Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Microsoft (Malware 17)

0.  Introduction

0.1  Thank you for this opportunity to submit a written response to the House of Commons Science & Technology Committee on Malware & Cybercrime. Bill Gates founded our Trustworthy Computing (TwC) initiative in an open letter in January 2002, focussing Microsoft's increasing strides to protect its customers from the impact of malware and the cybercrime it can enable. Microsoft continues to address these issues through updated and improved products, better software engineering, customer guidance and collaboration with partners across industry, government, law enforcement and academia around the world. In particular, Microsoft works closely with government and law enforcement bodies in the UK to improve our response and defences against malware and cybercrime.

0.2  Malware and cybercrime are two overlapping but distinct concerns addressed by Microsoft. As Scott Charney, Microsoft's Vice President of TwC, referenced in the paper Rethinking the Cyber Threat, "For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organisations (including nation-states) and craft appropriate responses." Threats from malware range from cybercrime to cyber espionage to cyber warfare. Given this range, Rethinking the Cyber Threat proposes that malware threats should be collectively addressed by several national and international initiatives combining industry and government capabilities. Scott Charney's speech on the matter and the paper are available here: The remainder of this response will focus on the cybercrime impacts of malware and our collaborations to reduce cybercrime.

0.3  Microsoft provides multiple defences against malware and cybercrime such as: monthly and as-required updates across our software products, including but not limited to Windows and Office; Microsoft Forefront, which provides anti-malware solutions for business; Microsoft Security Essentials, which is free to the UK consumer; malicious website and phishing protection in our browser, Internet Explorer 9; malicious website screening in our search engine, Bing; and spam-filtering in our email products for business (Outlook) and consumers (free Windows Live mail).

0.4  Through automatic settings worldwide, Microsoft updates over 600 million computers monthly and receives information from its Malicious Software Removal Tool on the state of infection. We also implement malware screening on almost 300 million consumer email accounts, enable screening of billions of business emails per year, and scan billions of webpages per month with Bing. These data-streams are collated twice a year to produce Microsoft's Security Intelligence Report, which has been published since 2005. Further information is available here:

0.5  This response has been compiled by Microsoft drawing from our experience and available information at the time of publication around the world and across cyberspace, focused upon the concerns and issues of Her Majesty's Government of the United Kingdom. A comprehensive portal of resources for cyber security policy is available here:

1.  What proportion of cyber-crime is associated with malware?

1.1  Microsoft does not possess statistical information that associates malware with cybercrime. Although Microsoft's Security Intelligence Reports provide information on the geographic variation in malware prevalence, cybercrime is referenced by example only.

1.2  Microsoft is aware on a case-by-case basis of vulnerabilities in its software being exploited by malware to perpetrate cybercrime and has responded in specific instances to the appropriate law enforcement bodies. Much of the malware that enables cybercrime does not exploit vulnerabilities in the software but in the human psyche. Known as "social engineering" or phishing attacks, these types of malware exploit the users of software and their information or assets, rather than compromise the operation of the PC.

1.3  In the past two years, through Project MARS (Microsoft's Active Response for Security), Microsoft has taken specific actions against botnets ("robot-networks" enabled by malware and operated by cybercriminals). Specifically, we took action against the botnets Waledac and Rustock through our operations named "b49" and "b107" respectively. Anecdotally, operation b107, carried out in March 2011, indicated that one million PCs were infected and controlled by the Rustock botnet, generating an estimated 30 billion spam emails every day, accounting potentially for 40-60% of global spam.

1.4  Microsoft is also concerned with cybercrime not primarily perpetuated through malware but taking criminal advantage of online technology, especially in the area of child protection. Microsoft has supported the UK's Child Exploitation and Online Protection (CEOP) centre since its inception, providing resources and software. Microsoft has provided its CETS (ChilD Exploitation Tracking System) solution and donated PhotoDNA technology developed in coordination with the U.S. National Center for Missing & Exploited Children to the UK and many other counties around the world. Further information is available here:

2.  Where does the malware come from? Who is creating it and why?

2.1  Microsoft is aware of malware from many sources around the world and across the internet, although correlating geographical and cyber locations is difficult due to the fact that origin information in cyber-communications can be modified through technical means. However, our Security Intelligence Report provides a broad analysis on the geographic origin and impact of the major malware families based on monthly feedback from over 600 million PCs and our other data sources. Only case-based analysis of specific malware, as in our Project MARS, can identify the malware origins and victim locations; in these cases, we work with appropriate judicial and law enforcement organisations to reach a resolution.

