Written evidence submitted by the Australian
Institute of Criminology (Malware 19)
BACKGROUND
1. In July 2011, the House of Commons Science
and Technology Committee chaired by Andrew Miller MP launched
a new inquiry into the impact of malware on individuals, the responsibilities
of Government to aid in the prevention of malware infections,
and the economy that has grown up around this industry. The Australian
Institute of Criminology (AIC) welcomes the opportunity to contribute
to the current Inquiry.
2. The AIC is Australia's national research and
knowledge centre on crime and justice. It seeks to promote justice
and reduce crime by undertaking and communicating evidence-based
research to inform policy and practice. The AIC conducts research
on a wide range of crime-related subjects, including cybercrime.
3. The material in this document is provided
by the AIC in response to the House of Commons Science and Technology
Committee's inquiry into malware and cybercrime.
SUBMISSION DETAILS
Introduction
4. This submission provides information arising
from AIC research that is applicable to the Inquiry's terms of
reference. This submission also outlines action currently being
taken by the Australian Government in response to the malware
threat.
5. Malware, or malicious software, includes viruses,
worms, keyloggers, spyware, trojans and botware (see definitions
in Table 1). Potential outcomes of malware infection include account
names and passwords being compromised, which may lead to fraudulent
activity; files being accessed and copied; and corruption of hardware
or software resulting in computer downtime or a slowed computer
network (Furnell, 2010). Botware may also result in the infected
computer being used as part of a botnet, a network of compromised
machines, which, among other things, can be harnessed to send
spam, facilitate phishing and click fraud, host illegal data,
disseminate other malware and conduct distributed denial of service
attacks (Choo, Smith & McCusker, 2007). Denial of service
(DoS) attacks involve overloading a website or computer system
so that legitimate access is blocked. When using botnets this
is known as a Distributed Denial of Service, or DDoS, attack (Grabosky,
2007).
Table 1
MALWARE DEFINITIONS
Name | Definition
Virus | A self-replicating program that is spread by opening infected files and uses up available memory
Worm | A self-replicating program that spreads automatically and uses up available memory
Keylogger | A program that records users' keystrokes
Spyware | A program that can monitor computer activity
Trojan | Malware disguised as legitimate software, such as a game
Botware | A program that connects a computer to a botnet and enables it to be controlled remotely
Source: Grabosky, 2007.
1. What proportion of cybercrime is associated with malware?
6. In 2008, the AIC commissioned the Australian Business Assessment
of Computer User Security (ABACUS) survey, a randomised survey
of small, medium and large businesses from a range of industry
sectors and from all Australian states and territories. This survey
examined the prevalence and nature of computer security incidents
experienced by businesses in the 2006-07 financial year, the areas
in which business systems were vulnerable to such incidents and
the cost, types and effectiveness of approaches Australian businesses
used to prevent them (Richards, 2009). The survey was weighted
according to industry type and business size so that the data
provided by each participant was proportionate in relation to
the broader population being sampled. Challice (2009) provides
an overview of the research methodology.
7. During 2006-07, 14% of businesses reported having experienced
one or more computer security incidents (Richards, 2009). Of these,
83% experienced one to five incidents, 8% experienced six to 10
incidents and nine percent experienced more than 10 incidents
(Richards, 2009). The number of computer security incidents experienced,
by business size, is depicted below in Figure 1.
Figure 1
NUMBER OF COMPUTER SECURITY INCIDENTS EXPERIENCED, BY
BUSINESS SIZE (%)
Note: n=3,620. Excludes 307 businesses with no information
technology and 74 missing answers (61 from small, 12 from medium,
one from large businesses).
Source: Richards, 2009.
8. The most prevalent type of incident was infection by a
virus or other malicious code, which was reported by 64% of ABACUS
respondents that had experienced a computer security incident.
The second most prevalent incident involved spyware, reported
by 44% of victimised respondents. DoS attacks, which often involve
the use of botnets, were experienced by four percent of respondents
reporting a computer security incident. Figure 2 below provides
an overview of the types of computer security incidents experienced,
by business size.
