Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by StopBadware (Malware 05)

1.  Thank you for soliciting input on the effects of malware and the role of the Government in addressing it. StopBadware is a not-for-profit organization, based in the United States, which aims to protect Internet users from websites that distribute badware, and to protect owners and hosts of websites from having their sites turned to this malicious purpose. Where such damage has already been done to legitimate sites, StopBadware seeks to facilitate notification and remediation to minimize the risk to the public.

2.  In response to your first question, it is difficult to quantify the proportion of cyber-crime that is associated with malware. This is due to the myriad challenges of reaching common agreement on definitions, gathering reports of losses, quantifying losses, and associating specific losses with malware.

3.  Qualitatively, it is our experience that the vast majority of cyber-crime content that individual citizens encounter in their day to day use of the Internet—spam, fake pharmaceutical sales, scareware (eg fake anti-virus), and unauthorized downloads—is directly or indirectly supported through the use of malware or other badware.[9] Malware is used directly to:

—  steal money from bank accounts;

—  capture credit card numbers and other credentials;

—  send or post spam via email, social networks, and blog comments;

—  spy on the communications of computer users; and

—  participate in distributed denial of service (DDoS) attacks.

4.  Indirectly, these behaviors support a broader criminal ecosystem, in which spam, phishing, malware, counterfeiting, social engineering (ie con artistry), and illicit financial operations combine to perpetrate a wide variety of crimes.

5.  Further, malware is a frequent tool used to perpetrate directed attacks against businesses, governments, and political organizations. Many of the same techniques used by malware in opportunistic or "mass market" cyber-crimes are deployed (often in more sophisticated form) in such directed attacks. This suggests that state-sponsored and other sophisticated actors may learn from and perhaps even draw directly on the expertise of the criminal underground, though we have seen no specific evidence to confirm this theory.

6.  The preceding paragraphs begin to answer your second question regarding the source of, and motivations behind, malware. Within the economic underground, freelance developers and specialized groups develop and market malware or e-crime toolkits that allow other actors to perpetrate their chosen attacks or scams. The primary motivation in these cases is largely one of profit, though this is frequently accompanied by an anti-establishment ethos or a "look what I can do" arrogance. In contrast, some of the most technically sophisticated malware likely comes from highly skilled, highly paid individuals and teams working within or sympathetic to the organizations (governmental, political, or criminal) responsible for perpetrating targeted attacks.

7.  When discussing where malware comes from, it's also important to consider how malware reaches individual computers, smartphones, and similar devices. Although the specific vectors vary, there are two elements common to most malware, especially the forms targeted at a broad audience: malware is opportunistic, and it abuses user trust. Several years ago, malware frequently manifested itself as a worm spreading from friend to friend by email, or a Trojan disguising itself with a Microsoft Word icon. Today, malicious links spread from friend to friend via Facebook, and fake antivirus alerts are disguised as Microsoft security warnings. In our work at StopBadware, we work with website owners whose otherwise harmless websites—blogs, retail storefronts, and so on—have been compromised and enlisted in distributing badware to the sites' unsuspecting visitors.

8.  Regarding the cost to individuals, it is again difficult to quantify. Here in the United States, Consumer Reports published a study in June 2010 that attributed $3.9 billion in consumer damages to viruses and spyware.[10] These numbers, however, are at best a rough approximation, as they were self-reported by consumers via survey. Some of the challenges to accurately measuring the cost to individuals include:

—  centralizing information about consumer losses, many of which are unreported or are reported only to private institutions, such as banks or credit card issuers;

—  attributing a loss specifically to malware (eg if a consumer's credit card number is stolen, s/he may not realize it was because of a Trojan);

—  distinguishing between financial losses borne directly by the individual and those ultimately borne by the financial institution; and

—  valuing lost time, aggravation, and other intangible—but not insignificant—costs.

9.  It can be challenging, as well, to determine how effectively the security industry is protecting individuals. After all, how do you measure what you cannot see (ie the malware that doesn't get detected)? That said, there are some things we do know. For example, we know that the protection afforded by consumer security products (eg anti-virus software and comprehensive security suites) varies dramatically across brands and versions. We recently reviewed a study that simulated real-world conditions of a user opening attachments, downloading files, and visiting dangerous websites, while protected by various name-brand security products. The percentage of attacks that succeeded in infecting the computers ranged from 0% to 35% depending upon the security product used.

10.  Security products, however, are not the only form of protection for individuals against malware. Here are just a few examples of other areas in which industry plays a role in protecting users:

—  Web hosting providers can help protect customers' websites from becoming compromised by malware.

—  Software vendors can design sensible security defaults and automatic update mechanisms into operating systems and applications.

—  Technology industry players can collaborate on common messaging and security standards to reduce end user confusion.

—  ISPs can notify customers whose devices exhibit malware behavior and direct those customers to educational content and support resources.

11.  The extent to which malware continues to proliferate and affect individual Internet users indicates that industry as a whole is not doing as well as it could—and, we would argue, should—to prioritize consumer protection from malware.

12.  While it is reasonable to conclude, then, that government has a responsibility to address the spread of malware, more work is needed to determine the best approach. Your inquiry refers to a human disease metaphor, and indeed there are efforts underway to identify an Internet health model patterned after global public health models.[11] These efforts are still early in their development, and we are still determining the extent to which the health metaphor applies to fighting malware, and what this implies for government involvement.

13.  What is clear, however, is that government can and should play a role in aligning incentives and facilitating industry response to malware. Carefully constructed policies around liability for spreading malware—with clear protections for industry players that take reasonable precautions to prevent it—may help elevate prevention as a priority. Government can facilitate valuable data sharing and measurement in a number of ways, including:

—  institution of mandatory data reporting;

—  centralized collection and collation of data, whether shared voluntarily or via mandate;

—  removal of real or perceived legal barriers to data sharing; and

—  funding of existing efforts to collect data and report on trends.

14.  Countries like Germany, Japan, and Australia have demonstrated the value of government-facilitated data sharing through their efforts to assist ISPs in notifying customers of compromised devices. Germany and Japan have taken this a step further with their funding of centralized centers to assist consumers with the removal of malware from their systems.

15.  Collectively, these existing and proposed government approaches can offer a blueprint for effective response by government to malware. Combined with the ongoing efforts of leading industry players and third party organizations like StopBadware, it should be possible to substantially reduce the threat to the public of malware and its attendant criminal activity.

Maxim Weinstein
Executive Director, StopBadware

6 September 2011

9   Badware is any software that fails to respect users' choices about how their computers or network connections are used. It is a superset of malware that also includes spyware, fake anti-virus software, drive-by downloads, and other similar threats.

10

11   See, for example, the East-West Institute's cyber security breakthrough group on Internet Health.


© Parliamentary copyright 2012
Prepared 2 February 2012