2.2  Microsoft is not normally aware of the creators of malware and their purpose. We see distinctions between: 1. "Finders," who identify vulnerabilities in software, 2. "Exploiters," who prove that the vulnerability can be accessed and exploited against the user's wishes and/or without their knowledge; 3. "Malware Coders," who develop malicious software to exploit the vulnerability by infecting PCs; and 4. "Botnet Herders," who manipulate the malware and infected PCs in organised networks across the internet. The Finders and Exploiters can and usually do have benign intent, pursuing the pure research aspect, so we work with this community to protect our customers. Generally our information comes from these security researchers, both inside Microsoft and across the cyber security community, who identify vulnerabilities in our software and likely exploitation mechanisms. However, the Malware Coders and Botnet Herders predominantly have a criminal intent. Our analysis may reveal the location of criminal activity; in these situations, we will provide appropriate information to the primary national law enforcement agency. In the UK we have a good working relationship with the London Metropolitan Police and the Serious and Organised Crime Agency (SOCA). Microsoft does not work with perpetrators of malware or exploiters with criminal intent.

2.3  We have seen increasing sophistication and replication of malware over the past decade. The threat actors range from highly sophisticated pioneers testing new areas of software to "script kiddies" simply repurposing tools that are available on the internet for their advantage. It is also apparent that the cybercrime activity ranges from highly organised enterprises to opportunistic individuals. Malware and the tools to build it are widely available and do not disappear over time: once a piece of malware has been released onto the internet it will be reused by others, and the cost of access, development and deployment is continually diminishing. Malware has become the multi-purpose tool of the criminal in cyberspace. Therefore, we focus on systematic defence of our customers.

3.  What levels of resources are associated with combating malware?

3.1  Microsoft continues to commit several hundred engineer-years per annum to combatting the impact of malware across our product-base though triage, response, updates, better engineering and new product architectures. Our security engineers use this expertise to develop tools to enable our customers and partners defend themselves. For example, !exploitable helps developers identify and assign an "exploitability" rating to program crashes.

3.2  Since 2003, we have invested significant engineer-years developing and delivering the Security Development Lifecycle (SDL), to ensure that all of our engineers are up-to-date with the latest security coding practices. We share this valuable resource for free with our customers and partners around the world. More information is available here:

3.3  Over the past decade, Microsoft has built arguably the best incident response team in the software industry. The Microsoft Security Response Centre (MSRC) coordinates product team engineers across the company to update software at least monthly, providing guidance in almost 30 languages and coordinate field engineers in over 100 countries. In addition, the MSRC collaborates with national Computer Emergency Remediation Teams (CERTs) around the world, each in turn committing substantial resources to combatting malware and cybercrime.

3.4  Microsoft provides leadership in an ecosystem of industry, governments, and academics working continuously around the world to mitigate the threats and protect customers and citizens. In order to nurture and evolve this ecosystem, we have created or collaborated with others to develop numerous programmes, including: MAPP, the Microsoft Active Protection Programme to share information and coordinate software updates with partner companies; MSVR, the Microsoft Vulnerability Research programme to work with partners to identify and mitigate vulnerabilities across the software ecosystem; ICASI, the Industry Consortium for the Advancement of Security on the Internet to collaborate with partner companies in response to systemic threats; and SAFECode, Security Assurance Forum for Excellence in Code to work with partners to improve security in engineering.

3.5  Microsoft has also committed resources to working with law enforcement around the world. Since the inception of the Botnet Task Force, we have partnered with over 40 national law enforcement agencies, and we continue to address malware and cybercrime through training and analysis tools provided through our Law Enforcement Portal.

3.6  Microsoft also commits resources to take specific legal and technical action in our Project MARS, as illustrated by our actions to neutralize the Waledac and Rustok botnets.

3.7  Over the past decade we have provided monetary rewards for information leading to the arrest and prosecution of cybercriminals launching or exploiting malware. Most recently, we offered US $250,000 in July for information leading to the identification and prosecution of the Rustock botnet controllers.

4.  What is the cost of malware to individuals and how effective is the Industry in providing protection to computer users?

4.1  The costs of malware to individuals are manifold and more than monetary: they can include identity theft, data loss, necessary changes in behaviours and resources spent procuring updated and additional software products to protect against malware. Malware has the potential to cause severe impacts to users of compromised computers. In addition to the risk of data loss, some malware seeks to steal users' financial and identity information. Additionally, the current prevalence of malware on the internet requires users to change their behaviours online. This includes not visiting risky sites, not reusing passwords, and having the knowledge to keep their device up to data and protected. Users must also spend time and resources obtaining up-to-date software to protect against current malware threats. While some vendors make effective anti-virus software available at no cost, there are a number of products that are available only with purchase. Because malware threats evolve so quickly, users must have up to date software on their devices. Out-dated operating systems and web browsers cannot adequately protect users from today's malware threats. Consumers must be prepared to invest in current technology in order to enjoy the benefits of a digital society without being placed at undue risk.

