Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Dellsecureworks (Malware 16)

1.  What proportion of cyber-crime is associated with malware?

Considering a couple of aspects of the evolution of Internet connectivity:

(a)  In the enterprise, firewalls and other network-layer security controls have become a commodity; the technologies are effective and widely deployed, which restricts how a cyber-criminal can reach or communicate with his target.

(b)  For consumers, the widespread adoption of broadband Internet access, which is generally deployed behind network address translation (NAT), also limits the communication options for the cyber-criminal.

These two different evolutions generally deliver the same result: web-browsing traffic out to the Internet is permitted, while traffic originating from the Internet is denied.

For a cyber-criminal to gain access to computers in order to steal, control or observe, they must have some software agent resident on the compromised computer which initiates connections outbound to the Internet.

The direct result of improved basic network security controls is an evolution in the cyber-criminal's tools, such that malware use is now prevalent in cyber-crime.
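As an added example (not part of the submission), the outbound-only model described above also gives defenders a detection opportunity: the script below, which assumes a simple constructed proxy-log format, flags internal hosts that call out to one destination at a regular cadence.

```python
# Added example, not from the submission: a minimal beacon detector over
# constructed proxy log lines. Outbound-only perimeters force malware to
# call out through the permitted web path, usually on a fixed schedule.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines, assumed format: "timestamp src_ip dst_host bytes"
SAMPLE_LOG = """\
2011-09-07T09:00:00 10.0.0.5 news.example 18400
2011-09-07T09:00:02 10.0.0.7 c2.example 312
2011-09-07T09:03:10 10.0.0.5 mail.example 9021
2011-09-07T09:05:02 10.0.0.7 c2.example 310
2011-09-07T09:10:01 10.0.0.7 c2.example 315
2011-09-07T09:15:03 10.0.0.7 c2.example 308
2011-09-07T09:20:02 10.0.0.7 c2.example 311
2011-09-07T09:31:44 10.0.0.5 news.example 20112
2011-09-07T09:47:05 10.0.0.5 news.example 17770
"""

def parse_log(text):
    """Yield (timestamp, src, dst); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Map (src, dst) -> mean interval in seconds for pairs seen at least
    min_hits times whose gaps are regular (stdev/mean <= max_jitter)."""
    hits = defaultdict(list)
    for ts, src, dst in parse_log(text):
        hits[(src, dst)].append(ts)
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg  # regular outbound cadence: review for C2
    return beacons
```

On the sample, the ordinary browsing from 10.0.0.5 is ignored while the five-minute cadence from 10.0.0.7 is reported; real deployments would tune the thresholds and allow-list known update services.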

In terms of proportion, this is not only difficult to quantify but also difficult to define. Is proportion defined by impacted individuals, direct losses or number of incidents? It should also be noted that a proportion of cyber-crime (defined in the most general sense) is conducted by insiders.

Our view at Dell SecureWorks is that the vast majority of cyber-crime leverages malware on a daily basis as part of basic cyber-criminal tradecraft.

2.  Where does the malware come from? Who is creating it and why?

Malware is a worldwide problem supported by a vibrant underground economy.

Malware used to be created by individuals, for their own purposes. Malware now tends to be created by professional gangs, who sell it to the criminals who use it. Malware authors offer technical support and publish product roadmaps and bug fixes. The malware developers are not talented amateurs; they are highly organised, highly professional and, of course, have identified that they are not breaking laws by producing malware that others deploy.

Malware is created for a number of reasons:

—  Recognition. Early malware was written for "fun" and to see how many computers could be infected before it was stopped. More malicious versions would corrupt files and try to render the user's computer unusable. The attack was generally against the hardware and data, rather than the individual.

—  Theft from an individual. Most recent malware is written with the aim of capturing bank and credit card details. These can then be sold on to other criminals, with the details being used to buy goods or to steal from bank accounts.

—  Spam. Malware is used to create botnets, which are then rented out to criminals for activities such as mass email campaigns for things like prescription drugs, or to conduct phishing scams, themselves designed to trick people into handing over bank login details.

—  Intellectual property theft from businesses: Malware which attempts to penetrate a corporate environment and remain undetected for long periods of time. The controllers of the malware, meanwhile, use it to steal IP and other sensitive information from the infected company. This information can then be used by competitors, or states, depending on the nature of the company that was compromised.

—  Activism: malware which is used for political means or to embarrass corporations. Activists may leverage "botnets" to launch Denial of Service attacks against targets.

—  Espionage/"Cyberwar": general malware used for online banking fraud or intellectual property theft can be brought to bear by nation states. There have also been examples of malware being crafted for specific targets, for example the Stuxnet worm, which is widely believed to have been written to damage the Natanz uranium enrichment plant in Iran.

The last 12 months have seen actors in each of these areas operating with a degree of sophistication. In some cases the malware "tools" that are deployed are common across the actors, in other cases the malware is highly specialised and tuned to the task in hand.

Who is creating it? It is not possible to determine absolutely, but the indicators are clear that malware today is being written by talented software professionals. Geographic indicators point to Eastern Europe and Asia.

3.  What level of resources are associated with combating malware?

Malware consumes an enormous amount of resources and has a significant economic impact. According to Gartner Group, IT security spend represents around 5% of total IT spend within enterprises. This, on average, translates to an investment level of around $525 per employee per annum. This doesn't take any account of the business impact of malware and/or associated downtime.

It is worth noting that there is an asymmetry between the number of threat actors and those combating their actions. The fight against malware can be likened to a guerrilla war, where a relatively small number of combatants can cause havoc for a much larger and organised adversary.

4.  What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

For individuals, the costs range from buying anti-virus and anti-spyware programs (along with the associated annual subscription fees) to the time and money involved in trying to recover from an infection, possibly having their bank account hacked and their credit card details and identity stolen.

The industry is moderately effective in providing protection:

(a)  Desktop anti-virus/anti-malware solutions are a necessary and important protective control; however, they are not 100% effective. Unfortunately, as this remains the sole technical control deployed by the average consumer, individuals are left in a vulnerable state.

(b)  Software vendors provide patches and software update services to allow individuals to address vulnerabilities. Software vendors have a duty of care to their customers to improve testing and reduce the number of vulnerabilities in their software.

It should be noted that at an individual level, infections are rarely reported to the authorities and the police have little way of understanding the scale or impact of such crime.

5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

Given the nature of society I don't think there are mechanisms which would allow the government to participate directly in combating the spread of malware.

It's likely any government which embarks on direct action would have to define "what is malware" and "what is not malware". This would be better done at an international level so that countries can more easily work together on cybersecurity. Another consequence of Government action would be a need to balance fighting malware with privacy concerns and civil rights.

6.  How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

The Government is not effective today in co-ordinating a response to cyber-crime using malware.

CESG (Communications-Electronics Security Group, GCHQ) and CPNI (Centre for the Protection of National Infrastructure) do communicate around such issues; however, their communications are directed at a small community (e.g. CESG Listed Advisers) and there are often restrictions on whether such intelligence can be forwarded out of the community.

Government should focus efforts on identifying and prosecuting those involved in cybercrime. Industry should focus on improving preventative and detective controls relating to the spread of malware. Government and industry should work together to share information to increase effectiveness against malware in general.

It should also be remembered that overall security needs to be maintained. Some cyber attacks originate because of a lack of security in the physical world with people revealing passwords or disclosing too much data to unknown people.

7 September 2011


© Parliamentary copyright 2012
Prepared 2 February 2012