Figure 2
TYPES OF COMPUTER SECURITY INCIDENTS EXPERIENCED BY VICTIMISED
BUSINESSES, BY BUSINESS SIZE (%)
Note: n=781. Excludes 307 businesses with no information technology,
2,881 businesses that experienced no computer security incidents
and 31 missing answers (25 from small, six from medium, less than
one from large businesses).
Source: Richards, 2009.
2. Where does the malware come from? Who is creating it
and why?
9. Common ways that computers become infected with malware
include visiting websites or opening email attachments (Furnell,
2010).
10. Malware is commonly traded online, using black market
portals. Hutchings (in progress) has conducted qualitative interviews
with computer crime offenders and police officers investigating
hacking and computer fraud offences. This research indicates that
these portals are also used to trade in compromised data, to learn
and teach others about vulnerabilities and to trade in particular
skill sets. In addition, portals were found to offer a number
of advantages to offenders. For example, they allow for anonymous
communication, and access can be controlled to minimise law enforcement
infiltration. Some countries have poor reputations for responding
to online crimes; however, it can be difficult to determine country
of origin as offenders are likely to hide behind open proxy servers
(Hutchings, in progress).
3. What level of resources are associated with combating
malware?
11. The ABACUS survey asked the respondents which anti-fraud
and malware tools had been used during the 2006-07 financial year.
Anti-fraud tools included anti-spam filters (used by 64% of participants)
and anti-phishing software (used by 34% of respondents), while
malware tools included anti-virus (used by 85% of participants)
and anti-spyware software (used by 59% of participants). Overall,
88 percent of businesses with information technology reported
using some type of anti-fraud or anti-malware tool. The proportions
of small, medium and large businesses that reported using each
of these computer security tools are shown below in Figure 3.
Figure 3
BUSINESSES' USE OF ANTI-FRAUD AND MALWARE TOOLS, BY BUSINESS
SIZE (%)
Note: n=3,658. Excludes 307 businesses with no information
technology and 36 missing answers (34 from small, two from medium
businesses).
Source: Richards, 2009.
12. Respondents were asked to estimate their total information
technology security expenditure for the 2006-07 financial year.
Table 2 below shows the median, mean and range for total information
technology expenditure by business size. It was estimated that
in Australia between AUD$1.37 billion and AUD$1.95 billion is
spent by businesses on computer security each year (Richards,
2009).
Table 2
TOTAL INFORMATION TECHNOLOGY SECURITY EXPENDITURE, BY
BUSINESS SIZE (AUD$)
Business size | Median* | Mean | Minimum | Maximum
Small | 200 | 992 | 0 | 150,000
Medium | 2,000 | 7,614 | 0 | 300,000
Large | 10,000 | 38,474 | 0 | 750,000
Businesses overall | 250 | 1,830 | 0 | 750,000
*Medians are only estimates, due to the use of weighted data.
Note: n=3,330. Excludes 307 businesses with no information technology and 363 missing answers.
Source: Richards, 2009.
4. What is the cost of malware to individuals and how effective
is the industry in providing protection to computer users?
13. Almost half (47%) of business respondents to the ABACUS
survey who reported one or more computer security incidents identified
viruses, malicious code and spyware as causing the greatest financial
loss, and 57% identified these incidents as being the most significant
(Richards, 2009). Negative outcomes were reported by 77% of businesses
following the most significant computer security incident. These
included:
corruption of hardware or software (40%);
corruption or loss of data (31%);
unavailability of service (38%);
website defacement (2%);
theft or loss of hardware (6%);
theft of business, confidential or proprietary information (5%);
non-critical operational losses (25%);
non-critical financial losses (12%);
harm to reputation (4%);
critical operational losses (4%);
critical financial losses (4%); and
other (1%) (Richards, 2009).
14. When a computer security incident occurred,
the average loss to a business was AUD$4,469 (Richards, 2009).
5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
15. The Australian Government responds to malware
in a variety of ways. For example, in accordance with the Australian
Internet Security Initiative (AISI), the Australian Communications
and Media Authority (ACMA) identifies computers infected with
botware and informs the relevant internet service provider (ISP).
The ACMA identified 4,093,436 compromised computers in the 2009-10
financial year, an average of 11,215 per day (ACMA, 2011).