4.2  As the world's leading provider of software and services, Microsoft makes great efforts to protect its customers from the effects of malware. Our Security Development Lifecycle has led to measurable improvements in the security of our software: fewer pieces of malware now exploit operating system vulnerabilities, relying instead upon social engineering tricks to obtain access to a computer. When there is software vulnerability Microsoft is able to rapidly mobilize a response and, if necessary, deliver updates to over 600 million customers quickly and at no cost through our Windows Update service. Further, as part of this servicing process the Microsoft Malicious Software Removal Tool (MSRT) is run on each computer that connects to Windows Update. MSRT scans for and removes many of the most prevalent malware families and has been used more than 20 billion times since 2005. Finally, for enhanced protection against malware we offer Microsoft Security Essentials (MSE), an anti-virus solution, free to users of genuine Windows PCs. MSE's more than 30 million users report millions of malware removals per year.

4.3  Beyond our product efforts, Project MARS works with academic and industry experts, and utilizes technical and legal efforts in an attempt to defeat botnets. For example, the Waledac and Rustock botnets were shut down through successful legal action, and then Microsoft began working with ISPs and national CERTs to help customers remove the Waledac infection from their computers.

4.4  There are also numerous international, national and private sector efforts to promote or use collective defence that have had varying degrees of effectiveness. Microsoft has called for greater collaboration between government and industry on collective defence in its paper on the subject by Scott Charney and referenced in his recent RSA speech,(see Introduction above). The Collective Defence paper (attached) highlights several successful examples of government and industry collaboration to improve cyber security.

5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

5.1  Several members of industry, including Microsoft in our Collective Defence paper of 2010, have proposed looking at the public health model to address the issue of malware. Malware does share several characteristics with human disease in that it can spread host to host, morph rapidly and even exist asymptomatically. However, human disease is not a perfect analogue for malware. Human diseases are not sponsored by malicious actors, for example.

5.2  The public health model provides a very useful inspiration to solving the malware problem while not being the solution itself. Looking at the public health model prompts consideration of several important functions required to address the malware problem. First, we should strive for a trusted system with clear roles and responsibilities just like we have for doctors, paramedics and epidemiologists in human health. Second, computer users need to know who and where to get help with a malware issue. Just as individuals can recognize a hospital or pharmacy, it must be clear to them who can be trusted to provide assistance with malware prevention and remediation. Prevention or wellness is another topic that should be adopted from human health. To do so, we must begin with an understanding of what it takes to keep a system healthy and develop the social and technical norms to encourage the healthy state of all devices. Finally, as with epidemic preparedness, industry and government must be prepared for a potential malware outbreak in a way that leverages the trusted system and roles outlined above.

5.3  Governments around the world and the ICT industry share a responsibility to deal with malware both individually for their constituencies and collectively. Microsoft has invested significant effort over the past decade working on its own products and with partners to make the customer experience more secure. The currently broadening appreciation of the malware threat is an opportunity for reinvigorated effort to take action corporately, nationally and internationally to provide better protection to customers and citizens alike.

6.  How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

6.1  Microsoft works with CESG, the National Technical Authority, CPNI, OCSIA and other government agencies concerned with cyber security to ensure the protection of UK citizens. These collaborations have been successful for many years in the mitigation and containment of cyber-attacks. These organisations are skilled and effective in their mitigation of the impact of malware on HMG and the Critical Infrastructure.

6.2  Microsoft also works with the London Metropolitan Police, SOCA and many other law enforcement organisations to address malware-based cybercrime in the UK. These organisations are generally under-resourced and differently prioritised to pursue cybercrime, which means that the people are concerned and committed to fighting cybercrime but unable to have broad impact. The citizen continues to be at a loss when it comes to reporting cybercrime, other than to his or her bank or ISP, who are generally effective at remediation but can take no further action to neutralize cyber threats.

6.3  Microsoft has noted and welcomes the substantial efforts by the current Government to collaborate with industry to address all aspects of cyber security including cybercrime. We will continue to work towards making the UK a national exemplar of best practice in fighting malware-based cybercrime.

6.4  Microsoft has been a clear advocate of the Council of Europe's Convention on Cybercrime and welcomes the UK's recent ratification. We are also aware that malware and cybercrime respect no national boundaries and there is a need for international collaboration between governments to improve and align legislation and regulation and eventually establish treaties to pursue and prosecute cybercrime effectively. We support the work of the US and UK in the development and promulgation of acceptable norms of behaviour in cyberspace and a first step to improving international legal cooperation against cybercrime.

7.  Declaration of Interests

7.1  Microsoft provides products and services to UK citizens that can be impacted by malware and cybercrime and continues to develop mitigation and protection mechanisms in each new release.

7.2  Microsoft also provides updates to its products and services at least monthly free of charge to all customers. We also provide Microsoft Security Essentials anti-malware software free of charge to UK consumers. Our anti-malware facilities in our Internet Explorer 9 browser, Bing search engine and Windows Live email are all provided free of charge. Microsoft also offers security products commercially in the UK market, including Microsoft Forefront, and will continue to provide innovative and security-enhancing technologies for citizens of the UK and worldwide.

7 September 2011

previous page contents next page

© Parliamentary copyright 2012
Prepared 2 February 2012