Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Symantec (Malware 09)

1.  Recent high profile cyber incidents have highlighted the increasingly complex, sophisticated and organised nature of cybercrime. This, together with the shift towards greater interoperability between internet based networks and systems, means that a targeted malware attack has the potential to have a cascading effect on other connected systems, leading to individuals, businesses and organisations being impacted. Online attacks that were once conducted solely for notoriety are now increasingly motivated by economic gain, with cyber criminals seeking access to information that can then be sold as a commodity on the underground economy and possibly used in further attacks.

2.  Given Symantec's position as one of the world's leaders in internet and information security we welcome the opportunity to provide input to the Committee on the important questions raised in the call for evidence.

What proportion of cyber-crime is associated with malware?

3.  To answer this question it is first necessary to define what is meant by malware. For Symantec, malware is malicious computer code that can be classified into four main threat types: viruses, backdoors, worms, and Trojans. As is commonly understood, computer viruses propagate by infecting existing files on affected computers with malicious code, while backdoor malware is code that allows an attacker to remotely access compromised computers. Worms are malicious code that can replicate on infected computers and can facilitate malicious code being copied to another computer, such as via USB storage devices, or spread through emails and instant messages. Trojans lead users to unwittingly install malicious code onto their computers, most commonly through either opening email attachments or downloading from a web site.

4.  For the last seven years Symantec has produced its Internet Security Threat Report. The longevity of the Symantec report provides a unique view on how malware threats have evolved, in scale and nature, as well as a current view of the worldwide Internet threat activity seen today. According to the latest Symantec report, published in April 2010, the main malicious code types seen in the UK were Trojans (55%), followed by worms (38%) and backdoors (4%), with computer viruses (3%) being the least seen malware type.

5.  The volume and sophistication of malware activity globally increased substantially in 2010. Symantec recorded over three billion malware attacks and observed more than 286 million unique variants of malware, with many of the malicious code threats becoming increasingly sophisticated, with multiple features. For example, many worms and viruses are also incorporating backdoor functionality. One reason for this is that threat developers try to equip malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks. The development of multi-layered malware means that malicious code is increasingly able to remain resident on infected computers for longer, giving attackers more time to steal information before the infection is discovered. As more users become aware of these threats and competition among attackers increases, it is likely that such complex malware threats will continue to increase in sophistication as cyber criminals attempt to evade security software. The use of new delivery mechanisms in 2010, such as web-attack toolkits, has also driven up the amount of malware seen in circulation.

6.  The tactics and approach used by attackers may also change and evolve depending on the target. For example, a popular website, social network or mobile operating system may be used to spread an attack, given the popularity of the compromised environment and therefore the likelihood of the malware reaching more users. In 2010 Symantec also saw an increased malware threat to mobile devices, given their popularity. As new devices, systems and networks grow in popularity and use, such as mobile, social networks, digital signatures and cloud computing, attackers will look to exploit their use as a means of targeting and attacking users.

7.  In 2010 Symantec also observed a number of key attack themes, which included a rise in targeted attacks, with incidents such as Hydraq and Stuxnet both utilising different types of malware to conduct their activities. The Stuxnet attack is a key example of how malware is being used not only to conduct traditional cyber crimes, such as fraud or extortion, but also targeted cyber attacks on critical systems and networks, such as, in the case of Stuxnet, those used by the energy sector.

8.  The Stuxnet attack targeted energy companies around the world and represented an example of how a malware threat can be designed specifically to gain access to and reprogram industrial control systems. It is estimated that at least four zero-day vulnerabilities were exploited in the Stuxnet attack, which allowed attackers to steal confidential Supervisory Control and Data Acquisition (SCADA) design and usage documents for industrial systems such as those used by the energy sector. This is the first time that so many zero-day vulnerabilities have been exploited in one attack and indicates that the people needed to develop and execute such an attack were not amateurs. It is understood that once the attackers gained entry into the targeted systems a rootkit was used to hide their presence while they targeted software within the systems used to control industrial assets and processes. It is also believed that legitimate as well as stolen digital certificates were used in the attack to mask their trail through the compromised systems. The use of zero-day vulnerabilities, a rootkit, stolen digital certificates, and in-depth knowledge of SCADA software are all high-quality attack assets and point to a group of possibly up to ten people having been involved in developing this specific, targeted and technically sophisticated cyber attack.