16. It is estimated that over 90 percent of Australian
home internet users are customers of the 82 ISPs participating
in the AISI (ACMA, 2011). When these ISPs have been informed by
the ACMA that a customer's computer has been infected with botware
they can select from a range of responses as set out in the voluntary
icode. These options include:
(a) contacting the customer directly (by phone,
email or SMS or other means);
(b) regenerating the customer's account password
to prompt customers to call the helpdesk so they can be directed
to resources to assist;
(c) applying an "abuse" plan where
the customer's Internet service is speed throttled;
(d) temporarily quarantining the customer's service,
for example by holding them within a "walled garden"
with links to relevant resources that will assist them until they
are able to restore the security of their machine;
(e) in the case of spam sources, applying restrictions
to outbound email (simple mail transfer protocol, SMTP);
and/or
(f) such other measures as determined by the
ISP consistent with their terms of service (Internet Industry
Association, 2010).
17. CERT Australia is Australia's official national
computer emergency response team. It also provides a direct response
to malware by identifying account details that have been obtained
using malware, and advises the relevant organisations when their
customers' account details have been compromised so that appropriate
action can be taken. CERT Australia detected over 250,000 compromised
accounts during the period of September 2010 to February 2011
(McClelland, 2011). CERT Australia advises that this is an area
of ongoing work and that the figure has significantly increased
since this time.
REFERENCES
Australian Communications and Media Authority 2011.
Annual Report 2009-10. Melbourne: Commonwealth of Australia.
http://www.acma.gov.au/WEB/STANDARD/pc=PC_312295
Challice G 2009. The Australian Business Assessment
of Computer User Security (ABACUS) survey: Methodology report.
Technical and background paper series no. 32. Canberra: Australian
Institute of Criminology.
http://www.aic.gov.au/publications/current%20series/tbp/21-40/tbp032.aspx
Choo K-K R, Smith R G & McCusker R 2007. Future
directions in technology-enabled crime: 2007-09. Research
and public policy series no. 78. Canberra: Australian Institute
of Criminology.
http://www.aic.gov.au/publications/current%20series/rpp/61-80/rpp78.aspx
Choo K-K R 2010. Cloud computing: Challenges
and future directions. Trends and Issues in Crime and Criminal
Justice series no. 400. Canberra: Australian Institute of Criminology.
http://www.aic.gov.au/publications/current%20series/tandi/381-400/tandi400.aspx
Furnell S 2010. Hackers, viruses and malicious software.
In Y Jewkes & M Yar, Handbook of Internet Crime (pp.
173-193). Devon: Willan Publishing.
Grabosky P 2007. Electronic Crime. New Jersey:
Pearson Education Inc.
Hutchings A J (in progress). Theory and Crime: Does
it Compute? (Doctoral thesis). Mt Gravatt: Griffith University.
Internet Industry Association 2010. icode: Internet
Industry Code of Practice. Manuka: Internet Industry Association.
http://iia.net.au/images/resources/pdf/iiacybersecuritycode_implementation_dec2010.pdf
McClelland R 2011. Australian Defence Magazine Cyber
Security Summit. Barton: Attorney-General's Department.
http://www.attorneygeneral.gov.au/www/ministers/mcclelland.nsf/Page/Speeches_2011_ThirdQuarter_25July2011-AustralianDefenceMagazine-CyberSecuritySummit
Richards K 2009. The Australian Business Assessment
of Computer User Security: A national survey. Research and
public policy series no. 102. Canberra: Australian Institute of
Criminology.
http://www.aic.gov.au/publications/current%20series/rpp/100-120/rpp102.aspx
Urbas G & Choo K-K R 2008. Resource materials
on technology-enabled crime. Technical and background paper
no. 28. Canberra: Australian Institute of Criminology.
http://www.aic.gov.au/publications/current%20series/tbp/21-40/tbp028.aspx
Dr Adam Tomison, Director (Chief Executive) of
the Australian Institute of Criminology
Dr Rick Brown, Deputy Director (Research)
Ms Alice Hutchings, Research Analyst
Australian Institute of Criminology
8 September 2011