an era of "steal everything",
where it is not just obviously financial information that is valuable
to cyber-criminals, but everything that users post online or write
in messages.
8. There is a thriving market in malicious programs
and services. Technical skills are no longer required to launch
a high-tech attack against Internet users. It is easy for cyber-criminals
to "lease" the services they need (eg the use of a botnet
to distribute spam, or install fake anti-virus software), or to
buy the banking Trojan they need from those who developed it -
with levels of customisation depending on their requirements.
9. It is clear that a significant portion of
the costs associated with cyber-crime relates to use of malware.
UK Payments Administration, for example, reports that online
banking fraud losses amounted to £46.7 million in 2010.
This figure also includes the cost of phishing attacks, but even
if half of this is malware-related, then the impact is significant.
Where does the malware come from? Who is creating
it and why?
10. The Internet essentially removes geographic
boundaries, which has a profound effect upon criminality. Unlike
real-world criminals, who must have sight of their victims, the
potential targets of cyber-criminals can be anywhere else in the
world. However, there have always been "hot-spots"
of malware development. If we consider web-based threats (one
of today's key infection vectors), Table 1 shows that in Q2 2011
just 10 countries hosted 87% of the resources used to distribute
malware worldwide.[5]
Table 1
TOP MALWARE-HOSTING COUNTRIES
Rank | Hosting country | Proportion of hosted malware
1 | USA | 28.53%
2 | Russia | 15.99%
3 | Germany | 7.81%
4 | Great Britain | 7.63%
5 | The Netherlands | 7.57%
6 | Ukraine | 5.78%
7 | China | 5.64%
8 | Canada | 3.50%
9 | British Virgin Islands | 2.63%
10 | Sweden | 1.99%
11. The development of malware is not spread evenly across
all these countries. Certain areas specialise in particular types
of malware. For example, historically Brazilian cyber-criminals
have focused particularly on banking Trojans, Russian cyber-criminals
on botnets and Chinese cyber-criminals on gaming malware.
12. There is no correlation between the geographical sources
of malware and the location of victims. In the same period (ie
Q2 2011), the countries facing the highest risk of infection were
as shown in Table 2.[6]
It is clear that most of these countries are part of the developing
world, where the use of computers and the Internet are increasing
rapidly, but consumer awareness of threats is below that in the
developed world.
Table 2
COUNTRIES WITH HIGHEST LEVELS OF MALWARE INFECTION
Rank | Victim location | % of individual users infected
1 | Oman | 55.7
2 | Russian Federation | 49.5
3 | Iraq | 46.4
4 | Azerbaijan | 43.6
5 | Armenia | 43.6
6 | Sudan | 43.4
7 | Saudi Arabia | 42.6
8 | Belarus | 41.8
9 | United States of America | 40.2
10 | Kuwait | 40.2
13. Until 2003 malware could be characterised as cyber-vandalism
(ie focused on causing disruption to computer systems). This
is not to say that malware did not have a financial impact, but
the writers did not profit from their creations. It was only
with the mass use of the Internet to conduct financial transactions
that this possibility presented itself. Today, nearly all malware
is designed to make money illegally. This may be through the
direct hijacking of financial transactions or the interception
of confidential data like passwords, PINs, credit card numbers,
etc - using malware and/or by means of phishing scams.
14. Mass Internet adoption has changed the nature of malware
development. Through the 1990s the vast majority were viruses,
with email worms dominating by the end of the decade. Both were
self-replicating and their aim was the same - to spread as far
and as quickly as possible. As a result, the early 2000s saw
epidemic follow epidemic in quick succession. This changed as
the motive shifted from cyber-vandalism to cyber-crime, and malware
writers sought to generate profits rather than headlines. As
a result, they sought to maintain a low profile - just like real-world
burglars. The connectivity of the Internet also meant that self-replication
was no longer essential - it was sufficient to "seed"
an attack by planting malware on a particular web resource and
direct potential victims to it by distributing links to compromised
web sites, or by re-directing traffic from legitimate sites.
Today, most malware takes the form of Trojans that download updates
to an already-compromised computer; or drop additional code on
the computer; or establish a connection to a remote attacker;
or silently harvest data.
15. The period since 2003 has seen not only an explosion in the sheer
numbers of malicious programs, but also the development of a "dark market"
for those that enable cyber-criminals to make money - not only
viruses, worms and Trojans, but also exploit code to capitalise
on software vulnerabilities, packing programs that complicate
malware analysis, and creation kits that allow non-technical criminals
to build their own malware.
What level of resources are associated with combating malware?
16. The efforts to combat malware involve efforts from various
stakeholders, each with a different focus on the problem and different
requirements in terms of resourcing.
17. Internet security vendors are on the front line in analysis,
detection and removal of malware, and consequently marshal significant
resources in this area (eg within Kaspersky Lab, from a staff
of ~2,400, 800 are engaged in related R&D work). This has
led to considerable advances over traditional signature-based
malware detection with today's Internet security applications
blending a range of proactive technologies, including heuristics,
behavioural analysis, whitelisting and reputation services, and
cloud-based analysis.
18. Banks and other financial institutions have a clear interest
in combating malware thanks to the increasing potential for fraudulent
transactions arising from growth in online banking and retail.
Banks now commonly provide their customers with software to block
malware or to safeguard transactions - or, at the least, encourage
customers to protect their systems [a requirement specifically
listed in the banking code].
19. Organisations more generally face a resourcing requirement
in terms of installing and managing defences, and responding to
attacks (eg removing malware, re-configuring computers, re-installing
backups, etc). Responsible organisations will also invest in
raising staff awareness of the threat. All of these activities
naturally incur associated costs to resource.
20. Government has responsibility for framing legislation
that can be used to prosecute cyber-criminals and establishing
law enforcement bodies that can specialise in this field. The
UK has a well-established legislative framework for dealing with
computer crime.[7] This
is not true of all countries, and this raises a key problem:
governments, unlike cyber-criminals, are somewhat constrained
by geo-political boundaries, and even attempts to establish a
supra-national framework (as with the European Convention on Cybercrime)
are limited if governments of some of the malware "hot-spot"
areas decline to sign up.
What is the cost of malware to individuals and how effective
is the industry in providing protection to computer users?
21. Costs to individuals can be measured in terms of financial
loss, inconvenience, damage and data theft. However, where users
are aware of the problem, the cost ought to be measured in more
than just the direct losses or disruption that they experience.
In fact, perhaps the most significant cost is that fear of malware
(and other online threats) can undermine trust in technology and
online services, and consequently inhibit use. For example, a
survey by Which? Computing revealed that 57% of users were
concerned about viruses and consequently deterred from carrying
out online transactions.
22. In terms of related protection, antivirus is typically
the most readily recognised form of security, and many systems
now come provided with at least a trial version from point of
purchase. However, it is less certain whether users will renew
their licence to use it beyond the initial free period. For example,
a 2010 survey of 1,123 UK consumers by GFI Software revealed that
40% would allow their antivirus subscriptions to expire rather
than renew them.
23. There is also a potential gap between those systems that
have antivirus installed and those that are using it properly.
For example, findings from a 2007 survey of 378 US homes by McAfee
and National Cyber Security Alliance (in which users were asked
about the safeguards they believed were on their PCs, and the
systems were then scanned to check the reality) revealed that
while 92% believed their antivirus was up-to-date, only 51% had
received a signature within the previous week.
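The gap described above (users believing their antivirus is current versus signatures actually received within the previous week) can be measured directly from an endpoint inventory. The following is an added example, not code from the submission or from Kaspersky Lab; the hostnames, timestamps and "believes current" flags are constructed, and the seven-day threshold is taken from the survey's own criterion.

```python
from datetime import datetime, timedelta

# Constructed inventory (not real survey data): hostname, whether the
# user believes their antivirus is up-to-date, and the timestamp of the
# last signature update the antivirus client actually received.
INVENTORY = [
    ("pc-01", True, "2011-08-30T09:12:00"),
    ("pc-02", True, "2011-08-12T17:40:00"),
    ("pc-03", True, "2011-09-01T08:05:00"),
    ("pc-04", False, "2011-07-20T11:00:00"),
    ("pc-05", True, "2011-08-27T22:30:00"),
]

# The survey counted a system as current if it had received a
# signature within the previous week.
STALE_AFTER = timedelta(days=7)


def signature_age(last_update_iso: str, now_iso: str) -> timedelta:
    """Time elapsed since the last signature update reached the client."""
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_update_iso)


def audit(inventory, now_iso: str, stale_after: timedelta = STALE_AFTER):
    """Return (hosts believed current, hosts actually current, stale hosts).

    A stale host is one whose last signature is older than `stale_after`;
    each stale entry records whether its user nevertheless believed the
    antivirus was up-to-date, which is the perception gap the survey found.
    """
    believed = sum(1 for _, believes, _ in inventory if believes)
    actual = 0
    stale = []
    for host, believes, last_update in inventory:
        if signature_age(last_update, now_iso) <= stale_after:
            actual += 1
        else:
            stale.append((host, believes))
    return believed, actual, stale


def perception_gap(inventory, now_iso: str):
    """Percentages of hosts believed current and actually current."""
    believed, actual, _ = audit(inventory, now_iso)
    total = len(inventory)
    return round(100 * believed / total), round(100 * actual / total)


if __name__ == "__main__":
    believed_pct, actual_pct = perception_gap(INVENTORY, "2011-09-02T00:00:00")
    _, _, stale_hosts = audit(INVENTORY, "2011-09-02T00:00:00")
    print(f"believed current: {believed_pct}%  actually current: {actual_pct}%")
    for host, believes in stale_hosts:
        print(f"stale: {host} (user believes current: {believes})")
```

On the constructed data four of five users believe they are protected while only three of five hosts have received a signature in the last week; the two stale hosts are the ones an organisation would want to chase, regardless of what their users believe.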
24. As a user community, little appears to have been learnt
from the experience of the past, and so individuals appear freshly
vulnerable in each new context. For example, mobile devices are
being adopted with very little of the prior experience being carried
forward, and so while Ofcom now suggests that approximately one
in three UK adults use a smartphone, there is a distinct lack of
understanding around related security issues - a recent report
from Retrevo suggests that only a third of Android users are aware
that their devices could be susceptible to malware, while Lookout
reports an 85% increase in mobile malware detections on the Android
platform during the first six months of 2011, along with a five-fold
increase in the number of malware-infected apps.
25. In terms of the effectiveness of the industry, users have
certainly been provided with a wealth of options to choose from,
and related packages are now prominently positioned in retailers
such as PC World; relatively few PC adverts and high-street offers
fail to mention a bundled antivirus or wider Internet Security
solution. All of the leading vendors
can be relied upon to offer rapid response to new threats (eg
in terms of timely signature updates to the products). They also
participate in threat discovery, by monitoring Internet activity
in order to identify signs of emerging threats.
26. User satisfaction with the products themselves is variable,
with concerns over degraded performance and uninstallation difficulties
often featuring in the "word-of-mouth" reputation for
certain products. There are also potential usability issues,
as illustrated by these quotes from end-users interviewed in a
Plymouth University study:[8]
[1] "The antivirus programs are really difficult to use,
annoying because you try to access something and you get too many
pop up messages, they drive you crazy, with warnings and warnings
and allow or not allow"; [2] "I feel now annoyed because
of the problems that (AV software) caused me. I'm a bit
worried because when my laptop gets stuck my mind goes straight
away maybe it's a virus, maybe it's a Trojan horse, maybe it's
a worm, you know, and then I don't know what to do and sometimes
I feel insecure".
27. Many users lack the awareness to make an informed
choice over their protection (ie to recognise that price, effectiveness,
performance and support may all be relevant considerations). Many
currently choose free products without an appreciation that their
supporting infrastructure may be less substantial, and thus less
timely in response to new threats. However, there are some good
examples in which the core antivirus product is made available
for free, and the consumer pays for the wider Internet Security
suite. This recognises that protection against malware threats
can be best achieved by maximising the number of systems that
are protected.
28. The industry has perhaps been less effective in communicating
the message that antivirus is only one component of online security,
and that users should not rely upon it as a total solution. As
such, users can have unrealistic expectations about the degree
to which they need to take an active role once a package has been
installed, as evidenced by further quotes from the Plymouth study:
[1] "I think that when I am using the antivirus to scan
my computer that this is enough"; [2] "I didn't
have any problems so far because I've seen McAfee always downloading
stuff so it works by itself without me doing anything
or knowing anything about it". More generally, we still
face a situation in which users do not sufficiently understand
the threats they face (eg the volume and stealth of the malware),
and are thus less likely to appreciate the need to remain updated.
Should the Government have a responsibility to deal with the
spread of malware in a similar way to human disease?
29. It would be naive to think of it in terms of attempting
to impose the sort of physical controls on geographic spread that
one sees with human infections. However, there would be parallels
in terms of the need for awareness-raising and encouragement of
safe practices.
30. To manage the risk, society clearly needs a legal framework,
together with appropriate and effective law enforcement agencies.
There's little question that law enforcement agencies have developed
increasing expertise in dealing with hi-tech crime during the
last decade, including joint policing operations across national
borders. This must develop further if we are to deal effectively
with cyber-crime. In particular, the extension of international
legislation beyond the developed countries, and the development
of a "cyber-Interpol" to pursue criminals across geo-political
borders would contribute greatly to the fight against cyber-crime.
31. We need to ensure that individuals and businesses understand
the risks and have the knowledge and tools to minimise their exposure
to cyber-crime. This is particularly important in relation to
individuals. They are typically non-technical and understand
little about the potential problems associated with online shopping,
Internet banking and social networking. As a society, we must
find imaginative and varied ways of raising public awareness about
cyber-crime and the ways to mitigate the risks. One potential
activity would be to require that related awareness-raising literature
be shipped with each PC (which could usefully draw attention to
other online threats, such as phishing, in addition to malware).
This could be in the form of key points for attention, with direction
to a site such as Get Safe Online for further information and
platform-specific guidance.
How effective is the Government in co-ordinating response to
cyber-crime that uses malware?
32. Although things have improved from a legislative perspective,
efforts have been relatively limited in terms of public/citizen-facing
initiatives. Various public resources provide sound advice on
Internet security and how to minimise the risk of falling victim
to cyber-criminals (including Get Safe Online, identitytheft.org.uk
and Bank Safe Online). However, all assume that the reader is
already online. There have been few attempts to reach out to
the wider public using TV or other offline media.
33. The technology to provide protection against malware exists,
but there needs to be more expectation (and perhaps obligation)
to use it. There is an ongoing public perception of computers
as consumer electronics. Users need to be encouraged to understand
that there are on-going responsibilities and associated running
costs, far more akin to what one would face with a car. Indeed,
there are several areas in which PC owners could learn from the
practices that apply to motorists. For example, motorists are
obliged to have roadworthy vehicles, but there is no analogous
obligation for connecting a PC to the Internet (a machine can
be riddled with malware, and no-one will check). Additionally,
users could usefully be encouraged to view antivirus subscriptions
as being akin to mandatory additional motoring costs such as insurance,
tax, and MoT. Finally, whereas would-be motorists must demonstrate
competent knowledge of the Highway Code, would-be IT users can
be completely ignorant of good practice and where the line between
legal and illegal behaviour is drawn.
34. There is a balance to be struck in terms of encouraging
technology usage without engendering over-reliance upon it. While
users should be expected to have protection, they should not be
lulled into a false belief that it will solve all their problems.
Technology needs to be understood in the wider context of safe
online behaviour.
6 September 2011
[5] https://www.securelist.com/en/analysis/204792186/IT_Threat_Evolution_Q2_2011#21
[6] https://www.securelist.com/en/analysis/204792186/IT_Threat_Evolution_Q2_2011#22
[7] For an historical overview of the UK's cyber-crime legislation,
see https://www.securelist.com/en/analysis/204792064/Cybercrime_and_the_law_a_review_of_UK_computer_crime_legislation
[8] Furnell, S, Tsaganidi, V and Phippen, A 2008. "Security
beliefs and barriers for novice Internet users", Computers
& Security, vol. 27, no. 7-8, pp. 235-240.