9.  In the past this type of cyber attack, focusing on critical national infrastructure, was seen by many as a theoretical possibility; however, it is fair to say that most would have dismissed such an attack as simply a movie-plot scenario. The Stuxnet incident has shown that such targeted, organised threats do exist, where external actors, motivated possibly by organised crime, terrorism or even hostile nations, are designing, developing and deploying malware in an attempt to gain control of industrial processes and then place that control in the wrong hands. This incident therefore represents a new way in which malware is being used by cyber attackers to conduct criminal activity that is motivated by reasons other than financial gain or notoriety.

10.  While the way in which the online threat environment constantly evolves is perhaps better understood today, understanding the sheer scale and nature of the malware threats facing users can still be somewhat difficult. Looking at the number of malicious code threats observed in a specific period can help to provide an insight into the overall level and variance of activity currently being seen in the global threat landscape, and may be useful to paint a picture of the current situation within which the Committee's inquiry is taking place.

11.  In the period between 1 April and 30 June 2011 Symantec observed approximately 166 million[25] unique malicious code threats, or malware, and on average observed 138,000 web based attacks. The malware detected in this time consisted of both existing and new threats. In the period between April and June, along with the continued prevalence of botnets and web based attacks, the emergence of new worm threats was also seen, such as Qakbot, a worm designed specifically to steal online banking account information from compromised computers. In this time period notable events such as the UK Royal Wedding, the Japan tsunami and the death of Osama Bin Laden were all seen to be exploited by malware developers, with the emergence of spam and phishing campaigns against internet users.

Where does the malware come from? Who is creating it and why?

12.  According to the latest Threat Report, the top country from which attacks targeting the UK originated in 2010 was the United States (38%), followed by the UK itself (17%), China (11%), Turkey (4%) and Canada (3%).[26] While these figures provide an indication of the origins of malicious activity, it is important to recognise that this data does not give the full picture of where malware originates. While an attack may appear to be coming from America or China, the cyber attackers themselves could in fact be located in an entirely different country and may only be using the networks, systems and perhaps users infected with botnet viruses in those countries to distribute and conduct attacks. In addition, the creator of the malicious code itself may also be located in a different location altogether. Locating the origins of malware, and therefore who is actually creating malicious code, is not something that a single organisation or company can achieve, as it requires different information on an attack, or pieces of a puzzle, to be brought together by different sources as and when appropriate.

13.  Although it is difficult to determine the specific origins, objectives and motivations of attackers, a high proportion of the attacks Symantec is seeing are driven by economic and financial gain and consequently information theft. Recent incidents have fuelled public speculation about the possible political motivation of attacks.

14.  It is perhaps easier to comment on why malware is being created and the motivation behind those creating it. Cyber criminals today are both organised and professional, with activities run like a business: malware research and development departments, and marketing divisions using online sites to promote and sell attack tool kits, which are also sold with support services and help lines for when malware needs to be updated or modified, perhaps in order to avoid detection.

15.  End users continue to be the main target for cyber criminals, with confidential information a valuable commodity for criminals that can then be used in social engineering or more targeted attacks.

What level of resources are associated with combating malware?

16.  Given the online threat environment and the increasingly sophisticated malware that organisations are being exposed to, having the appropriate technology and solutions in place to address security incidents effectively is important. Given the current economic climate, the cost challenges that organisations and individuals are facing may raise many questions as to the level of resources needed. Determining the most appropriate and proportionate level of technological resources needed is a decision that should be based on an assessment and identification of the level of risk being faced.

17.  For Symantec, an appropriate approach to addressing possible cyber security threats requires prevention against incidents occurring as well as preparedness to act if and when an incident occurs. Therefore a key resource needed to be prepared for a cyber security incident is having the right information at the right time to consider the possible threat or risk and take action as and when necessary. Having real time threat intelligence information can assist in the assessment of a risk and enable a timely response to the threat situation or incident by deploying appropriate operational capabilities to address specific security risks. Technological tools and solutions clearly also have a role to play in deploying countermeasures to combat and eradicate malware if an incident does occur.

18.  It is also important, however, to recognise that in order to combat cyber risks resources should not simply be focused on technology alone. An approach is needed that ensures appropriate technology is in place (based on an assessment of risk), that policies and procedures for responding to an incident are developed, and that resources are also allocated to ensuring people have the necessary cyber security skills and knowledge.

19.  While it is recognised that the current economic climate may present resource challenges, it is important that public and private sector organisations understand the importance of investing in, and deploying, appropriate security measures and solutions to protect against the increasing online threat environment.

What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

20.  On 7 September Symantec published its latest Norton Cybercrime Report.[27] Based on a survey of individuals on their experience of malware and cybercrime, the 2011 report found that malware, specifically computer viruses, was the top cyber crime reported by both UK and global individual users. In the UK 38% of respondents reported having suffered a malware related incident, of which 55% occurred in the last 12 months. This is the most common type of cyber crime experienced by users in the past 12 months. Following malware in the list of cyber crimes experienced by users was online credit card fraud (10% of respondents), followed by social network profile hacking (6%). The Norton Cybercrime Report estimates the total net cost of cybercrime to the UK as £1.1 billion. The loss of time by victims affected by cybercrime is valued at £618.9 million, while the direct cash cost to victims from such factors as money stolen and the cost of resolving cybercrime is estimated at £474.2 million.

21.  From the perspective of the computer security industry, Symantec continues to develop and supply tools and solutions that enable users to put in place appropriate measures to protect their systems, networks and information. Symantec works around the world to ensure there is an adequate level of protection for users against online threats. Software companies, however, cannot and should not be held responsible for what they do not effectively control, such as how the customer may install, configure, use and update security software. Moreover, effective cyber security is not just about technology but also processes and education. Users must also be aware and educated about cyber threats and have the knowledge and skills to be safe online.

Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

22.  It was the computer expert Fred Cohen who is reported to have coined the phrase "computer virus" back in the 1980s, as a way of describing how a file can infect a computer and propagate itself through a device, similar to a virus in a human body. The analogy is still relevant today, particularly with the rise in malware such as malicious spam emails. A provider of anti-spam services uses technical information, such as traffic data, to detect spam and deploy anti-spam techniques. It is rather like the immune system of the body recognising a pathogen (in this case the malicious traffic data) and producing the necessary antibodies. Operating in this automated way enables the security provider to determine whether an email is spam and address the malware quickly and effectively to protect the potential victim.

23.  Since the 1980s not only has the nature of computer viruses changed but so has the environment in which they operate, with the interconnected nature of advanced electronic networks and systems. Sophisticated malware attacks today can use more than one type of malware to conduct an attack, multiplying rapidly across a number of different domains, infrastructures and devices that may be used, owned, managed or controlled by a number of different parties in both the public and private sector.

24.  Ensuring the ongoing resilience and stability of the Internet against cyber threats is therefore not a responsibility of governments alone but a responsibility that is shared by all those using the Internet. The nature of the internet and IT technology is such that no single person can be held accountable, and we all share a collective responsibility to protect ourselves and our customers, whether they are businesses, users or citizens. Given the complex cyber ecosystem of the internet, the threat information, technical intelligence and cyber security related expertise and advice that may be needed in a cyber related incident will reside across a number of different sources both inside and outside of government. For example, it is estimated that 90% of critical national infrastructures, which are increasingly reliant on interconnected networks and systems and are therefore a possible target for cyber attacks, are privately owned and managed. As a result, public and private sector co-operation and collaboration are a key factor in assisting not only the government but also industry to identify, assess and evaluate the level of seriousness of cyber incidents.

25.  The government does have a role to play in considering and addressing the UK's preparedness for cyber related issues and in providing coordination. The recognition of the cyber threats to the UK in the National Security and Defence Strategy was welcomed, as was the focus on the importance of public-private partnership, which should continue to be supported. Given the importance of the ongoing resilience and stability of the internet to the societal and economic stability of the UK, cyber security must remain a long term overarching public policy objective.

How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

26.  Symantec is supportive of government efforts to gather advice and information in the event of a cyber incident as needed and bring together those that may need to work together to address an issue as and where appropriate and within the boundaries of the law.

27.  Symantec sees the Office of Cyber Security as playing a key role in coordinating government activities in this area and the operational response to address cyber related issues. The willingness of the Office of Cyber Security to engage and work with industry is also welcomed, given the shared responsibility to prepare for and address cyber incidents as and when they occur. It is recognised that the UK has a number of different bodies addressing cyber security related issues at many different levels, ranging from e-crime to critical national infrastructure protection. These bodies include CPNI and the UK e-Crime Police Unit, which also play an important role in addressing cyber security issues in the UK.

28.  Coordination and cooperation between the public and private sector on addressing the spread of cyber related threats are an important component of a cyber security strategy, not only in the UK but globally. The UK government's involvement in European and international forums where cyber security issues are discussed, such as ENISA, the UN Internet Governance Forum, the ITU and the OECD, as well as the UK's participation in cyber security related exercises, are welcomed and should continue going forward to ensure the UK plays a leading role in international efforts.


Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. Further information can be found at

7 September 2011

25   Symantec Intelligence Quarterly - April - June 2011-08-10

26   Symantec Internet Security Threat Report: Trends for 2010 - United Kingdom Data (Volume 16, April 2011)

27   Norton Cybercrime Report 2011 


© Parliamentary copyright 2012
Prepared 2 February 2012